Repository: cayenne
Updated Branches:
  refs/heads/STABLE-3.1 1e9c4837d -> bf01e60ec


Disable XML external entities


Project: http://git-wip-us.apache.org/repos/asf/cayenne/repo
Commit: http://git-wip-us.apache.org/repos/asf/cayenne/commit/5714108e
Tree: http://git-wip-us.apache.org/repos/asf/cayenne/tree/5714108e
Diff: http://git-wip-us.apache.org/repos/asf/cayenne/diff/5714108e

Branch: refs/heads/STABLE-3.1
Commit: 5714108e8a4dabbc89957f562ad46035064ef731
Parents: 1e9c483
Author: Nikita Timofeev <stari...@gmail.com>
Authored: Tue Jul 10 17:21:11 2018 +0300
Committer: Nikita Timofeev <stari...@gmail.com>
Committed: Tue Jul 10 17:21:11 2018 +0300

----------------------------------------------------------------------
 .../src/main/java/org/apache/cayenne/util/Util.java      |  3 +++
 .../src/main/java/org/apache/cayenne/xml/XMLUtil.java    | 11 +++++++++++
 .../org/apache/cayenne/project/unit/Project2Case.java    | 11 +++++++++++
 3 files changed, 25 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cayenne/blob/5714108e/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/util/Util.java
----------------------------------------------------------------------
diff --git 
a/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/util/Util.java
 
b/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/util/Util.java
index f926430..429258c 100644
--- 
a/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/util/Util.java
+++ 
b/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/util/Util.java
@@ -402,6 +402,9 @@ public class Util {
 
         // Create a JAXP SAXParser
         SAXParser saxParser = spf.newSAXParser();
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        
spf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+        
spf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
 
         // Get the encapsulated SAX XMLReader
         XMLReader reader = saxParser.getXMLReader();
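Review bot: The three `spf.setFeature(...)` calls are added after `SAXParser saxParser = spf.newSAXParser();`, so the parser on the context line above was created before the factory was hardened. JAXP factory features apply to parsers created afterwards, so the `reader` taken from `saxParser.getXMLReader()` most likely still accepts DOCTYPE declarations and external entities. Move the three calls above `spf.newSAXParser()`, or set the same features on the reader itself, e.g. `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The enclosing method starts and ends outside the hunk, so any earlier configuration of `spf` is not visible here.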

http://git-wip-us.apache.org/repos/asf/cayenne/blob/5714108e/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/xml/XMLUtil.java
----------------------------------------------------------------------
diff --git 
a/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/xml/XMLUtil.java
 
b/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/xml/XMLUtil.java
index 4982d3e..8dcd4b9 100644
--- 
a/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/xml/XMLUtil.java
+++ 
b/framework/cayenne-jdk1.5-unpublished/src/main/java/org/apache/cayenne/xml/XMLUtil.java
@@ -59,6 +59,17 @@ class XMLUtil {
     static DocumentBuilder newBuilder() throws CayenneRuntimeException {
         if (sharedFactory == null) {
             sharedFactory = DocumentBuilderFactory.newInstance();
+            sharedFactory.setNamespaceAware(false);
+            sharedFactory.setExpandEntityReferences(false);
+            sharedFactory.setXIncludeAware(false);
+            try {
+                
sharedFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
+                
sharedFactory.setFeature("http://xml.org/sax/features/external-general-entities";,
 false);
+                
sharedFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";,
 false);
+                
sharedFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+            } catch (ParserConfigurationException ex) {
+                throw new CayenneRuntimeException("Unable to configure 
DocumentBuilderFactory", ex);
+            }
         }
 
         try {
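Review bot: `sharedFactory` is assigned before it is configured, so if any `setFeature` call throws `ParserConfigurationException`, the static field keeps a factory that is only partly hardened. The next call to `newBuilder()` then skips the `if (sharedFactory == null)` block and builds from that factory without raising an error, so the failure is loud only once. Configure a local first, `DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`, and publish it with `sharedFactory = factory;` only after the try block completes. The lazy initialisation also has no synchronisation visible in the hunk, and the rest of `newBuilder()` lies outside it.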

http://git-wip-us.apache.org/repos/asf/cayenne/blob/5714108e/framework/cayenne-project/src/test/java/org/apache/cayenne/project/unit/Project2Case.java
----------------------------------------------------------------------
diff --git 
a/framework/cayenne-project/src/test/java/org/apache/cayenne/project/unit/Project2Case.java
 
b/framework/cayenne-project/src/test/java/org/apache/cayenne/project/unit/Project2Case.java
index 4252b18..07f122d 100644
--- 
a/framework/cayenne-project/src/test/java/org/apache/cayenne/project/unit/Project2Case.java
+++ 
b/framework/cayenne-project/src/test/java/org/apache/cayenne/project/unit/Project2Case.java
@@ -42,6 +42,17 @@ public class Project2Case extends TestCase {
      */
     protected Document toDOMTree(File file) {
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setNamespaceAware(false);
+        dbf.setExpandEntityReferences(false);
+        dbf.setXIncludeAware(false);
+        try {
+            
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
+            
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+            
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+        } catch (ParserConfigurationException ex) {
+            throw new RuntimeException("Unable to configure 
DocumentBuilderFactory", ex);
+        }
         DocumentBuilder domParser;
         try {
             domParser = dbf.newDocumentBuilder();
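Review bot: The hardening block in `toDOMTree` is a line-for-line copy of the one added to `XMLUtil.newBuilder()`, so the feature URIs now live in several places that can drift apart. Consider a small test-side helper that returns a configured `DocumentBuilderFactory`, with a comment such as `// XXE hardening: no DOCTYPE, no external entities, no external DTD loading`. The commit also adds no test that checks the hardening itself; a case that feeds a document containing a DOCTYPE declaration and expects parsing to fail would catch a regression. The method body continues outside the hunk.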
