1.1 --- a/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/unmarshaller/UnmarshallerImpl.java Thu Apr 04 19:05:24 2013 -0700
1.2 +++ b/src/share/jaxws_classes/com/sun/xml/internal/bind/v2/runtime/unmarshaller/UnmarshallerImpl.java Tue Apr 09 14:51:13 2013 +0100
1.3 @@ -1,5 +1,5 @@
1.4 /*
1.5 - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
1.6 + * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
1.7 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
1.8 *
1.9 * This code is free software; you can redistribute it and/or modify it
1.10 @@ -60,8 +60,11 @@
1.11 import com.sun.xml.internal.bind.v2.runtime.AssociationMap;
1.12 import com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl;
1.13 import com.sun.xml.internal.bind.v2.runtime.JaxBeanInfo;
1.14 +import com.sun.xml.internal.bind.v2.util.XmlFactory;
1.15
1.16 import java.io.Closeable;
1.17 +import javax.xml.parsers.ParserConfigurationException;
1.18 +import javax.xml.parsers.SAXParserFactory;
1.19 import org.w3c.dom.Document;
1.20 import org.w3c.dom.Element;
1.21 import org.w3c.dom.Node;
1.22 @@ -80,7 +83,7 @@
1.23 * @author
1.24 * <a href="mailto:kohsuke.kawaguchi@sun.com">Kohsuke KAWAGUCHI</a>
1.25 */
1.26 -public final class UnmarshallerImpl extends AbstractUnmarshallerImpl implements ValidationEventHandler, Closeable
1.27 + public final class UnmarshallerImpl extends AbstractUnmarshallerImpl implements ValidationEventHandler, Closeable
1.28 {
1.29 /** Owning {@link JAXBContext} */
1.30 protected final JAXBContextImpl context;
1.31
@@ -116,10 +119,43 @@
1.32 return getUnmarshallerHandler(true,null);
1.33 }
1.34
1.35 + private XMLReader reader = null;
1.36 +
1.37 + /**
1.38 + * Obtains a configured XMLReader.
1.39 + *
1.40 + * This method is used when the client-specified
1.41 + * {@link SAXSource} object doesn't have XMLReader.
1.42 + *
1.43 + * {@link Unmarshaller} is not re-entrant, so we will
1.44 + * only use one instance of XMLReader.
1.45 + *
1.46 + * Overriden in order to fix potential security issue.
1.47 + */
1.48 + @Override
1.49 + protected XMLReader getXMLReader() throws JAXBException {
1.50 + if (reader == null) {
1.51 + try {
1.52 + SAXParserFactory parserFactory = XmlFactory.createParserFactory(context.disableSecurityProcessing);
1.53 + // there is no point in asking a validation because
1.54 + // there is no guarantee that the document will come with
1.55 + // a proper schemaLocation.
1.56 + parserFactory.setValidating(false);
1.57 + reader = parserFactory.newSAXParser().getXMLReader();
1.58 + } catch (ParserConfigurationException e) {
1.59 + throw new JAXBException(e);
1.60 + } catch (SAXException e) {
1.61 + throw new JAXBException(e);
1.62 + }
1.63 + }
1.64 + return reader;
1.65 + }
1.66 +
1.67 private SAXConnector getUnmarshallerHandler( boolean intern, JaxBeanInfo expectedType ) {
1.68 - XmlVisitor h = createUnmarshallerHandler(null,false,expectedType);
1.69 - if(intern)
1.70 + XmlVisitor h = createUnmarshallerHandler(null, false, expectedType);
1.71 + if (intern) {
1.72 h = new InterningXmlVisitor(h);
1.73 + }
1.74 return new SAXConnector(h,null);
1.75 }
1.76
1.77
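Review bot: The Javadoc sentence `Overriden in order to fix potential security issue.` on the new getXMLReader() does not say what is hardened, and nothing in this hunk configures DOCTYPE or external-entity handling itself: the only setting made here is `parserFactory.setValidating(false)`, which switches validation off but does not stop a document type declaration from being processed. Any protection the reader has therefore comes from `XmlFactory.createParserFactory(context.disableSecurityProcessing)`, whose body is not part of this diff and should be reviewed together with it. I would replace the sentence with `Overridden so that the parser factory comes from XmlFactory, which presumably enables secure processing unless context.disableSecurityProcessing is set.` and add one line saying that a context created with that flag set gets a reader without those limits and is meant for trusted input only.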
@@ -142,11 +178,13 @@
1.78 XmlVisitor unmarshaller = coordinator;
1.79
1.80 // delegate to JAXP 1.3 for validation if the client provided a schema
1.81 - if (schema != null)
1.82 + if (schema != null) {
1.83 unmarshaller = new ValidatingUnmarshaller(schema,unmarshaller);
1.84 + }
1.85
1.86 - if(attachmentUnmarshaller!=null && attachmentUnmarshaller.isXOPPackage())
1.87 + if(attachmentUnmarshaller!=null && attachmentUnmarshaller.isXOPPackage()) {
1.88 unmarshaller = new MTOMDecorator(this,unmarshaller,attachmentUnmarshaller);
1.89 + }
1.90
1.91 return unmarshaller;
1.92 }
1.93 @@ -162,8 +200,9 @@
1.94 }
1.95
1.96 try {
1.97 - if( reader.getFeature("http://xml.org/sax/features/string-interning") )
1.98 + if (reader.getFeature("http://xml.org/sax/features/string-interning")) {
1.99 return false; // no need for intern
1.100 + }
1.101 } catch (SAXException e) {
1.102 // unrecognized/unsupported
1.103 }
1.104 @@ -176,8 +215,9 @@
1.105 }
1.106
1.107 protected <T> JAXBElement<T> unmarshal( XMLReader reader, InputSource source, Class<T> expectedType ) throws JAXBException {
1.108 - if(expectedType==null)
1.109 + if(expectedType==null) {
1.110 throw new IllegalArgumentException();
1.111 + }
1.112 return (JAXBElement)unmarshal0(reader,source,getBeanInfo(expectedType));
1.113 }
1.114
1.115
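Review bot: The parameter `reader` in `unmarshal( XMLReader reader, InputSource source, Class<T> expectedType )` in the @@ -176 hunk now hides the `reader` field that this commit adds next to getXMLReader(), and the same is true of the `XMLStreamReader reader` and `XMLEventReader reader` overloads in the @@ -329 and @@ -364 hunks. The commit renames the locals in unmarshal(Source, ...) and unmarshal0(Source, ...) to `locReader`, apparently to avoid this hiding, but leaves the parameters as they are. Renaming the field instead, for example `private XMLReader cachedXmlReader = null;`, would remove the ambiguity in every method and make the `locReader` renames unnecessary.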
@@ -222,40 +262,44 @@
1.116
1.117 @Override
1.118 public <T> JAXBElement<T> unmarshal( Source source, Class<T> expectedType ) throws JAXBException {
1.119 - if(source instanceof SAXSource) {
1.120 - SAXSource ss = (SAXSource)source;
1.121 + if (source instanceof SAXSource) {
1.122 + SAXSource ss = (SAXSource) source;
1.123
1.124 - XMLReader reader = ss.getXMLReader();
1.125 - if( reader == null )
1.126 - reader = getXMLReader();
1.127 + XMLReader locReader = ss.getXMLReader();
1.128 + if (locReader == null) {
1.129 + locReader = getXMLReader();
1.130 + }
1.131
1.132 - return unmarshal( reader, ss.getInputSource(), expectedType );
1.133 + return unmarshal(locReader, ss.getInputSource(), expectedType);
1.134 }
1.135 - if(source instanceof StreamSource) {
1.136 - return unmarshal( getXMLReader(), streamSourceToInputSource((StreamSource)source), expectedType );
1.137 + if (source instanceof StreamSource) {
1.138 + return unmarshal(getXMLReader(), streamSourceToInputSource((StreamSource) source), expectedType);
1.139 }
1.140 - if(source instanceof DOMSource)
1.141 - return unmarshal( ((DOMSource)source).getNode(), expectedType );
1.142 + if (source instanceof DOMSource) {
1.143 + return unmarshal(((DOMSource) source).getNode(), expectedType);
1.144 + }
1.145
1.146 // we don't handle other types of Source
1.147 throw new IllegalArgumentException();
1.148 }
1.149
1.150 public Object unmarshal0( Source source, JaxBeanInfo expectedType ) throws JAXBException {
1.151 - if(source instanceof SAXSource) {
1.152 - SAXSource ss = (SAXSource)source;
1.153 + if (source instanceof SAXSource) {
1.154 + SAXSource ss = (SAXSource) source;
1.155
1.156 - XMLReader reader = ss.getXMLReader();
1.157 - if( reader == null )
1.158 - reader = getXMLReader();
1.159 + XMLReader locReader = ss.getXMLReader();
1.160 + if (locReader == null) {
1.161 + locReader = getXMLReader();
1.162 + }
1.163
1.164 - return unmarshal0( reader, ss.getInputSource(), expectedType );
1.165 + return unmarshal0(locReader, ss.getInputSource(), expectedType);
1.166 }
1.167 - if(source instanceof StreamSource) {
1.168 - return unmarshal0( getXMLReader(), streamSourceToInputSource((StreamSource)source), expectedType );
1.169 + if (source instanceof StreamSource) {
1.170 + return unmarshal0(getXMLReader(), streamSourceToInputSource((StreamSource) source), expectedType);
1.171 }
1.172 - if(source instanceof DOMSource)
1.173 - return unmarshal0( ((DOMSource)source).getNode(), expectedType );
1.174 + if (source instanceof DOMSource) {
1.175 + return unmarshal0(((DOMSource) source).getNode(), expectedType);
1.176 + }
1.177
1.178 // we don't handle other types of Source
1.179 throw new IllegalArgumentException();
1.180 @@ -283,8 +327,9 @@
1.181
1.182 @Override
1.183 public <T> JAXBElement<T> unmarshal(Node node, Class<T> expectedType) throws JAXBException {
1.184 - if(expectedType==null)
1.185 + if (expectedType == null) {
1.186 throw new IllegalArgumentException();
1.187 + }
1.188 return (JAXBElement)unmarshal0(node,getBeanInfo(expectedType));
1.189 }
1.190
1.191 @@ -305,14 +350,13 @@
1.192 InterningXmlVisitor handler = new InterningXmlVisitor(createUnmarshallerHandler(null,false,expectedType));
1.193 scanner.setContentHandler(new SAXConnector(handler,scanner));
1.194
1.195 - if(node.getNodeType() == Node.ELEMENT_NODE)
1.196 + if(node.getNodeType() == Node.ELEMENT_NODE) {
1.197 scanner.scan((Element)node);
1.198 - else
1.199 - if(node.getNodeType() == Node.DOCUMENT_NODE)
1.200 + } else if(node.getNodeType() == Node.DOCUMENT_NODE) {
1.201 scanner.scan((Document)node);
1.202 - else
1.203 - // no other type of input is supported
1.204 + } else {
1.205 throw new IllegalArgumentException("Unexpected node type: "+node);
1.206 + }
1.207
1.208 Object retVal = handler.getContext().getResult();
1.209 handler.getContext().clearResult();
1.210
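Review bot: In the @@ -222 hunk, both unmarshal(Source, Class) and unmarshal0(Source, JaxBeanInfo) fall back to getXMLReader() only when `ss.getXMLReader()` returns null, so an XMLReader that the caller attached to the SAXSource is used with whatever settings the caller gave it. That is probably intended, but it means the reader configuration added by this commit does not cover that path, and the code does not say so. I would add a comment above each null check, `// a caller-supplied XMLReader is used as-is; only the reader created by getXMLReader() gets the XmlFactory configuration`, and repeat the caveat in the getXMLReader() Javadoc. The closing brace of unmarshal0 lies outside the hunk.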
@@ -329,8 +373,9 @@
1.211
1.212 @Override
1.213 public <T> JAXBElement<T> unmarshal(XMLStreamReader reader, Class<T> expectedType) throws JAXBException {
1.214 - if(expectedType==null)
1.215 + if (expectedType==null) {
1.216 throw new IllegalArgumentException();
1.217 + }
1.218 return (JAXBElement)unmarshal0(reader,getBeanInfo(expectedType));
1.219 }
1.220
1.221 @@ -364,8 +409,9 @@
1.222
1.223 @Override
1.224 public <T> JAXBElement<T> unmarshal(XMLEventReader reader, Class<T> expectedType) throws JAXBException {
1.225 - if(expectedType==null)
1.226 + if(expectedType==null) {
1.227 throw new IllegalArgumentException();
1.228 + }
1.229 return (JAXBElement)unmarshal0(reader,getBeanInfo(expectedType));
1.230 }
1.231
1.232 @@ -393,8 +439,9 @@
1.233 // Quick hack until SJSXP fixes 6270116
1.234 boolean isZephyr = reader.getClass().getName().equals("com.sun.xml.internal.stream.XMLReaderImpl");
1.235 XmlVisitor h = createUnmarshallerHandler(null,false,expectedType);
1.236 - if(!isZephyr)
1.237 + if(!isZephyr) {
1.238 h = new InterningXmlVisitor(h);
1.239 + }
1.240 new StAXEventConnector(reader,h).bridge();
1.241 return h.getContext().getResult();
1.242 } catch (XMLStreamException e) {
1.243 @@ -414,10 +461,12 @@
1.244 // So we unwrap them here. But we don't want to unwrap too eagerly, because
1.245 // that could throw away some meaningful exception information.
1.246 Throwable ne = e.getNestedException();
1.247 - if(ne instanceof JAXBException)
1.248 + if(ne instanceof JAXBException) {
1.249 return (JAXBException)ne;
1.250 - if(ne instanceof SAXException)
1.251 + }
1.252 + if(ne instanceof SAXException) {
1.253 return new UnmarshalException(ne);
1.254 + }
1.255 return new UnmarshalException(e);
1.256 }
1.257
1.258
@@ -490,20 +539,22 @@
1.259
1.260 @Override
1.261 public <A extends XmlAdapter> void setAdapter(Class<A> type, A adapter) {
1.262 - if(type==null)
1.263 + if (type==null) {
1.264 throw new IllegalArgumentException();
1.265 + }
1.266 coordinator.putAdapter(type,adapter);
1.267 }
1.268
1.269 @Override
1.270 public <A extends XmlAdapter> A getAdapter(Class<A> type) {
1.271 - if(type==null)
1.272 + if(type==null) {
1.273 throw new IllegalArgumentException();
1.274 - if(coordinator.containsAdapter(type))
1.275 - // so as not to create a new instance when this method is called
1.276 + }
1.277 + if(coordinator.containsAdapter(type)) {
1.278 return coordinator.getAdapter(type);
1.279 - else
1.280 + } else {
1.281 return null;
1.282 + }
1.283 }
1.284
1.285 // opening up for public use
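Review bot: The rewrite of getAdapter drops the comment `// so as not to create a new instance when this method is called`, which was the only explanation of why `coordinator.containsAdapter(type)` is checked before `coordinator.getAdapter(type)`. Without it the check looks redundant, and a later cleanup could collapse the method to `return coordinator.getAdapter(type);`, which, going by the removed comment, would create an adapter instance as a side effect. I would keep the comment as the first line inside the new `if(coordinator.containsAdapter(type)) {` block.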