Mon, 26 Jun 2017 22:24:22 -0700
Merge
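--- a/.hgtags
+++ b/.hgtags
@@ -700,6 +700,7 @@
 7f1844127578d6726da60f6813bfa9206b57dda9 jdk8u141-b11
 d8134565e6c8cab3ccd0e356c787e0aa75ef68ee jdk8u141-b12
 27d35df45162afdf75b76983fcf11e1cbf2e3001 jdk8u141-b13
+65d3b0e445513e024157635b970660b1e7211937 jdk8u141-b14
 ea4b3e983ee708f9323d228044176e52526e9e13 jdk8u122-b00
 2e7f62568785adfe695e0c06f2e88c9d369c3b2c jdk8u122-b01
 b97e1b7f3c92b3e9f75e6aa590e0884c3c3ed33f jdk8u122-b02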
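--- a/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java
+++ b/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -112,15 +112,13 @@
 this.entityResolver = entityResolver;
 this.errorReceiver = errReceiver;
 this.logic = logic;
+ // secure xml processing can be switched off if input requires it
+ boolean disableXmlSecurity = options == null ? false : options.disableXmlSecurity;
+
+ DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(disableXmlSecurity);
+ this.parserFactory = XmlUtil.newSAXParserFactory(disableXmlSecurity);
 try {
- // secure xml processing can be switched off if input requires it
- boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
- DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(secureProcessingEnabled);
- dbf.setNamespaceAware(true);
 this.documentBuilder = dbf.newDocumentBuilder();
-
- this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
- this.parserFactory.setNamespaceAware(true);
 } catch (ParserConfigurationException e) {
 throw new AssertionError(e);
 }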
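Review bot: The comment above `disableXmlSecurity` understates what the flag controls after this commit: in XmlUtil the same boolean now gates DOCTYPE rejection and the external-entity and external-DTD features, not only FEATURE_SECURE_PROCESSING. I would reword it to `// disableXmlSecurity also lifts the DOCTYPE and external-entity restrictions applied by XmlUtil; set it only for trusted input`. The ternary on the next line reads more directly as `boolean disableXmlSecurity = options != null && options.disableXmlSecurity;`. The enclosing constructor starts and ends outside the hunk.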
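--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -57,7 +57,6 @@
 if (db == null) {
 try {
 DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory();
- dbf.setNamespaceAware(true);
 db = dbf.newDocumentBuilder();
 } catch (ParserConfigurationException e) {
 throw new FactoryConfigurationError(e);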
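--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -84,6 +84,14 @@
 private final static String LEXICAL_HANDLER_PROPERTY =
 "http://xml.org/sax/properties/lexical-handler";
 
+ private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+
+ private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
+
+ private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
+
+ private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
 private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
 
 private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
@@ -372,15 +380,29 @@
 };
 
 public static DocumentBuilderFactory newDocumentBuilderFactory() {
- return newDocumentBuilderFactory(true);
+ return newDocumentBuilderFactory(false);
 }
 
- public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
+ public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
 try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing));
+ boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+ factory.setFeature(featureToSet, securityOn);
+ factory.setNamespaceAware(true);
+ if (securityOn) {
+ factory.setExpandEntityReferences(false);
+ featureToSet = DISALLOW_DOCTYPE_DECL;
+ factory.setFeature(featureToSet, true);
+ featureToSet = EXTERNAL_GE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = EXTERNAL_PE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = LOAD_EXTERNAL_DTD;
+ factory.setFeature(featureToSet, false);
+ }
 } catch (ParserConfigurationException e) {
- LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+ LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
 }
 return factory;
 }
@@ -399,12 +421,25 @@
 return newTransformerFactory(true);
 }
 
- public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
+ public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
 SAXParserFactory factory = SAXParserFactory.newInstance();
+ String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
 try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
- } catch (Exception e) {
- LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+ boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+ factory.setFeature(featureToSet, securityOn);
+ factory.setNamespaceAware(true);
+ if (securityOn) {
+ featureToSet = DISALLOW_DOCTYPE_DECL;
+ factory.setFeature(featureToSet, true);
+ featureToSet = EXTERNAL_GE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = EXTERNAL_PE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = LOAD_EXTERNAL_DTD;
+ factory.setFeature(featureToSet, false);
+ }
+ } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
+ LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
 }
 return factory;
 }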