1 /* |
1 /* |
2 * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
82 private static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; |
82 private static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema"; |
83 |
83 |
84 private final static String LEXICAL_HANDLER_PROPERTY = |
84 private final static String LEXICAL_HANDLER_PROPERTY = |
85 "http://xml.org/sax/properties/lexical-handler"; |
85 "http://xml.org/sax/properties/lexical-handler"; |
86 |
86 |
|
87 private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl"; |
|
88 |
|
89 private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities"; |
|
90 |
|
91 private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities"; |
|
92 |
|
93 private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd"; |
|
94 |
87 private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName()); |
95 private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName()); |
88 |
96 |
89 private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity"; |
97 private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity"; |
90 |
98 |
91 private static boolean XML_SECURITY_DISABLED = AccessController.doPrivileged( |
99 private static boolean XML_SECURITY_DISABLED = AccessController.doPrivileged( |
370 throw exception; |
378 throw exception; |
371 } |
379 } |
372 }; |
380 }; |
373 |
381 |
374 public static DocumentBuilderFactory newDocumentBuilderFactory() { |
382 public static DocumentBuilderFactory newDocumentBuilderFactory() { |
375 return newDocumentBuilderFactory(true); |
383 return newDocumentBuilderFactory(false); |
376 } |
384 } |
377 |
385 |
378 public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) { |
386 public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) { |
379 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); |
387 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); |
380 try { |
388 String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING; |
381 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing)); |
389 try { |
|
390 boolean securityOn = !isXMLSecurityDisabled(disableSecurity); |
|
391 factory.setFeature(featureToSet, securityOn); |
|
392 factory.setNamespaceAware(true); |
|
393 if (securityOn) { |
|
394 factory.setExpandEntityReferences(false); |
|
395 featureToSet = DISALLOW_DOCTYPE_DECL; |
|
396 factory.setFeature(featureToSet, true); |
|
397 featureToSet = EXTERNAL_GE; |
|
398 factory.setFeature(featureToSet, false); |
|
399 featureToSet = EXTERNAL_PE; |
|
400 factory.setFeature(featureToSet, false); |
|
401 featureToSet = LOAD_EXTERNAL_DTD; |
|
402 factory.setFeature(featureToSet, false); |
|
403 } |
382 } catch (ParserConfigurationException e) { |
404 } catch (ParserConfigurationException e) { |
383 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } ); |
405 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} ); |
384 } |
406 } |
385 return factory; |
407 return factory; |
386 } |
408 } |
387 |
409 |
388 public static TransformerFactory newTransformerFactory(boolean secureXmlProcessingEnabled) { |
410 public static TransformerFactory newTransformerFactory(boolean secureXmlProcessingEnabled) { |
397 |
419 |
398 public static TransformerFactory newTransformerFactory() { |
420 public static TransformerFactory newTransformerFactory() { |
399 return newTransformerFactory(true); |
421 return newTransformerFactory(true); |
400 } |
422 } |
401 |
423 |
402 public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) { |
424 public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) { |
403 SAXParserFactory factory = SAXParserFactory.newInstance(); |
425 SAXParserFactory factory = SAXParserFactory.newInstance(); |
404 try { |
426 String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING; |
405 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled)); |
427 try { |
406 } catch (Exception e) { |
428 boolean securityOn = !isXMLSecurityDisabled(disableSecurity); |
407 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()}); |
429 factory.setFeature(featureToSet, securityOn); |
|
430 factory.setNamespaceAware(true); |
|
431 if (securityOn) { |
|
432 featureToSet = DISALLOW_DOCTYPE_DECL; |
|
433 factory.setFeature(featureToSet, true); |
|
434 featureToSet = EXTERNAL_GE; |
|
435 factory.setFeature(featureToSet, false); |
|
436 featureToSet = EXTERNAL_PE; |
|
437 factory.setFeature(featureToSet, false); |
|
438 featureToSet = LOAD_EXTERNAL_DTD; |
|
439 factory.setFeature(featureToSet, false); |
|
440 } |
|
441 } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) { |
|
442 LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()}); |
408 } |
443 } |
409 return factory; |
444 return factory; |
410 } |
445 } |
411 |
446 |
412 public static XPathFactory newXPathFactory(boolean secureXmlProcessingEnabled) { |
447 public static XPathFactory newXPathFactory(boolean secureXmlProcessingEnabled) { |