Author: dkulp
Date: Tue May 25 17:52:01 2010
New Revision: 948131
URL: http://svn.apache.org/viewvc?rev=948131&view=rev
Log:
Turn off DTD and Entity expansion stuff in the XMLStreamReaders
Modified:
cxf/trunk/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java
Modified:
cxf/trunk/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java?rev=948131&r1=948130&r2=948131&view=diff
==============================================================================
---
cxf/trunk/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java
(original)
+++
cxf/trunk/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java
Tue May 25 17:52:01 2010
@@ -38,6 +38,7 @@ import javax.xml.stream.Location;
import javax.xml.stream.StreamFilter;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
@@ -136,8 +137,7 @@ public final class StaxUtils {
private static XMLInputFactory getXMLInputFactory() {
XMLInputFactory f = NS_AWARE_INPUT_FACTORY_POOL.poll();
if (f == null) {
- f = XMLInputFactory.newInstance();
- f.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
+ f = createXMLInputFactory(true);
}
return f;
}
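Review bot: Only the `f == null` branch goes through the hardened `createXMLInputFactory(true)`; a factory obtained from `NS_AWARE_INPUT_FACTORY_POOL.poll()` is returned as it is. The guarantee therefore depends on the code that hands factories back to the pool, which is outside this hunk: the pool should only ever receive factories built by `createXMLInputFactory`, and no borrower should change properties or the resolver before returning one. A comment on the pool field would record that invariant, e.g. `// holds only factories from createXMLInputFactory(true); borrowers must not reconfigure them`.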
@@ -166,6 +166,16 @@ public final class StaxUtils {
public static XMLInputFactory createXMLInputFactory(boolean nsAware) {
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, nsAware);
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+ factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
Boolean.FALSE);
+ factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
Boolean.FALSE);
+ factory.setXMLResolver(new XMLResolver() {
+ public Object resolveEntity(String publicID, String systemID,
+ String baseURI, String namespace)
+ throws XMLStreamException {
+ throw new XMLStreamException("Reading external entities is
disabled");
+ }
+ });
return factory;
}
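Review bot: `createXMLInputFactory` is public, yet nothing on it tells callers that the returned factory now refuses DTDs and external entities; a Javadoc line such as `Returns a factory with DTD support, entity replacement and external entity resolution disabled; the installed resolver throws on any external entity.` would record the contract this commit introduces. With `IS_REPLACING_ENTITY_REFERENCES` set to false, a reader can report internal entity references as `ENTITY_REFERENCE` events instead of expanded text, so it is worth confirming that the code consuming these readers (not visible here) rejects or handles that event instead of silently dropping it. The throwing `XMLResolver` holds no state and could be one `private static final` constant in place of a new anonymous instance per factory. A regression test that pushes a document with a DOCTYPE and an external entity through a reader from this factory would keep the hardening from eroding.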
Modified:
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java
URL:
http://svn.apache.org/viewvc/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java?rev=948131&r1=948130&r2=948131&view=diff
==============================================================================
---
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java
(original)
+++
cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java
Tue May 25 17:52:01 2010
@@ -24,12 +24,12 @@ import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
-import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
+import org.apache.cxf.staxutils.StaxUtils;
import org.apache.xmlbeans.XmlObject;
/**
@@ -61,7 +61,7 @@ public class XMLBeanStreamSerializer {
xObj.save(tmpFile);
InputStream tmpIn = new FileInputStream(tmpFile);
- XMLStreamReader rdr =
XMLInputFactory.newInstance().createXMLStreamReader(tmpIn);
+ XMLStreamReader rdr = StaxUtils.createXMLStreamReader(tmpIn);
while (rdr.hasNext()) {