Author: schor
Date: Tue Jun 25 20:05:07 2019
New Revision: 1862084

URL: http://svn.apache.org/viewvc?rev=1862084&view=rev
Log:
[UIMA-6064]

Modified:
    uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml  
 (contents, props changed)
    
uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
   (contents, props changed)

Modified: 
uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml
URL: 
http://svn.apache.org/viewvc/uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml?rev=1862084&r1=1862083&r2=1862084&view=diff
==============================================================================
--- uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml 
(original)
+++ uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml 
Tue Jun 25 20:05:07 2019
@@ -102,6 +102,7 @@ under the License.
            <entry><emphasis role="bold">Since Version</emphasis></entry>
          </row>
 
+
          <!-- 
******************************************************************************* 
-->
          <row>
            <entry><para>Use built-in Java Logger as default 
back-end</para></entry>
@@ -153,6 +154,21 @@ under the License.
            <entry><para>2.7.0</para></entry>
          </row>
          -->
+
+         <!-- 
******************************************************************************* 
-->
+         <row>
+           <entry><para>XML: enable doctype declarations</para></entry>
+           <entry><para><code>uima.xml.enable.doctype_decl</code> (default is 
false)</para>
+
+           <para>See <ulink 
url="https://issues.apache.org/jira/browse/UIMA-6064";>UIMA-6064</ulink>
+           Normally, this is turned off to avoid exposure to malicious XML; see
+           <ulink 
url="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">
+             XML External Entity processing vulnerability</ulink>.
+           </para>
+           </entry>
+           
+           <entry><para>2.10.4, 3.0.3</para></entry>
+         </row>
          
          <row>
            <entry spanname="fullwidth"><emphasis role="bold">Index protection 
properties</emphasis></entry>

Propchange: 
uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml
------------------------------------------------------------------------------
--- svn:mergeinfo (added)
+++ svn:mergeinfo Tue Jun 25 20:05:07 2019
@@ -0,0 +1,4 @@
+/uima/uimaj/branches/depend-on-july-9-build-tools/uima-docbook-references/src/docbook/ref.config.xml:963167-964468
+/uima/uimaj/branches/depend-on-parent-pom-4/uima-docbook-references/src/docbook/ref.config.xml:961329-961745
+/uima/uimaj/branches/filteredCompress-uima-2498/uima-docbook-references/src/docbook/ref.config.xml:1436573-1462257
+/uima/uimaj/trunk/uima-docbook-references/src/docbook/ref.config.xml:1690273-1862083

Modified: 
uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
URL: 
http://svn.apache.org/viewvc/uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java?rev=1862084&r1=1862083&r2=1862084&view=diff
==============================================================================
--- 
uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
 (original)
+++ 
uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
 Tue Jun 25 20:05:07 2019
@@ -31,6 +31,7 @@ import javax.xml.transform.sax.SAXTransf
 
 import org.apache.uima.UIMAFramework;
 import org.apache.uima.util.Level;
+import org.apache.uima.util.Misc;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -44,10 +45,19 @@ import org.xml.sax.helpers.XMLReaderFact
 /**
  * Some utilities for working with XML.
  * 
- * 
+ * abstract only to prevent instantiation - all methods are static
  */
 public abstract class XMLUtils {
   
+  /** see 
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md
 */
+  
+  /**
+   * -Duima.xml.enable.doctype_decl   
+   * 
+   */
+  private static final String XML_ENABLE_DOCTYPE_DECL = 
"uima.xml.enable.doctype_decl";
+  private static final boolean IS_XML_ENABLE_DOCTYPE_DECL = 
Misc.getNoValueSystemProperty(XML_ENABLE_DOCTYPE_DECL);
+  
   // constants - not all Java versions define these
   
   private static final String ACCESS_EXTERNAL_STYLESHEET = 
"http://javax.xml.XMLConstants/property/accessExternalStylesheet";;
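Review bot: The first Javadoc in the hunk (`/** see https://github.com/OWASP/CheatSheetSeries/.../XML_External_Entity_Prevention_Cheat_Sheet.md */`) is attached to nothing — it sits between the class line and a second Javadoc, so doc tools drop it and readers miss the reference; fold it into the comment on `XML_ENABLE_DOCTYPE_DECL`. That comment should also state the contract an operator needs: setting the property removes the `disallow-doctype-decl` guard for every parser built through `XMLUtils` in the JVM, so whoever sets it must either trust all XML the process parses or rely on the remaining DTD/external-entity hardening (the feature names are declared just below; whether they are applied is outside this hunk). Two details are only implied by the code and deserve a sentence each: the value is captured once into a `static final` at class initialization, so the property must be on the command line rather than set programmatically after first use; and the helper name `Misc.getNoValueSystemProperty` suggests a presence-only check, in which case `-Duima.xml.enable.doctype_decl=false` would still enable doctypes — confirm against `Misc`, and document whichever is true, since the accompanying docbook entry says "default is false" as if it took a boolean value.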
@@ -57,6 +67,7 @@ public abstract class XMLUtils {
   private static final String LOAD_EXTERNAL_DTD = 
"http://apache.org/xml/features/nonvalidating/load-external-dtd";;
   private static final String EXTERNAL_GENERAL_ENTITIES = 
"http://xml.org/sax/features/external-general-entities";;
   private static final String EXTERNAL_PARAMETER_ENTITIES = 
"http://xml.org/sax/features/external-parameter-entities";;
+
   /**
    * Normalizes the given string for output to XML. This converts all special 
characters, e.g. &lt;,
    * %gt;, &amp;, to their XML representations, e.g. &amp;lt;, &amp;gt;, 
&amp;amp;. The normalized
@@ -542,7 +553,9 @@ public abstract class XMLUtils {
   public static SAXParserFactory createSAXParserFactory() {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     try {
-      factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      if ( ! IS_XML_ENABLE_DOCTYPE_DECL) {  // 
https://issues.apache.org/jira/browse/UIMA-6064
+        factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      }
     } catch (SAXNotRecognizedException e) {
       UIMAFramework.getLogger().log(Level.WARNING, 
           "SAXParserFactory didn't recognize feature " + 
DISALLOW_DOCTYPE_DECL);
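Review bot: When the property is set, the enabled branch is silent — nothing in the log records that the XXE guard was relaxed, which makes a misconfigured production JVM hard to spot from the outside; add a one-time notice, e.g. `} else {` / `UIMAFramework.getLogger().log(Level.WARNING, "DOCTYPE declarations enabled by -D" + XML_ENABLE_DOCTYPE_DECL + "; parse only trusted XML");` / `}`. With `disallow-doctype-decl` left at its default, `LOAD_EXTERNAL_DTD`, the two `EXTERNAL_*_ENTITIES` features and `FEATURE_SECURE_PROCESSING` (plus the JDK's entity-expansion limit) become the only protection against external-entity and entity-expansion attacks; whether they are still set when doctypes are enabled is outside this hunk, so a comment on the `if` should say the enabled branch depends on them. Note also that the `SAXNotRecognizedException` handler now only fires in the disabled branch, so the existing warning text remains accurate. `createSAXParserFactory` continues past the end of the hunk.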
@@ -647,7 +660,9 @@ public abstract class XMLUtils {
   public static DocumentBuilderFactory createDocumentBuilderFactory() { 
     DocumentBuilderFactory documentBuilderFactory = 
DocumentBuilderFactory.newInstance();
     try {
-      documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      if ( ! IS_XML_ENABLE_DOCTYPE_DECL) {  // 
https://issues.apache.org/jira/browse/UIMA-6064
+        documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      }
     } catch (ParserConfigurationException e1) {
       UIMAFramework.getLogger().log(Level.WARNING, 
           "DocumentBuilderFactory didn't recognize setting feature " + 
DISALLOW_DOCTYPE_DECL);
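Review bot: For the DOM path there is a DOCTYPE-specific mitigation the SAX path does not have: once doctypes are allowed, `DocumentBuilder` will expand internal entity references into the tree, and the OWASP XXE cheat sheet the class cites recommends `documentBuilderFactory.setExpandEntityReferences(false);` alongside the feature flags — if that call is not already made further down (outside this hunk), add it in the enabled branch with a comment naming the cheat sheet. The flag check is now duplicated verbatim between `createSAXParserFactory` and `createDocumentBuilderFactory` with the same JIRA link on each; a small private helper such as `applyDoctypePolicy(...)` would keep the two from drifting and give one place for a warning when the guard is relaxed. `createDocumentBuilderFactory` continues past the end of the hunk.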

Propchange: 
uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Jun 25 20:05:07 2019
@@ -5,4 +5,4 @@
 
/uima/uimaj/branches/filteredCompress-uima-2498/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1436573-1462257
 
/uima/uimaj/branches/mavenAlign/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:933273-944396
 
/uima/uimaj/branches/test-parent-pom-6/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1024030
-/uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1690273-1813784
+/uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1690273-1862083

