Mercurial > hg > openjdk > jdk6 > jaxws

--- a/drop_included/jaxws_src/src/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java	Tue May 23 13:19:25 2017 +0300
+++ b/drop_included/jaxws_src/src/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java	Sun Jun 25 00:13:53 2017 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,6 +36,7 @@
 import com.sun.tools.internal.xjc.reader.internalizer.LocatorTable;
 import com.sun.xml.internal.bind.marshaller.DataWriter;
 import com.sun.xml.internal.ws.util.JAXWSUtils;
+import com.sun.xml.internal.ws.util.xml.XmlUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -117,13 +118,11 @@
         this.options = options;
         this.errorReceiver = errReceiver;
         this.logic = logic;
+
+        DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory();
+        this.parserFactory = XmlUtil.newSAXParserFactory();
         try {
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-            dbf.setNamespaceAware(true);
             this.documentBuilder = dbf.newDocumentBuilder();
-
-            this.parserFactory = SAXParserFactory.newInstance();
-            this.parserFactory.setNamespaceAware(true);
         } catch (ParserConfigurationException e) {
             throw new AssertionError(e);
         }
--- a/drop_included/jaxws_src/src/com/sun/xml/internal/ws/util/DOMUtil.java	Tue May 23 13:19:25 2017 +0300
+++ b/drop_included/jaxws_src/src/com/sun/xml/internal/ws/util/DOMUtil.java	Sun Jun 25 00:13:53 2017 +0100
@@ -25,6 +25,7 @@

 package com.sun.xml.internal.ws.util;

+import com.sun.xml.internal.ws.util.xml.XmlUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
@@ -63,8 +64,7 @@
         synchronized (DOMUtil.class) {
             if (db == null) {
                 try {
-                    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-                    dbf.setNamespaceAware(true);
+                    DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory();
                     db = dbf.newDocumentBuilder();
                 } catch (ParserConfigurationException e) {
                     throw new FactoryConfigurationError(e);
--- a/drop_included/jaxws_src/src/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Tue May 23 13:19:25 2017 +0300
+++ b/drop_included/jaxws_src/src/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Sun Jun 25 00:13:53 2017 +0100
@@ -36,14 +36,11 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.ErrorHandler;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
-import org.xml.sax.XMLReader;
-import org.xml.sax.InputSource;
+import org.xml.sax.*;

+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.Result;
@@ -61,11 +58,15 @@
 import java.io.OutputStreamWriter;
 import java.io.Writer;
 import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Iterator;
 import java.util.List;
 import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;

 /**
  * @author WS Development Team
@@ -74,6 +75,27 @@
     private final static String LEXICAL_HANDLER_PROPERTY =
         "http://xml.org/sax/properties/lexical-handler";

+    private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+
+    private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
+
+    private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
+
+    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+    private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
+
+    private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
+
+    private static boolean XML_SECURITY_DISABLED = AccessController.doPrivileged(
+            new PrivilegedAction<Boolean>() {
+                @Override
+                public Boolean run() {
+                    return Boolean.getBoolean(DISABLE_XML_SECURITY);
+                }
+            }
+    );
+
     public static String getPrefix(String s) {
         int i = s.indexOf(':');
         if (i == -1)
@@ -317,4 +339,72 @@
             throw exception;
         }
     };
+
+    public static DocumentBuilderFactory newDocumentBuilderFactory() {
+        return newDocumentBuilderFactory(false);
+    }
+
+    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
+        try {
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                factory.setExpandEntityReferences(false);
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
+        } catch (ParserConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
+        }
+        return factory;
+    }
+
+
+    private static boolean isXMLSecurityDisabled(boolean runtimeDisabled) {
+        return XML_SECURITY_DISABLED || runtimeDisabled;
+    }
+
+    public static SAXParserFactory newSAXParserFactory() {
+        return newSAXParserFactory(false);
+    }
+
+    public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
+        SAXParserFactory factory = SAXParserFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
+        boolean issueWarning = false;
+        try {
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
+        } catch (ParserConfigurationException e) {
+            issueWarning = true;
+        } catch (SAXNotRecognizedException e) {
+            issueWarning = true;
+        } catch (SAXNotSupportedException e) {
+            issueWarning = true;
+        }
+        if (issueWarning) {
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
+        }
+        return factory;
+    }
 }