Author: schor Date: Tue Jun 25 20:05:07 2019 New Revision: 1862084 URL: http://svn.apache.org/viewvc?rev=1862084&view=rev Log: [UIMA-6064]
Modified:
 uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml (contents, props changed)
 uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java (contents, props changed)
Modified: uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml
URL: http://svn.apache.org/viewvc/uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml?rev=1862084&r1=1862083&r2=1862084&view=diff
==============================================================================
--- uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml (original)
+++ uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml Tue Jun 25 20:05:07 2019
@@ -102,6 +102,7 @@ under the License.
 <entry><emphasis role="bold">Since Version</emphasis></entry>
 </row>
+ <!-- ******************************************************************************* -->
 <row>
 <entry><para>Use built-in Java Logger as default back-end</para></entry>
@@ -153,6 +154,21 @@ under the License.
 <entry><para>2.7.0</para></entry>
 </row>
 -->
+
+ <!-- ******************************************************************************* -->
+ <row>
+ <entry><para>XML: enable doctype declarations</para></entry>
+ <entry><para><code>uima.xml.enable.doctype_decl</code> (default is false)</para>
+
+ <para>See <ulink url="https://issues.apache.org/jira/browse/UIMA-6064">UIMA-6064</ulink>
+ Normally, this is turned off to avoid exposure to malicious XML; see
+ <ulink url="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">
+ XML External Entity processing vulnerability</ulink>.
+ </para>
+ </entry>
+
+ <entry><para>2.10.4, 3.0.3</para></entry>
+ </row>
 <row>
 <entry spanname="fullwidth"><emphasis role="bold">Index protection properties</emphasis></entry>
Propchange: uima/uv3/uimaj-v3/trunk/uima-docbook-references/src/docbook/ref.config.xml
------------------------------------------------------------------------------
--- svn:mergeinfo (added)
+++ svn:mergeinfo Tue Jun 25 20:05:07 2019
@@ -0,0 +1,4 @@
+/uima/uimaj/branches/depend-on-july-9-build-tools/uima-docbook-references/src/docbook/ref.config.xml:963167-964468
+/uima/uimaj/branches/depend-on-parent-pom-4/uima-docbook-references/src/docbook/ref.config.xml:961329-961745
+/uima/uimaj/branches/filteredCompress-uima-2498/uima-docbook-references/src/docbook/ref.config.xml:1436573-1462257
+/uima/uimaj/trunk/uima-docbook-references/src/docbook/ref.config.xml:1690273-1862083
Modified: uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
URL: http://svn.apache.org/viewvc/uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java?rev=1862084&r1=1862083&r2=1862084&view=diff
==============================================================================
--- uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java (original)
+++ uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java Tue Jun 25 20:05:07 2019
@@ -31,6 +31,7 @@ import javax.xml.transform.sax.SAXTransf
 import org.apache.uima.UIMAFramework;
 import org.apache.uima.util.Level;
+import org.apache.uima.util.Misc;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -44,10 +45,19 @@ import org.xml.sax.helpers.XMLReaderFact
 /**
 * Some utilities for working with XML.
 *
- *
+ * abstract only to prevent instantiation - all methods are static
 */
 public abstract class XMLUtils {
+ /** see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md */
+
+ /**
+ * -Duima.xml.enable.doctype_decl
+ *
+ */
+ private static final String XML_ENABLE_DOCTYPE_DECL = "uima.xml.enable.doctype_decl";
+ private static final boolean IS_XML_ENABLE_DOCTYPE_DECL = Misc.getNoValueSystemProperty(XML_ENABLE_DOCTYPE_DECL);
+
 // constants - not all Java versions define these
 private static final String ACCESS_EXTERNAL_STYLESHEET = "http://javax.xml.XMLConstants/property/accessExternalStylesheet";
@@ -57,6 +67,7 @@ public abstract class XMLUtils {
 private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
 private static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
 private static final String EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
+
 /**
 * Normalizes the given string for output to XML. This converts all special characters, e.g. <,
 * %gt;, &, to their XML representations, e.g. &lt;, &gt;, &amp;. The normalized
@@ -542,7 +553,9 @@ public abstract class XMLUtils {
 public static SAXParserFactory createSAXParserFactory() {
 SAXParserFactory factory = SAXParserFactory.newInstance();
 try {
- factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+ if ( ! IS_XML_ENABLE_DOCTYPE_DECL) { // https://issues.apache.org/jira/browse/UIMA-6064
+ factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+ }
 } catch (SAXNotRecognizedException e) {
 UIMAFramework.getLogger().log(Level.WARNING,
 "SAXParserFactory didn't recognize feature " + DISALLOW_DOCTYPE_DECL);
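Review bot: The javadoc on XML_ENABLE_DOCTYPE_DECL says only `-Duima.xml.enable.doctype_decl`; it should state what setting it does and when it is read. IS_XML_ENABLE_DOCTYPE_DECL is a static final initialised from Misc.getNoValueSystemProperty at class load, so the property must be present before XMLUtils is first touched and a later System.setProperty has no effect — worth stating, since the ref.config.xml entry does not. The preceding `/** see https://github.com/OWASP/... */` is an orphaned javadoc (a blank line separates it from the field), so it attaches to nothing; fold the link into the field's javadoc. Suggested text: `/** Opt-in: when the system property uima.xml.enable.doctype_decl is present, the parser factories created here no longer set DISALLOW_DOCTYPE_DECL (read once at class load). Leave unset unless all XML parsed is trusted - see the OWASP XXE prevention cheat sheet. */`. If Misc.getNoValueSystemProperty treats mere presence as true, as its name suggests, then `-Duima.xml.enable.doctype_decl=false` would also enable it; document whichever is the case.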
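Review bot: When IS_XML_ENABLE_DOCTYPE_DECL is true the new branch silently leaves the SAXParserFactory with DOCTYPE declarations allowed, so a deployment running in the weakened configuration is indistinguishable from a hardened one in the logs; only the SAXNotRecognizedException path logs anything. Add an else branch that records the opt-in, e.g. `} else { UIMAFramework.getLogger().log(Level.WARNING, "DOCTYPE declarations enabled via -D" + XML_ENABLE_DOCTYPE_DECL + "; XML from untrusted sources is not protected against XXE"); }` (a once-only static flag, or logging from the static initializer, avoids repeating it per factory). With doctypes allowed, the features declared above (EXTERNAL_GENERAL_ENTITIES, EXTERNAL_PARAMETER_ENTITIES, LOAD_EXTERNAL_DTD) become the only XXE defence and entity expansion is no longer blocked at the doctype; the rest of createSAXParserFactory is outside the hunk, so please confirm those are still set unconditionally and that XMLConstants.FEATURE_SECURE_PROCESSING is enabled so the JDK expansion limits apply. The same applies to createDocumentBuilderFactory in hunk @@ -647.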
@@ -647,7 +660,9 @@ public abstract class XMLUtils {
 public static DocumentBuilderFactory createDocumentBuilderFactory() {
 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
 try {
- documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+ if ( ! IS_XML_ENABLE_DOCTYPE_DECL) { // https://issues.apache.org/jira/browse/UIMA-6064
+ documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+ }
 } catch (ParserConfigurationException e1) {
 UIMAFramework.getLogger().log(Level.WARNING,
 "DocumentBuilderFactory didn't recognize setting feature " + DISALLOW_DOCTYPE_DECL);
Propchange: uima/uv3/uimaj-v3/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Tue Jun 25 20:05:07 2019
@@ -5,4 +5,4 @@
 /uima/uimaj/branches/filteredCompress-uima-2498/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1436573-1462257
 /uima/uimaj/branches/mavenAlign/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:933273-944396
 /uima/uimaj/branches/test-parent-pom-6/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1024030
-/uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1690273-1813784
+/uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java:1690273-1862083