Mercurial > hg > openjdk > jdk8u > jaxws
changeset 1397:4c06ef2757de jdk8u151-b03
Merge
author | asaha |
---|---|
date | Mon, 26 Jun 2017 14:56:09 -0700 |
parents | ac9019089b0d (current diff) e50530b9dcda (diff) |
children | cb9db45ecdc5 04a80aaab394 b0b07a36bfac |
files | .hgtags |
diffstat | 4 files changed, 52 insertions(+), 19 deletions(-) [+] |
line wrap: on
line diff
--- a/.hgtags Mon Jun 19 14:50:40 2017 -0700 +++ b/.hgtags Mon Jun 26 14:56:09 2017 -0700 @@ -700,6 +700,7 @@ 7f1844127578d6726da60f6813bfa9206b57dda9 jdk8u141-b11 d8134565e6c8cab3ccd0e356c787e0aa75ef68ee jdk8u141-b12 27d35df45162afdf75b76983fcf11e1cbf2e3001 jdk8u141-b13 +65d3b0e445513e024157635b970660b1e7211937 jdk8u141-b14 eb09a34966f43c62cb286c78c10dc722fd12d884 jdk8u151-b00 c59814f445e808150326012d911b5b4d8caa025b jdk8u151-b01 d3dec37780f84151b08c03a6a8cba7d68bde0f80 jdk8u151-b02
--- a/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java Mon Jun 19 14:50:40 2017 -0700 +++ b/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java Mon Jun 26 14:56:09 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -112,15 +112,13 @@ this.entityResolver = entityResolver; this.errorReceiver = errReceiver; this.logic = logic; + // secure xml processing can be switched off if input requires it + boolean disableXmlSecurity = options == null ? false : options.disableXmlSecurity; + + DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(disableXmlSecurity); + this.parserFactory = XmlUtil.newSAXParserFactory(disableXmlSecurity); try { - // secure xml processing can be switched off if input requires it - boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity; - DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(secureProcessingEnabled); - dbf.setNamespaceAware(true); this.documentBuilder = dbf.newDocumentBuilder(); - - this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled); - this.parserFactory.setNamespaceAware(true); } catch (ParserConfigurationException e) { throw new AssertionError(e); }
--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java Mon Jun 19 14:50:40 2017 -0700 +++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java Mon Jun 26 14:56:09 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -57,7 +57,6 @@ if (db == null) { try { DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(); - dbf.setNamespaceAware(true); db = dbf.newDocumentBuilder(); } catch (ParserConfigurationException e) { throw new FactoryConfigurationError(e);
--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Mon Jun 19 14:50:40 2017 -0700 +++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Mon Jun 26 14:56:09 2017 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -84,6 +84,14 @@ private final static String LEXICAL_HANDLER_PROPERTY = "http://xml.org/sax/properties/lexical-handler"; + private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl"; + + private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities"; + + private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities"; + + private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; + private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName()); private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity"; @@ -372,15 +380,29 @@ }; public static DocumentBuilderFactory newDocumentBuilderFactory() { - return newDocumentBuilderFactory(true); + return newDocumentBuilderFactory(false); } - public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) { + public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING; try { - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing)); + boolean securityOn = !isXMLSecurityDisabled(disableSecurity); + factory.setFeature(featureToSet, securityOn); + factory.setNamespaceAware(true); + if (securityOn) { + factory.setExpandEntityReferences(false); + featureToSet = DISALLOW_DOCTYPE_DECL; + factory.setFeature(featureToSet, true); + featureToSet = EXTERNAL_GE; + factory.setFeature(featureToSet, false); + featureToSet = EXTERNAL_PE; + factory.setFeature(featureToSet, false); + featureToSet = LOAD_EXTERNAL_DTD; + factory.setFeature(featureToSet, false); + } } catch (ParserConfigurationException e) { - LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} ); } return factory; } @@ -399,12 +421,25 @@ return newTransformerFactory(true); } - public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) { + public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) { SAXParserFactory factory = SAXParserFactory.newInstance(); + String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING; try { - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled)); - } catch (Exception e) { - LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); + boolean securityOn = !isXMLSecurityDisabled(disableSecurity); + factory.setFeature(featureToSet, securityOn); + factory.setNamespaceAware(true); + if (securityOn) { + featureToSet = DISALLOW_DOCTYPE_DECL; + factory.setFeature(featureToSet, true); + featureToSet = EXTERNAL_GE; + factory.setFeature(featureToSet, false); + featureToSet = EXTERNAL_PE; + factory.setFeature(featureToSet, false); + featureToSet = LOAD_EXTERNAL_DTD; + factory.setFeature(featureToSet, false); + } + } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) { + LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()}); } return factory; }