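--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -84,6 +84,14 @@
     private final static String LEXICAL_HANDLER_PROPERTY =
         "http://xml.org/sax/properties/lexical-handler";
 
+    private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+
+    private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
+
+    private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
+
+    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
     private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
 
     private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
@@ -372,15 +380,29 @@
     };
 
     public static DocumentBuilderFactory newDocumentBuilderFactory() {
-        return newDocumentBuilderFactory(true);
+        return newDocumentBuilderFactory(false);
     }
 
-    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
+    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
         try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing));
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                factory.setExpandEntityReferences(false);
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
         } catch (ParserConfigurationException e) {
-            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
         }
         return factory;
     }
@@ -399,12 +421,25 @@
         return newTransformerFactory(true);
     }
 
-    public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
+    public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
         try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
-        } catch (Exception e) {
-            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
+        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
         }
         return factory;
     }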
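Review bot: All four hardening features in newSAXParserFactory are set inside one try, so the first setFeature the factory rejects (DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD are Apache-specific names that a non-Xerces SAXParserFactory may not recognise) skips the remaining EXTERNAL_GE/EXTERNAL_PE/LOAD_EXTERNAL_DTD calls, logs a single warning and still returns the partially hardened factory. Each feature should be attempted independently so an unsupported name costs only that feature; the `if (securityOn)` block in the newDocumentBuilderFactory hunk above has the same structure and would benefit from the same helper (with DocumentBuilderFactory, whose setFeature declares only ParserConfigurationException). Passing the feature name as a `{1}` parameter instead of concatenating it into the MessageFormat pattern also keeps the pattern constant. Separately, the no-arg newDocumentBuilderFactory() now passes `false` under the new disableSecurity polarity while the context line `return newTransformerFactory(true);` keeps the older argument, so it is worth confirming that the no-arg newSAXParserFactory() and newTransformerFactory() overloads, which are outside this hunk, were updated to the new meaning.
```java
            if (securityOn) {
                // try each hardening feature on its own so that one
                // unrecognised feature name does not skip the others
                setFeatureQuietly(factory, DISALLOW_DOCTYPE_DECL, true);
                setFeatureQuietly(factory, EXTERNAL_GE, false);
                setFeatureQuietly(factory, EXTERNAL_PE, false);
                setFeatureQuietly(factory, LOAD_EXTERNAL_DTD, false);
            }
        // … unchanged: catch for FEATURE_SECURE_PROCESSING, return factory …

    /** Sets one feature, logging (rather than propagating) a factory that does not support it. */
    private static void setFeatureQuietly(SAXParserFactory factory, String feature, boolean value) {
        try {
            factory.setFeature(feature, value);
        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support {1} feature!", new Object[]{factory.getClass().getName(), feature});
        }
    }
```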