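--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Thu Apr 04 19:05:24 2013 -0700
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Tue Apr 09 14:51:13 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,16 +37,14 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.ErrorHandler;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
-import org.xml.sax.XMLReader;
-import org.xml.sax.InputSource;
+import org.xml.sax.*;
 
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
+import javax.xml.stream.XMLInputFactory;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@@ -57,6 +55,8 @@
 import javax.xml.transform.sax.TransformerHandler;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.ws.WebServiceException;
+import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPathFactoryConfigurationException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStreamWriter;
@@ -67,6 +67,8 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * @author WS Development Team
@@ -75,6 +77,15 @@
     private final static String LEXICAL_HANDLER_PROPERTY =
         "http://xml.org/sax/properties/lexical-handler";
 
+    private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
+
+    private static boolean globalSecureXmlProcessingEnabled;
+
+    static {
+        String disableSecureXmlProcessing = System.getProperty("disableSecureXmlProcessing");
+        globalSecureXmlProcessingEnabled = disableSecureXmlProcessing == null || !Boolean.valueOf(disableSecureXmlProcessing);
+    }
+
     public static String getPrefix(String s) {
         int i = s.indexOf(':');
         if (i == -1)
@@ -163,7 +174,7 @@
     }
 
     public static String getTextForNode(Node node) {
-        StringBuffer sb = new StringBuffer();
+        StringBuilder sb = new StringBuilder();
 
         NodeList children = node.getChildNodes();
         if (children.getLength() == 0)
@@ -199,9 +210,9 @@
         }
     }
 
-    static final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    static final TransformerFactory transformerFactory = newTransformerFactory();
 
-    static final SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
+    static final SAXParserFactory saxParserFactory = newSAXParserFactory(true);
 
     static {
         saxParserFactory.setNamespaceAware(true);
@@ -326,15 +337,81 @@
      * {@link ErrorHandler} that always treat the error as fatal.
      */
     public static final ErrorHandler DRACONIAN_ERROR_HANDLER = new ErrorHandler() {
+        @Override
         public void warning(SAXParseException exception) {
         }
 
+        @Override
         public void error(SAXParseException exception) throws SAXException {
             throw exception;
         }
 
+        @Override
         public void fatalError(SAXParseException exception) throws SAXException {
             throw exception;
         }
     };
+
+    public static DocumentBuilderFactory newDocumentBuilderFactory() {
+        return newDocumentBuilderFactory(true);
+    }
+
+    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessing));
+        } catch (ParserConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+        }
+        return factory;
+    }
+
+    public static TransformerFactory newTransformerFactory(boolean secureXmlProcessingEnabled) {
+        TransformerFactory factory = TransformerFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
+        } catch (TransformerConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+        }
+        return factory;
+    }
+
+    public static TransformerFactory newTransformerFactory() {
+        return newTransformerFactory(true);
+    }
+
+    public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
+        SAXParserFactory factory = SAXParserFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
+        } catch (Exception e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+        }
+        return factory;
+    }
+
+    public static XPathFactory newXPathFactory(boolean secureXmlProcessingEnabled) {
+        XPathFactory factory = XPathFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
+        } catch (XPathFactoryConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+        }
+        return factory;
+    }
+
+    public static XMLInputFactory newXMLInputFactory(boolean secureXmlProcessingEnabled) {
+        XMLInputFactory factory = XMLInputFactory.newInstance();
+        if (checkGlobalOverride(secureXmlProcessingEnabled)) {
+            // TODO-Miran: are those apppropriate defaults?
+            factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        }
+        return factory;
+    }
+
+    private static boolean checkGlobalOverride(boolean localSecureXmlProcessingEnabled) {
+        return globalSecureXmlProcessingEnabled && localSecureXmlProcessingEnabled;
+    }
+
 }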
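Review bot: `XMLConstants.FEATURE_SECURE_PROCESSING` on its own, as set in `newDocumentBuilderFactory(boolean)` and `newSAXParserFactory(boolean)`, is a weaker XXE defence than what `newXMLInputFactory` applies a few lines below: the StAX factory explicitly turns off `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES`, while the secure-processing feature primarily bounds entity expansion and resource limits and, depending on the JAXP implementation in use, does not by itself stop DOCTYPE processing or external-entity resolution, so the DOM/SAX paths end up with a different policy than the StAX path. If callers of these two factories do not need DOCTYPEs, add inside the existing try block, after the secure-processing line, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", checkGlobalOverride(secureXmlProcessing));` (or, where DTDs must remain allowed, set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to `false`), and mirror the same lines in `newSAXParserFactory`. Separately, the four `LOGGER.log(Level.WARNING, "Factory [{}] ...", new Object[]{...})` calls use an SLF4J-style `{}` placeholder, but `java.util.logging` only substitutes parameters through `MessageFormat` when the message contains `{0}`-style indices, so the factory class name is never printed and the warning reads literally `Factory [{}] doesn't support secure xml processing!`; the placeholder should be `{0}`. `newSAXParserFactory` also catches `Exception` where its siblings catch the specific configuration exceptions; `SAXParserFactory.setFeature` declares `ParserConfigurationException`, `SAXNotRecognizedException` and `SAXNotSupportedException` (all already in scope via `org.xml.sax.*`), and catching those keeps an unexpected runtime failure from being downgraded to a warning. The `TODO-Miran` comment in `newXMLInputFactory` should be resolved before this ships, e.g. replaced with `// Disable DTDs and external entities by default to prevent XXE; callers that need DTDs pass secureXmlProcessingEnabled=false.`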