Author: veithen
Date: Sun Aug  9 15:25:18 2009
New Revision: 802550

URL: http://svn.apache.org/viewvc?rev=802550&view=rev
Log:
AXIS2-4450: Added a feature to disallow doctype declarations at StAX level. 
Note that the correct way to do that depends on the StAX implementation, so 
this feature is part of the dialect API.

Added:
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclInputFactoryWrapper.java
   (with props)
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclStreamReaderWrapper.java
   (with props)
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectUtils.java
   (with props)
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/DummyHTTPServer.java
   (with props)
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/dialect/
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/dialect/doctype_dos.xml
   (with props)
Modified:
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/BEADialect.java
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SJSXPDialect.java
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialect.java
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/UnknownStAXDialect.java
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/WoodstoxDialect.java
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXPDialect.java
    
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/StAXDialectTest.java

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/BEADialect.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/BEADialect.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/BEADialect.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/BEADialect.java
 Sun Aug  9 15:25:18 2009
@@ -37,6 +37,10 @@
                 Boolean.TRUE);
     }
 
+    public XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) {
+        return StAXDialectUtils.disallowDoctypeDecl(factory);
+    }
+
     public XMLInputFactory makeThreadSafe(XMLInputFactory factory) {
         // Factories are already thread safe
         return factory;
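Review bot: The one-line delegation to StAXDialectUtils.disallowDoctypeDecl carries no comment saying that its two preconditions (DTD events still reported with SUPPORT_DTD=false, external subset not loaded) were checked for the BEA implementation, whereas the neighbouring makeThreadSafe methods do record that kind of reasoning. A line such as `// BEA still reports DTD events with SUPPORT_DTD=false and does not load the external subset — verified with StAXDialectTest` (or whatever was actually verified) would document why the default is safe here. The same applies to the identical delegations added in WoodstoxDialect, XLXP2Dialect and XLXPDialect in this commit.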

Added: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclInputFactoryWrapper.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclInputFactoryWrapper.java?rev=802550&view=auto
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclInputFactoryWrapper.java
 (added)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclInputFactoryWrapper.java
 Sun Aug  9 15:25:18 2009
@@ -0,0 +1,35 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axiom.util.stax.dialect;
+
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamReader;
+
+import org.apache.axiom.util.stax.wrapper.WrappingXMLInputFactory;
+
+class DisallowDoctypeDeclInputFactoryWrapper extends WrappingXMLInputFactory {
+    public DisallowDoctypeDeclInputFactoryWrapper(XMLInputFactory parent) {
+        super(parent);
+    }
+
+    protected XMLStreamReader wrap(XMLStreamReader reader) {
+        return new DisallowDoctypeDeclStreamReaderWrapper(reader);
+    }
+}
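Review bot: The class has no Javadoc explaining its role; a header such as `/** XMLInputFactory wrapper that rejects documents containing a DOCTYPE declaration by wrapping every created XMLStreamReader in a DisallowDoctypeDeclStreamReaderWrapper; used by StAXDialect#disallowDoctypeDecl implementations. */` would do. Only wrap(XMLStreamReader) is overridden, so whether readers obtained through createXMLEventReader or createFilteredReader are covered depends on WrappingXMLInputFactory routing them through wrap(), which is not visible in this diff; that should be confirmed and stated in the Javadoc.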

Propchange: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclInputFactoryWrapper.java
------------------------------------------------------------------------------
    svn:eol-style = native

Added: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclStreamReaderWrapper.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclStreamReaderWrapper.java?rev=802550&view=auto
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclStreamReaderWrapper.java
 (added)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclStreamReaderWrapper.java
 Sun Aug  9 15:25:18 2009
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axiom.util.stax.dialect;
+
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+
+import org.apache.axiom.util.stax.wrapper.XMLStreamReaderWrapper;
+
+class DisallowDoctypeDeclStreamReaderWrapper extends XMLStreamReaderWrapper {
+    public DisallowDoctypeDeclStreamReaderWrapper(XMLStreamReader parent) {
+        super(parent);
+    }
+
+    public int next() throws XMLStreamException {
+        int event = super.next();
+        if (event == DTD) {
+            throw new XMLStreamException("DOCTYPE is not allowed");
+        }
+        return event;
+    }
+}
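Review bot: The class documents neither what it guarantees nor what it does not: the DTD check in next() fires only after the underlying parser has already consumed the DOCTYPE declaration, so this wrapper enforces only the ordering requirement of the StAXDialect contract (an exception before the first START_ELEMENT), while not loading the external subset and not expanding the internal subset must come from the factory configuration. A class Javadoc stating that would keep the next maintainer from treating the wrapper as a complete defence on its own. Whether XMLStreamReaderWrapper.nextTag() goes through this next() override or delegates straight to the parent is not visible here; if the latter, a DTD event reached via nextTag() would be rejected by the parent's own nextTag() logic rather than with this message, which is worth confirming.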

Propchange: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/DisallowDoctypeDeclStreamReaderWrapper.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SJSXPDialect.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SJSXPDialect.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SJSXPDialect.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SJSXPDialect.java
 Sun Aug  9 15:25:18 2009
@@ -21,6 +21,8 @@
 
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLResolver;
+import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.XMLStreamWriter;
 
@@ -37,6 +39,23 @@
                 Boolean.TRUE);
     }
 
+    public XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) {
+        // SJSXP is particular because when SUPPORT_DTD is set to false, no 
DTD event is reported.
+        // This means that we would not be able to throw an exception. The 
trick is to enable
+        // DTD support and trigger an exception if the parser attempts to load 
the external subset
+        // or returns a DTD event.
+        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
+        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, 
Boolean.FALSE);
+        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, 
Boolean.FALSE);
+        factory.setXMLResolver(new XMLResolver() {
+            public Object resolveEntity(String publicID, String systemID, 
String baseURI,
+                    String namespace) throws XMLStreamException {
+                throw new XMLStreamException("DOCTYPE is not allowed");
+            }
+        });
+        return new DisallowDoctypeDeclInputFactoryWrapper(factory);
+    }
+
     public XMLInputFactory makeThreadSafe(XMLInputFactory factory) {
         factory.setProperty("reuse-instance", Boolean.FALSE);
         return factory;
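Review bot: The anonymous XMLResolver installed by factory.setXMLResolver(...) silently replaces any resolver the caller had configured, and together with the three setProperty calls it mutates the factory passed in rather than only the returned wrapper; neither side effect is mentioned. A line such as `// Mutates the caller's factory: overrides SUPPORT_DTD, the entity settings and any previously installed XMLResolver` above the first setProperty would make that explicit. Since the resolver holds no state it could be a `private static final XMLResolver` field instead of being allocated on every call. Depending on when SJSXP resolves the external subset, the XMLStreamException from resolveEntity may surface from createXMLStreamReader rather than from next(); that satisfies the StAXDialect contract, but the method comment could say so.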

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialect.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialect.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialect.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialect.java
 Sun Aug  9 15:25:18 2009
@@ -21,6 +21,7 @@
 
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamConstants;
 
 /**
  * Encapsulates the specific characteristics of a particular StAX 
implementation.
@@ -139,6 +140,32 @@
     void enableCDataReporting(XMLInputFactory factory);
     
     /**
+     * Configure the given factory to disallow DOCTYPE declarations. The 
effect of this is similar
+     * to the <tt>http://apache.org/xml/features/disallow-doctype-decl</tt> 
feature in Xerces. The
+     * factory instance returned by this method MUST satisfy the following 
requirements:
+     * <ul>
+     * <li>The factory or the reader implementation MUST throw an exception 
when requested to parse
+     * a document containing a DOCTYPE declaration. If the exception is not 
thrown by the factory,
+     * it MUST be thrown by the reader before the first {...@link 
XMLStreamConstants#START_ELEMENT}
+     * event.
+     * <li>The parser MUST NOT attempt to load the external DTD subset or any 
other external
+     * entity.
+     * <li>The parser MUST protect itself against denial of service attacks 
based on deeply nested
+     * entity definitions present in the internal DTD subset. Ideally, the 
parser SHOULD NOT process
+     * the internal subset at all and throw an exception immediately when 
encountering the DOCTYPE
+     * declaration.
+     * </ul>
+     * This method is typically useful in the context of SOAP processing since 
a SOAP message must
+     * not contain a Document Type Declaration.
+     * 
+     * @param factory
+     *            the factory to configure
+     * @return the factory that disallows DOCTYPE declarations; this may be 
the original factory
+     *         instance or a wrapper
+     */
+    XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory);
+    
+    /**
      * Make an {...@link XMLInputFactory} object thread safe. The 
implementation may do this either by
      * configuring the factory or by creating a thread safe wrapper. The 
returned factory must be
      * thread safe for all method calls that don't change the (visible) state 
of the factory. This
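Review bot: The new contract for disallowDoctypeDecl leaves two things unstated that implementations and callers need to know: whether the guarantees also cover readers obtained through createXMLEventReader and createFilteredReader (the wrapper-based implementations in this commit only override stream reader creation as far as the diff shows), and whether the caller may keep using or reconfiguring the original factory after the call (the default implementation applies setProperty to the original instance, so presumably changing SUPPORT_DTD on it afterwards would undo the protection even when a wrapper was returned). One sentence for each in the Javadoc would close the gap, e.g. `The configuration applied to the original factory is part of the guarantee; callers MUST NOT reconfigure the original instance after calling this method.` The enclosing interface continues outside the hunk.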

Added: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectUtils.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectUtils.java?rev=802550&view=auto
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectUtils.java
 (added)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectUtils.java
 Sun Aug  9 15:25:18 2009
@@ -0,0 +1,45 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axiom.util.stax.dialect;
+
+import javax.xml.stream.XMLInputFactory;
+
+class StAXDialectUtils {
+    /**
+     * Default implementation for the {...@link 
StAXDialect#disallowDoctypeDecl(XMLInputFactory)}
+     * method. This method assumes that if {...@link 
XMLInputFactory#SUPPORT_DTD} is set to false, the
+     * underlying parser
+     * <ol>
+     * <li>still reports DTD events and
+     * <li>doesn't attempt to load the external DTD subset (if present).
+     * </ol>
+     * These assumptions may be false for some StAX implementations.
+     * 
+     * @param factory
+     *            the factory to configure
+     * @return the configured factory
+     */
+    public static XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) 
{
+        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, 
Boolean.FALSE);
+        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, 
Boolean.FALSE);
+        return new DisallowDoctypeDeclInputFactoryWrapper(factory);
+    }
+}
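Review bot: disallowDoctypeDecl reconfigures the factory it receives in place before wrapping it, which the Javadoc does not mention; the `@return` text should say that the original factory is modified and that the returned wrapper depends on that configuration. StAXDialectUtils is a utility class with a single static method and no private constructor, so `private StAXDialectUtils() {}` would prevent accidental instantiation. The two assumptions listed in the Javadoc cannot be checked at this level, so each dialect that delegates here (BEADialect, WoodstoxDialect, XLXPDialect, XLXP2Dialect and UnknownStAXDialect in this commit) is responsible for them, and the Javadoc could say so explicitly.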

Propchange: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectUtils.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/UnknownStAXDialect.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/UnknownStAXDialect.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/UnknownStAXDialect.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/UnknownStAXDialect.java
 Sun Aug  9 15:25:18 2009
@@ -33,6 +33,10 @@
         // This is in principle only the prerequisite; let's hope that it is 
sufficient
         factory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
     }
+    
+    public XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) {
+        return StAXDialectUtils.disallowDoctypeDecl(factory);
+    }
 
     public XMLInputFactory makeThreadSafe(XMLInputFactory factory) {
         // Cross fingers and assume that the factory is already thread safe
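Review bot: For an unknown StAX implementation the two assumptions StAXDialectUtils.disallowDoctypeDecl relies on are unverified, and the SJSXP change in this same commit shows that at least one real implementation stops reporting DTD events when SUPPORT_DTD is false; in that case the wrapper never throws and a DOCTYPE is accepted silently. The method deserves a comment in the same spirit as the ones around it, e.g. `// Best effort: relies on the parser still reporting DTD events with SUPPORT_DTD=false; unverified for unknown implementations`, so nobody reads this as a guarantee. Running StAXDialectTest against a new implementation before adding a dialect for it would turn the assumption into a tested fact.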

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/WoodstoxDialect.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/WoodstoxDialect.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/WoodstoxDialect.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/WoodstoxDialect.java
 Sun Aug  9 15:25:18 2009
@@ -36,6 +36,10 @@
         factory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
     }
 
+    public XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) {
+        return StAXDialectUtils.disallowDoctypeDecl(factory);
+    }
+
     public XMLInputFactory makeThreadSafe(XMLInputFactory factory) {
         // Woodstox' factories are designed to be thread safe
         return factory;

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java
 Sun Aug  9 15:25:18 2009
@@ -35,6 +35,10 @@
         factory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
     }
 
+    public XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) {
+        return StAXDialectUtils.disallowDoctypeDecl(factory);
+    }
+
     public XMLInputFactory makeThreadSafe(XMLInputFactory factory) {
         // XLXP's factories are thread safe
         return factory;

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXPDialect.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXPDialect.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXPDialect.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXPDialect.java
 Sun Aug  9 15:25:18 2009
@@ -40,6 +40,10 @@
         factory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.FALSE);
     }
 
+    public XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) {
+        return StAXDialectUtils.disallowDoctypeDecl(factory);
+    }
+
     public XMLInputFactory makeThreadSafe(XMLInputFactory factory) {
         // XLXP's factories are thread safe
         return factory;

Added: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/DummyHTTPServer.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/DummyHTTPServer.java?rev=802550&view=auto
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/DummyHTTPServer.java
 (added)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/DummyHTTPServer.java
 Sun Aug  9 15:25:18 2009
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axiom.util.stax.dialect;
+
+import java.io.IOException;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+/**
+ * Dummy HTTP server used to determine if a parser attempts to access an 
external HTTP resource.
+ */
+public class DummyHTTPServer implements Runnable {
+    private ServerSocket serverSocket;
+    private volatile boolean requestReceived;
+    
+    public void run() {
+        while (true) {
+            Socket socket;
+            try {
+                socket = serverSocket.accept();
+            } catch (IOException ex) {
+                return;
+            }
+            requestReceived = true;
+            try {
+                socket.close();
+            } catch (IOException ex) {
+                ex.printStackTrace();
+            }
+        }
+    }
+
+    public void start() throws IOException {
+        serverSocket = new ServerSocket(0);
+        new Thread(this).start();
+    }
+    
+    public void stop() throws IOException {
+        serverSocket.close();
+    }
+    
+    public String getBaseURL() {
+        return "http://127.0.0.1:"; + serverSocket.getLocalPort() + "/";
+    }
+
+    public boolean isRequestReceived() {
+        return requestReceived;
+    }
+}
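Review bot: getBaseURL() as shown has a stray semicolon after the string literal, `return "http://127.0.0.1:"; + serverSocket.getLocalPort() + "/";`, which turns the second half into an invalid statement and would stop the class from compiling; if this is not a mail-rendering artifact the line should read `return "http://127.0.0.1:" + serverSocket.getLocalPort() + "/";`. Separately, `new ServerSocket(0)` in start() binds the wildcard address, so the test listener is reachable from other hosts for the duration of the test even though getBaseURL() only ever hands out 127.0.0.1; `serverSocket = new ServerSocket(0, 50, InetAddress.getByName("127.0.0.1"));` (plus a java.net.InetAddress import) keeps the fixture local. The `ex.printStackTrace()` in run() is also the only place a close failure is reported; since the flag is already set by then, naming the variable `ignored` with a short comment would be clearer than printing.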

Propchange: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/DummyHTTPServer.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/StAXDialectTest.java
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/StAXDialectTest.java?rev=802550&r1=802549&r2=802550&view=diff
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/StAXDialectTest.java
 (original)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/java/org/apache/axiom/util/stax/dialect/StAXDialectTest.java
 Sun Aug  9 15:25:18 2009
@@ -20,8 +20,12 @@
 package org.apache.axiom.util.stax.dialect;
 
 import java.io.ByteArrayInputStream;
+import java.io.InputStream;
 import java.io.StringReader;
 
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamConstants;
+import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.XMLStreamWriter;
 
@@ -123,4 +127,97 @@
         }
         reader.close();
     }
+    
+    public void testDisallowDoctypeDeclWithExternalSubset() throws Exception {
+        XMLInputFactory factory = XMLInputFactory.newInstance();
+        StAXDialect dialect = 
StAXDialectDetector.getDialect(factory.getClass());
+        factory = dialect.disallowDoctypeDecl(dialect.normalize(factory));
+        DummyHTTPServer server = new DummyHTTPServer();
+        server.start();
+        try {
+            boolean gotException = false;
+            boolean reachedDocumentElement = false;
+            try {
+                XMLStreamReader reader = factory.createXMLStreamReader(new 
StringReader(
+                        "<?xml version='1.0'?><!DOCTYPE root SYSTEM '" + 
server.getBaseURL() +
+                        "dummy.dtd'><root/>"));
+                try {
+                    while (reader.hasNext()) {
+                        if (reader.next() == XMLStreamConstants.START_ELEMENT) 
{
+                            reachedDocumentElement = true;
+                        }
+                    }
+                } finally {
+                    reader.close();
+                }
+            } catch (XMLStreamException ex) {
+                gotException = true;
+            } catch (RuntimeException ex) {
+                gotException = true;
+            }
+            assertTrue("Expected exception", gotException);
+            assertFalse("The parser tried to load external DTD subset", 
server.isRequestReceived());
+            assertFalse("The parser failed to throw an exception before 
reaching the document element", reachedDocumentElement);
+        } finally {
+            server.stop();
+        }
+    }
+    
+    public void testDisallowDoctypeDeclWithInternalSubset() throws Exception {
+        XMLInputFactory factory = XMLInputFactory.newInstance();
+        StAXDialect dialect = 
StAXDialectDetector.getDialect(factory.getClass());
+        factory = dialect.disallowDoctypeDecl(dialect.normalize(factory));
+        boolean gotException = false;
+        boolean reachedDocumentElement = false;
+        try {
+            XMLStreamReader reader = factory.createXMLStreamReader(new 
StringReader(
+                    "<?xml version='1.0'?><!DOCTYPE root []><root/>"));
+            try {
+                while (reader.hasNext()) {
+                    if (reader.next() == XMLStreamConstants.START_ELEMENT) {
+                        reachedDocumentElement = true;
+                    }
+                }
+            } finally {
+                reader.close();
+            }
+        } catch (XMLStreamException ex) {
+            gotException = true;
+        } catch (RuntimeException ex) {
+            gotException = true;
+        }
+        assertTrue("Expected exception", gotException);
+        assertFalse("The parser failed to throw an exception before reaching 
the document element", reachedDocumentElement);
+    }
+    
+    public void testDisallowDoctypeDeclWithDenialOfService() throws Exception {
+        XMLInputFactory factory = XMLInputFactory.newInstance();
+        StAXDialect dialect = 
StAXDialectDetector.getDialect(factory.getClass());
+        factory = dialect.disallowDoctypeDecl(dialect.normalize(factory));
+        InputStream in = 
StAXDialectTest.class.getResourceAsStream("doctype_dos.xml");
+        try {
+            boolean gotException = false;
+            boolean reachedDocumentElement = false;
+            try {
+                XMLStreamReader reader = factory.createXMLStreamReader(in);
+                try {
+                    while (reader.hasNext()) {
+                        if (reader.next() == XMLStreamConstants.START_ELEMENT) 
{
+                            reachedDocumentElement = true;
+                        }
+                    }
+                } finally {
+                    reader.close();
+                }
+            } catch (XMLStreamException ex) {
+                gotException = true;
+            } catch (RuntimeException ex) {
+                gotException = true;
+            }
+            assertTrue("Expected exception", gotException);
+            assertFalse("The parser failed to throw an exception before 
reaching the document element", reachedDocumentElement);
+        } finally {
+            in.close();
+        }
+    }
 }
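Review bot: testDisallowDoctypeDeclWithDenialOfService passes vacuously if the doctype_dos.xml resource is missing: getResourceAsStream() then returns null, createXMLStreamReader(null) most likely fails with a RuntimeException, and the broad `catch (RuntimeException ex)` counts that as the expected DOCTYPE rejection. Add `assertNotNull("doctype_dos.xml not found", in);` right after the getResourceAsStream call, and consider keeping the caught exception and asserting on it (at least that it is not a NullPointerException) in all three tests, since the RuntimeException catch also hides ordinary bugs in the dialect under test. The parse loop and the two flags are repeated verbatim three times; a private helper taking the XMLStreamReader and returning whether START_ELEMENT was reached would reduce each test to its setup and assertions.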

Added: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/dialect/doctype_dos.xml
URL: 
http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/dialect/doctype_dos.xml?rev=802550&view=auto
==============================================================================
--- 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/dialect/doctype_dos.xml
 (added)
+++ 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/dialect/doctype_dos.xml
 Sun Aug  9 15:25:18 2009
@@ -0,0 +1,107 @@
+<?xml version="1.0" encoding ="UTF-8"?>
+<!-- Sample document with an internal DTD subset with deeply nested entity 
definitions that could
+     be used for a Denial of Service attack.
+     See also https://jaxp.dev.java.net/1.4/JAXP-Compatibility.html -->
+<!DOCTYPE foobar [
+    <!ENTITY x100 "foobar">
+    <!ENTITY  x99 "&x100;&x100;">
+    <!ENTITY  x98 "&x99;&x99;">
+    <!ENTITY  x97 "&x98;&x98;">
+    <!ENTITY  x96 "&x97;&x97;">
+    <!ENTITY  x95 "&x96;&x96;">
+    <!ENTITY  x94 "&x95;&x95;">
+    <!ENTITY  x93 "&x94;&x94;">
+    <!ENTITY  x92 "&x93;&x93;">
+    <!ENTITY  x91 "&x92;&x92;">
+    <!ENTITY  x90 "&x91;&x91;">
+    <!ENTITY  x89 "&x90;&x90;">
+    <!ENTITY  x88 "&x89;&x89;">
+    <!ENTITY  x87 "&x88;&x88;">
+    <!ENTITY  x86 "&x87;&x87;">
+    <!ENTITY  x85 "&x86;&x86;">
+    <!ENTITY  x84 "&x85;&x85;">
+    <!ENTITY  x83 "&x84;&x84;">
+    <!ENTITY  x82 "&x83;&x83;">
+    <!ENTITY  x81 "&x82;&x82;">
+    <!ENTITY  x80 "&x81;&x81;">
+    <!ENTITY  x79 "&x80;&x80;">
+    <!ENTITY  x78 "&x79;&x79;">
+    <!ENTITY  x77 "&x78;&x78;">
+    <!ENTITY  x76 "&x77;&x77;">
+    <!ENTITY  x75 "&x76;&x76;">
+    <!ENTITY  x74 "&x75;&x75;">
+    <!ENTITY  x73 "&x74;&x74;">
+    <!ENTITY  x72 "&x73;&x73;">
+    <!ENTITY  x71 "&x72;&x72;">
+    <!ENTITY  x70 "&x71;&x71;">
+    <!ENTITY  x69 "&x70;&x70;">
+    <!ENTITY  x68 "&x69;&x69;">
+    <!ENTITY  x67 "&x68;&x68;">
+    <!ENTITY  x66 "&x67;&x67;">
+    <!ENTITY  x65 "&x66;&x66;">
+    <!ENTITY  x64 "&x65;&x65;">
+    <!ENTITY  x63 "&x64;&x64;">
+    <!ENTITY  x62 "&x63;&x63;">
+    <!ENTITY  x61 "&x62;&x62;">
+    <!ENTITY  x60 "&x61;&x61;">
+    <!ENTITY  x59 "&x60;&x60;">
+    <!ENTITY  x58 "&x59;&x59;">
+    <!ENTITY  x57 "&x58;&x58;">
+    <!ENTITY  x56 "&x57;&x57;">
+    <!ENTITY  x55 "&x56;&x56;">
+    <!ENTITY  x54 "&x55;&x55;">
+    <!ENTITY  x53 "&x54;&x54;">
+    <!ENTITY  x52 "&x53;&x53;">
+    <!ENTITY  x51 "&x52;&x52;">
+    <!ENTITY  x50 "&x51;&x51;">
+    <!ENTITY  x49 "&x50;&x50;">
+    <!ENTITY  x48 "&x49;&x49;">
+    <!ENTITY  x47 "&x48;&x48;">
+    <!ENTITY  x46 "&x47;&x47;">
+    <!ENTITY  x45 "&x46;&x46;">
+    <!ENTITY  x44 "&x45;&x45;">
+    <!ENTITY  x43 "&x44;&x44;">
+    <!ENTITY  x42 "&x43;&x43;">
+    <!ENTITY  x41 "&x42;&x42;">
+    <!ENTITY  x40 "&x41;&x41;">
+    <!ENTITY  x39 "&x40;&x40;">
+    <!ENTITY  x38 "&x39;&x39;">
+    <!ENTITY  x37 "&x38;&x38;">
+    <!ENTITY  x36 "&x37;&x37;">
+    <!ENTITY  x35 "&x36;&x36;">
+    <!ENTITY  x34 "&x35;&x35;">
+    <!ENTITY  x33 "&x34;&x34;">
+    <!ENTITY  x32 "&x33;&x33;">
+    <!ENTITY  x31 "&x32;&x32;">
+    <!ENTITY  x30 "&x31;&x31;">
+    <!ENTITY  x29 "&x30;&x30;">
+    <!ENTITY  x28 "&x29;&x29;">
+    <!ENTITY  x27 "&x28;&x28;">
+    <!ENTITY  x26 "&x27;&x27;">
+    <!ENTITY  x25 "&x26;&x26;">
+    <!ENTITY  x24 "&x25;&x25;">
+    <!ENTITY  x23 "&x24;&x24;">
+    <!ENTITY  x22 "&x23;&x23;">
+    <!ENTITY  x21 "&x22;&x22;">
+    <!ENTITY  x20 "&x21;&x21;">
+    <!ENTITY  x19 "&x20;&x20;">
+    <!ENTITY  x18 "&x19;&x19;">
+    <!ENTITY  x17 "&x18;&x18;">
+    <!ENTITY  x16 "&x17;&x17;">
+    <!ENTITY  x15 "&x16;&x16;">
+    <!ENTITY  x14 "&x15;&x15;">
+    <!ENTITY  x13 "&x14;&x14;">
+    <!ENTITY  x12 "&x13;&x13;">
+    <!ENTITY  x11 "&x12;&x12;">
+    <!ENTITY  x10 "&x11;&x11;">
+    <!ENTITY   x9 "&x10;&x10;">
+    <!ENTITY   x8 "&x9;&x9;">
+    <!ENTITY   x7 "&x8;&x8;">
+    <!ENTITY   x6 "&x7;&x7;">
+    <!ENTITY   x5 "&x6;&x6;">
+    <!ENTITY   x4 "&x5;&x5;">
+    <!ENTITY   x3 "&x4;&x4;">
+    <!ENTITY   x2 "&x3;&x3;">
+    <!ENTITY   x1 "&x2;&x2;">
+]>
+<foobar>&x1;</foobar>

Propchange: 
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/test/resources/org/apache/axiom/util/stax/dialect/doctype_dos.xml
------------------------------------------------------------------------------
    svn:eol-style = native

