Refactoring reference resolving

Author: coheigea

src/main/java/org/apache/xml/security/stax/impl/resourceResolvers/ResolverFilesystem.java

@@ -25,6 +25,7 @@
 import org.apache.xml.security.stax.ext.ResourceResolver;
 import org.apache.xml.security.stax.ext.ResourceResolverLookup;
 import org.apache.xml.security.stax.ext.stax.XMLSecStartElement;
+import org.apache.xml.security.utils.resolver.ResolverUtils;
 
 /**
  * Resolver for local filesystem resources. Use the standard java security-manager to
@@ -49,7 +50,11 @@ public ResourceResolverLookup canResolve(String uri, String baseURI) {
         if (uri == null) {
             return null;
         }
-        if (uri.startsWith("file:") || baseURI != null && baseURI.startsWith("file:")) {
+        // At least one of uri or baseURI must start with "file:", and
+        // neither may carry a different explicit scheme (e.g. http:, https:, ftp:).
+        if ((uri.startsWith("file:") || baseURI != null && baseURI.startsWith("file:"))
+                && !ResolverUtils.hasExplicitNonFileScheme(uri)
+                && !ResolverUtils.hasExplicitNonFileScheme(baseURI)) {
             return this;
         }
         return null;

src/main/java/org/apache/xml/security/utils/resolver/ResourceResolverContext.java

@@ -62,11 +62,11 @@ public boolean isURISafeToResolve() {
             return true;
         }
         if (uriToResolve != null) {
-            if (uriToResolve.startsWith("file:") || uriToResolve.startsWith("http:")) {
+            if (uriToResolve.startsWith("file:") || ResolverUtils.hasExplicitNonFileScheme(uriToResolve)) {
                 return false;
             }
             if (!uriToResolve.isEmpty() && uriToResolve.charAt(0) != '#' &&
-                    baseUri != null && (baseUri.startsWith("file:") || baseUri.startsWith("http:"))) {
+                    baseUri != null && (baseUri.startsWith("file:") || ResolverUtils.hasExplicitNonFileScheme(baseUri))) {
                 return false;
             }
         }

src/main/java/org/apache/xml/security/utils/resolver/implementations/ResolverLocalFilesystem.java

@@ -29,6 +29,7 @@
 import org.apache.xml.security.utils.resolver.ResourceResolverContext;
 import org.apache.xml.security.utils.resolver.ResourceResolverException;
 import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
+import org.apache.xml.security.utils.resolver.ResolverUtils;
 
 /**
  * A simple ResourceResolver for requests into the local filesystem.
@@ -64,15 +65,18 @@ public boolean engineCanResolveURI(ResourceResolverContext context) {
             return false;
         }
 
-        if (context.uriToResolve.isEmpty() || context.uriToResolve.charAt(0) == '#' ||
-            context.uriToResolve.startsWith("http:")) {
+        if (context.uriToResolve.isEmpty() || context.uriToResolve.charAt(0) == '#') {
             return false;
         }
 
         try {
             LOG.log(Level.DEBUG, "I was asked whether I can resolve {0}", context.uriToResolve);
 
-            if (context.uriToResolve.startsWith("file:") || context.baseUri.startsWith("file:")) {
+            // At least one of uriToResolve or baseUri must start with "file:", and
+            // neither may carry a different explicit scheme (e.g. http:, https:, ftp:).
+            if ((context.uriToResolve.startsWith("file:") || context.baseUri.startsWith("file:"))
+                    && !ResolverUtils.hasExplicitNonFileScheme(context.uriToResolve)
+                    && !ResolverUtils.hasExplicitNonFileScheme(context.baseUri)) {
                 LOG.log(Level.DEBUG, "I state that I can resolve {0}", context.uriToResolve);
                 return true;
             }