Author: veithen
Date: Sun May 16 21:17:02 2010
New Revision: 944915
URL: http://svn.apache.org/viewvc?rev=944915&view=rev
Log:
AXIS2-4450: Strictly forbid document type declarations in both SOAP and plain
XML requests.
Modified:
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
Modified:
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java?rev=944915&r1=944914&r2=944915&view=diff
==============================================================================
---
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
(original)
+++
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/BuilderUtil.java
Sun May 16 21:17:02 2010
@@ -32,6 +32,7 @@ import org.apache.axiom.om.impl.MTOMCons
import org.apache.axiom.om.impl.builder.StAXBuilder;
import org.apache.axiom.om.impl.builder.StAXOMBuilder;
import org.apache.axiom.om.impl.builder.XOPAwareStAXOMBuilder;
+import org.apache.axiom.om.util.StAXParserConfiguration;
import org.apache.axiom.om.util.StAXUtils;
import org.apache.axiom.soap.SOAP11Constants;
import org.apache.axiom.soap.SOAP12Constants;
@@ -227,8 +228,11 @@ public class BuilderUtil {
public static StAXBuilder getPOXBuilder(InputStream inStream, String
charSetEnc)
throws XMLStreamException {
StAXBuilder builder;
+ // We use the StAXParserConfiguration.SOAP here as well because we
don't want to allow
+ // document type declarations (that potentially reference external
entities), even
+ // in plain XML messages.
XMLStreamReader xmlreader =
- StAXUtils.createXMLStreamReader(inStream, charSetEnc);
+ StAXUtils.createXMLStreamReader(StAXParserConfiguration.SOAP,
inStream, charSetEnc);
builder = new StAXOMBuilder(xmlreader);
return builder;
}
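Review bot: Nothing in this commit pins the new DOCTYPE rejection in getPOXBuilder, since the only modified files are BuilderUtil.java and SOAPBuilder.java. A test that feeds a plain XML payload carrying a DOCTYPE and expects the build to fail would stop a later refactoring from silently restoring the default parser configuration. The contract change also deserves a Javadoc line on the method, for example `Document type declarations are not allowed; input containing a DOCTYPE is rejected.`, because the in-body comment is invisible to callers. Other StAXUtils.createXMLStreamReader call sites in this class lie outside the hunk; any that still parse request data without a StAXParserConfiguration argument would presumably need the same treatment.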
Modified:
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java?rev=944915&r1=944914&r2=944915&view=diff
==============================================================================
---
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
(original)
+++
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/builder/SOAPBuilder.java
Sun May 16 21:17:02 2010
@@ -21,6 +21,7 @@ package org.apache.axis2.builder;
import org.apache.axiom.om.OMElement;
import org.apache.axiom.om.impl.builder.StAXBuilder;
+import org.apache.axiom.om.util.StAXParserConfiguration;
import org.apache.axiom.om.util.StAXUtils;
import org.apache.axiom.om.util.DetachableInputStream;
import org.apache.axiom.soap.SOAPEnvelope;
@@ -54,8 +55,14 @@ public class SOAPBuilder implements Buil
PushbackInputStream pis = BuilderUtil.getPushbackInputStream(is);
String actualCharSetEncoding = BuilderUtil.getCharSetEncoding(pis,
charSetEncoding);
- // Get the XMLStreamReader for this input stream
- streamReader = StAXUtils.createXMLStreamReader(pis,
actualCharSetEncoding);
+ // Get the XMLStreamReader for this input stream.
+ // Note: StAXSOAPModelBuilder will trigger an exception when it
encounters a DTD event.
+ // However, with StAX implementations other than Woodstox,
this may already be
+ // too late. For these parsers, additional settings may be
required. We let
+ // the StAX dialect detector in Axiom apply the necessary
configuration.
+ // See also AXIS2-4450.
+ streamReader =
StAXUtils.createXMLStreamReader(StAXParserConfiguration.SOAP, pis,
+ actualCharSetEncoding);
StAXBuilder builder = new StAXSOAPModelBuilder(streamReader);
SOAPEnvelope envelope = (SOAPEnvelope)
builder.getDocumentElement();