src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java

changeset 1386
65d3b0e44551
parent 721
06807f9a6835
child 1435
a90b319bae7a
     1.1 --- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Mon Jun 12 23:06:50 2017 -0700
     1.2 +++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Sun Jun 25 00:13:53 2017 +0100
     1.3 @@ -1,5 +1,5 @@
     1.4  /*
     1.5 - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
     1.6 + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
     1.7   * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
     1.8   *
     1.9   * This code is free software; you can redistribute it and/or modify it
    1.10 @@ -84,6 +84,14 @@
    1.11      private final static String LEXICAL_HANDLER_PROPERTY =
    1.12          "http://xml.org/sax/properties/lexical-handler";
    1.13  
    1.14 +    private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
    1.15 +
    1.16 +    private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
    1.17 +
    1.18 +    private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
    1.19 +
    1.20 +    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    1.21 +
    1.22      private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
    1.23  
    1.24      private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
    1.25 @@ -372,15 +380,29 @@
    1.26      };
    1.27  
    1.28      public static DocumentBuilderFactory newDocumentBuilderFactory() {
    1.29 -        return newDocumentBuilderFactory(true);
    1.30 +        return newDocumentBuilderFactory(false);
    1.31      }
    1.32  
    1.33 -    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
    1.34 +    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
    1.35          DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    1.36 +        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
    1.37          try {
    1.38 -            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing));
    1.39 +            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
    1.40 +            factory.setFeature(featureToSet, securityOn);
    1.41 +            factory.setNamespaceAware(true);
    1.42 +            if (securityOn) {
    1.43 +                factory.setExpandEntityReferences(false);
    1.44 +                featureToSet = DISALLOW_DOCTYPE_DECL;
    1.45 +                factory.setFeature(featureToSet, true);
    1.46 +                featureToSet = EXTERNAL_GE;
    1.47 +                factory.setFeature(featureToSet, false);
    1.48 +                featureToSet = EXTERNAL_PE;
    1.49 +                factory.setFeature(featureToSet, false);
    1.50 +                featureToSet = LOAD_EXTERNAL_DTD;
    1.51 +                factory.setFeature(featureToSet, false);
    1.52 +            }
    1.53          } catch (ParserConfigurationException e) {
    1.54 -            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
    1.55 +            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
    1.56          }
    1.57          return factory;
    1.58      }
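Review bot: All five `setFeature` calls at L48–L59 share a single try block, so the first URI the JAXP implementation rejects — most likely `DISALLOW_DOCTYPE_DECL` on a parser that is not Xerces-based — throws past the remaining `EXTERNAL_GE`, `EXTERNAL_PE` and `LOAD_EXTERNAL_DTD` calls, and L65 still returns the factory with only a WARNING logged, i.e. the hardening fails open and partially. Attempting each feature independently (helper below) keeps whatever the implementation does support; if a hardened parser is a requirement here, consider failing closed instead of logging. The rename from `secureXmlProcessing` to `disableSecurity` also inverts the meaning of the boolean overload's argument, so any external caller still passing `true` to request secure processing now gets it switched off — `isXMLSecurityDisabled` is outside the hunk, so confirm the callers were updated. Note too that `disallow-doctype-decl` makes any input carrying a DOCTYPE fail to parse, which is the intended entity-expansion mitigation but a behaviour change for documents that legitimately ship DTDs; the `DISABLE_XML_SECURITY` property at L32 appears to be the opt-out and should be documented as such.
```java
    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
        setFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, securityOn);
        factory.setNamespaceAware(true);
        if (securityOn) {
            factory.setExpandEntityReferences(false);
            // each feature is attempted on its own so one unsupported URI
            // does not skip the remaining entity restrictions
            setFeature(factory, DISALLOW_DOCTYPE_DECL, true);
            setFeature(factory, EXTERNAL_GE, false);
            setFeature(factory, EXTERNAL_PE, false);
            setFeature(factory, LOAD_EXTERNAL_DTD, false);
        }
        return factory;
    }

    private static void setFeature(DocumentBuilderFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
        } catch (ParserConfigurationException e) {
            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support {1} feature!",
                    new Object[] {factory.getClass().getName(), feature});
        }
    }
```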
    1.59 @@ -399,12 +421,25 @@
    1.60          return newTransformerFactory(true);
    1.61      }
    1.62  
    1.63 -    public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
    1.64 +    public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
    1.65          SAXParserFactory factory = SAXParserFactory.newInstance();
    1.66 +        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
    1.67          try {
    1.68 -            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
    1.69 -        } catch (Exception e) {
    1.70 -            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
    1.71 +            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
    1.72 +            factory.setFeature(featureToSet, securityOn);
    1.73 +            factory.setNamespaceAware(true);
    1.74 +            if (securityOn) {
    1.75 +                featureToSet = DISALLOW_DOCTYPE_DECL;
    1.76 +                factory.setFeature(featureToSet, true);
    1.77 +                featureToSet = EXTERNAL_GE;
    1.78 +                factory.setFeature(featureToSet, false);
    1.79 +                featureToSet = EXTERNAL_PE;
    1.80 +                factory.setFeature(featureToSet, false);
    1.81 +                featureToSet = LOAD_EXTERNAL_DTD;
    1.82 +                factory.setFeature(featureToSet, false);
    1.83 +            }
    1.84 +        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
    1.85 +            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
    1.86          }
    1.87          return factory;
    1.88      }
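Review bot: The context line `return newTransformerFactory(true);` at L68 is left untouched while the DocumentBuilder no-arg factory was flipped from `true` to `false` in this same commit; unless the TransformerFactory overload (outside this hunk) still uses the old "secure processing enabled" meaning of its boolean, the no-arg transformer factory now requests security off, so that overload should be checked. Within the hunk, L80–L90 have the same single-try shape: the first feature the parser rejects aborts the rest and L95 returns a partially hardened factory behind a WARNING, so each call should be guarded on its own, e.g. `try { factory.setFeature(name, value); } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) { LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support {1} feature!", new Object[] {factory.getClass().getName(), name}); }` in a small private helper. Threading `featureToSet` through as a mutable tracker that is reassigned before every call only exists to make the log message correct and is a style smell the helper removes. Narrowing the old `catch (Exception e)` to the three declared exception types is a welcome change and should be kept.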
