src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java

changeset 368
0989ad8c0860
parent 286
f50545b5e2f1
child 397
b99d7e355d4b
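--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Thu Apr 04 19:05:24 2013 -0700
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Tue Apr 09 14:51:13 2013 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -37,16 +37,14 @@
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.ErrorHandler;
-import org.xml.sax.SAXException;
-import org.xml.sax.SAXParseException;
-import org.xml.sax.XMLReader;
-import org.xml.sax.InputSource;
+import org.xml.sax.*;
 
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
+import javax.xml.stream.XMLInputFactory;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
@@ -57,6 +55,8 @@
 import javax.xml.transform.sax.TransformerHandler;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.ws.WebServiceException;
+import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPathFactoryConfigurationException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStreamWriter;
@@ -67,6 +67,8 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 
 /**
  * @author WS Development Team
@@ -75,6 +77,15 @@
     private final static String LEXICAL_HANDLER_PROPERTY =
         "http://xml.org/sax/properties/lexical-handler";
 
+    private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
+
+    private static boolean globalSecureXmlProcessingEnabled;
+
+    static {
+        String disableSecureXmlProcessing = System.getProperty("disableSecureXmlProcessing");
+        globalSecureXmlProcessingEnabled = disableSecureXmlProcessing == null || !Boolean.valueOf(disableSecureXmlProcessing);
+    }
+
     public static String getPrefix(String s) {
         int i = s.indexOf(':');
         if (i == -1)
@@ -163,7 +174,7 @@
     }
 
     public static String getTextForNode(Node node) {
-        StringBuffer sb = new StringBuffer();
+        StringBuilder sb = new StringBuilder();
 
         NodeList children = node.getChildNodes();
         if (children.getLength() == 0)
@@ -199,9 +210,9 @@
         }
     }
 
-    static final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+    static final TransformerFactory transformerFactory = newTransformerFactory();
 
-    static final SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
+    static final SAXParserFactory saxParserFactory = newSAXParserFactory(true);
 
     static {
         saxParserFactory.setNamespaceAware(true);
@@ -326,15 +337,81 @@
      * {@link ErrorHandler} that always treat the error as fatal.
      */
     public static final ErrorHandler DRACONIAN_ERROR_HANDLER = new ErrorHandler() {
+        @Override
         public void warning(SAXParseException exception) {
         }
 
+        @Override
         public void error(SAXParseException exception) throws SAXException {
             throw exception;
         }
 
+        @Override
         public void fatalError(SAXParseException exception) throws SAXException {
             throw exception;
         }
     };
+
+    public static DocumentBuilderFactory newDocumentBuilderFactory() {
+        return newDocumentBuilderFactory(true);
+    }
+
+    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessing));
+        } catch (ParserConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+        }
+        return factory;
+    }
+
+    public static TransformerFactory newTransformerFactory(boolean secureXmlProcessingEnabled) {
+        TransformerFactory factory = TransformerFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
+        } catch (TransformerConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+        }
+        return factory;
+    }
+
+    public static TransformerFactory newTransformerFactory() {
+        return newTransformerFactory(true);
+    }
+
+    public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
+        SAXParserFactory factory = SAXParserFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
+        } catch (Exception e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+        }
+        return factory;
+    }
+
+    public static XPathFactory newXPathFactory(boolean secureXmlProcessingEnabled) {
+        XPathFactory factory = XPathFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, checkGlobalOverride(secureXmlProcessingEnabled));
+        } catch (XPathFactoryConfigurationException e) {
+            LOGGER.log(Level.WARNING, "Factory [{}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+        }
+        return factory;
+    }
+
+    public static XMLInputFactory newXMLInputFactory(boolean secureXmlProcessingEnabled)  {
+        XMLInputFactory factory = XMLInputFactory.newInstance();
+        if (checkGlobalOverride(secureXmlProcessingEnabled)) {
+            // TODO-Miran: are those apppropriate defaults?
+            factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+            factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        }
+        return factory;
+    }
+
+    private static boolean checkGlobalOverride(boolean localSecureXmlProcessingEnabled) {
+        return globalSecureXmlProcessingEnabled && localSecureXmlProcessingEnabled;
+    }
+
 }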
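Review bot: The new factory helpers in the last hunk (`newDocumentBuilderFactory(boolean)`, `newTransformerFactory(boolean)`, `newSAXParserFactory(boolean)`, `newXPathFactory(boolean)`) fail open: when `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, ...)` throws, they log a warning and still return the unhardened factory, so a caller that asked for secure processing cannot tell it did not get it. The warning also uses the `{}` placeholder, which `java.util.logging` does not expand, so the factory class name is never printed; the message should read `"Factory [{0}] doesn't support secure xml processing!"`. Consider rethrowing when the effective value was `true`, e.g. `throw new IllegalStateException("secure XML processing unsupported by " + factory.getClass().getName(), e);`, and narrowing the `catch (Exception e)` in `newSAXParserFactory` to the `ParserConfigurationException` and `SAXException` types that `setFeature` declares. Only `newXMLInputFactory` turns off DTDs and external entities explicitly; whether `FEATURE_SECURE_PROCESSING` alone blocks DOCTYPE and external-entity resolution for the DOM and SAX factories depends on the JAXP implementation and should be confirmed.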
