This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 2cb11b1  Make sure secure processing is enabled on all 
DocumentBuilderFactory instances
2cb11b1 is described below

commit 2cb11b19660909971e7cd475bd358c6830773e58
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Wed Nov 21 18:09:30 2018 +0000

    Make sure secure processing is enabled on all DocumentBuilderFactory 
instances
---
 .../src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java    | 1 +
 .../org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java   | 1 +
 .../apache/cxf/tools/common/toolspec/parser/CommandLineParser.java | 3 +++
 .../cxf/tools/corba/processors/idl/ObjectReferenceVisitor.java     | 7 ++++++-
 .../org/apache/cxf/tools/validator/internal/SchemaValidator.java   | 1 +
 .../org/apache/cxf/tools/validator/internal/ValidatorUtil.java     | 1 +
 6 files changed, 13 insertions(+), 1 deletion(-)

diff --git 
a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
 
b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
index a79724a..11ccbed 100644
--- 
a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
+++ 
b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
@@ -117,6 +117,7 @@ public class XMLTypeCreator extends AbstractTypeCreator {
         AEGIS_DOCUMENT_BUILDER_FACTORY.setNamespaceAware(true);
         try {
             
AEGIS_DOCUMENT_BUILDER_FACTORY.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING,
 true);
+            
AEGIS_DOCUMENT_BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
         } catch (javax.xml.parsers.ParserConfigurationException ex) {
             // ignore
         }
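Review bot: The new `disallow-doctype-decl` call shares one `try` with the secure-processing call and a `catch` that does `// ignore`, so on a JAXP implementation that rejects either feature (the second string is Xerces-specific and not a standard `XMLConstants` feature) the factory is silently left accepting DOCTYPE, which is the exact case this hardening is meant to close. Give each feature its own `try`/`catch (ParserConfigurationException e)` so a failure of one does not skip the other, and replace the bare `// ignore` with at least a log line, e.g. `// parser does not support this feature; DOCTYPE/entity expansion stays enabled — log so operators can see it`. The static initialiser (or method) this code sits in starts and ends outside the hunk, so I cannot tell whether a logger is already available in XMLTypeCreator.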
diff --git 
a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
 
b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
index 9531efb..747acf1 100644
--- 
a/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
+++ 
b/tools/common/src/main/java/org/apache/cxf/tools/common/dom/ExtendedDocumentBuilder.java
@@ -74,6 +74,7 @@ public class ExtendedDocumentBuilder {
                 parserFactory = DocumentBuilderFactory.newInstance();
                 try {
                     
parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                    
parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
                 } catch (ParserConfigurationException e) {
                     //old version, not supported.
                 }
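Review bot: The comment `//old version, not supported.` on the catch no longer describes the only way it is reached: with the added line, a non-Xerces `DocumentBuilderFactory` that does not recognise the `http://apache.org/xml/features/disallow-doctype-decl` string also lands here, and then the secure-processing feature is set but DOCTYPE stays allowed with no trace. Split the two `setFeature` calls into separate `try` blocks and update the comment to something like `// feature unsupported by this JAXP implementation; DOCTYPE declarations remain allowed` so the degraded state is visible to the next reader, and log it if a logger is in scope. The enclosing method starts and ends outside this hunk.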
diff --git 
a/tools/common/src/main/java/org/apache/cxf/tools/common/toolspec/parser/CommandLineParser.java
 
b/tools/common/src/main/java/org/apache/cxf/tools/common/toolspec/parser/CommandLineParser.java
index ef01b55..588c616 100644
--- 
a/tools/common/src/main/java/org/apache/cxf/tools/common/toolspec/parser/CommandLineParser.java
+++ 
b/tools/common/src/main/java/org/apache/cxf/tools/common/toolspec/parser/CommandLineParser.java
@@ -29,6 +29,7 @@ import java.util.StringTokenizer;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -96,6 +97,8 @@ public class CommandLineParser {
         try {
             DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
             factory.setNamespaceAware(true);
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
             resultDoc = factory.newDocumentBuilder().newDocument();
         } catch (Exception ex) {
             LOG.log(Level.SEVERE, "FAIL_CREATE_DOM_MSG");
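Review bot: The two new `setFeature` calls do not change the parsing behaviour of this factory, because it is only used for `factory.newDocumentBuilder().newDocument()` — no XML is read through it — yet they do add a failure mode: an implementation that does not recognise the vendor-specific `http://apache.org/xml/features/disallow-doctype-decl` string throws `ParserConfigurationException`, lands in the `catch (Exception ex)`, and DOM creation fails with only `FAIL_CREATE_DOM_MSG` logged. If the calls are kept for consistency, wrap them in their own `try { ... } catch (ParserConfigurationException ignored) { /* unsupported feature; nothing is parsed here */ }` so they cannot break `newDocument()`, and pass `ex` to `LOG.log(Level.SEVERE, "FAIL_CREATE_DOM_MSG", ex)` so the actual cause is visible. The enclosing method and `resultDoc` are declared outside the hunk.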
diff --git 
a/tools/corba/src/main/java/org/apache/cxf/tools/corba/processors/idl/ObjectReferenceVisitor.java
 
b/tools/corba/src/main/java/org/apache/cxf/tools/corba/processors/idl/ObjectReferenceVisitor.java
index 4dae488..48a27b9 100644
--- 
a/tools/corba/src/main/java/org/apache/cxf/tools/corba/processors/idl/ObjectReferenceVisitor.java
+++ 
b/tools/corba/src/main/java/org/apache/cxf/tools/corba/processors/idl/ObjectReferenceVisitor.java
@@ -25,6 +25,7 @@ import java.util.List;
 
 import javax.wsdl.Binding;
 import javax.wsdl.Definition;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -271,7 +272,11 @@ public class ObjectReferenceVisitor extends VisitorBase {
             XmlSchemaAnnotation annotation = new XmlSchemaAnnotation();
             XmlSchemaAppInfo appInfo = new XmlSchemaAppInfo();
             try {
-                DocumentBuilder db = 
DocumentBuilderFactory.newInstance().newDocumentBuilder();
+                DocumentBuilderFactory dbf = 
DocumentBuilderFactory.newInstance();
+                dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+                
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
+
+                DocumentBuilder db = dbf.newDocumentBuilder();
                 Document doc = db.newDocument();
                 Element el = doc.createElement("appinfo");
                 el.setTextContent("corba:binding=" + 
bindingName.getLocalPart());
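Review bot: The factory configured here is only used for `db.newDocument()` and `doc.createElement("appinfo")`, so the added `disallow-doctype-decl` feature does not affect any parsed input, but the `ParserConfigurationException` it can now throw on a JAXP implementation that does not know this Xerces-specific string propagates to a `catch` that lies outside the hunk, so I cannot confirm whether it is handled or silently dropped. Consider isolating the feature calls in their own `try`/`catch (ParserConfigurationException ignored)` with a comment such as `// no XML is parsed through this builder; an unsupported feature must not break annotation generation`, or dropping them here since there is no parsing to harden. The enclosing method starts before and ends after this hunk.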
diff --git 
a/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
 
b/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
index f2b52de..c6d5148 100644
--- 
a/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
+++ 
b/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/SchemaValidator.java
@@ -108,6 +108,7 @@ public class SchemaValidator extends 
AbstractDefinitionValidator {
         try {
             docFactory.setNamespaceAware(true);
             docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            
docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
             docBuilder = docFactory.newDocumentBuilder();
         } catch (ParserConfigurationException e) {
             throw new ToolException(e);
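Review bot: The feature URI `http://apache.org/xml/features/disallow-doctype-decl` is now pasted as a string literal in six files (see the diffstat), so a future change to the hardening set has to be repeated in each; a shared constant, e.g. `private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";` in a common helper, would keep them in step. The fail-closed handling here — rethrowing as `ToolException` rather than the `// ignore` used in XMLTypeCreator — is the right pattern, and it is worth noting in the class documentation that the validator now rejects any WSDL/XSD input that carries a DOCTYPE, since that is a visible behaviour change for users. `docFactory` is declared outside the hunk.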
diff --git 
a/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/ValidatorUtil.java
 
b/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/ValidatorUtil.java
index 2313de9..0c8761e 100644
--- 
a/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/ValidatorUtil.java
+++ 
b/tools/validator/src/main/java/org/apache/cxf/tools/validator/internal/ValidatorUtil.java
@@ -148,6 +148,7 @@ public final class ValidatorUtil {
             DocumentBuilderFactory docFactory = 
DocumentBuilderFactory.newInstance();
             docFactory.setNamespaceAware(true);
             docFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+            
docFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
             docBuilder = docFactory.newDocumentBuilder();
         } catch (ParserConfigurationException e) {
             throw new ToolException(e);
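Review bot: This hunk and the one in SchemaValidator now contain the same four-line factory setup (`setNamespaceAware(true)`, secure processing, `disallow-doctype-decl`, `newDocumentBuilder()`) with the same `ToolException` handling; since `ValidatorUtil` is a `final` utility class, a single helper such as `static DocumentBuilder newSecureDocumentBuilder() throws ToolException` that SchemaValidator calls would give the tool one place where parser hardening lives. Without it the next feature added to one site is liable to be missed at the other. The surrounding method starts before and ends after this hunk.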
