Author: dkulp Date: Wed May 26 15:04:53 2010 New Revision: 948468 URL: http://svn.apache.org/viewvc?rev=948468&view=rev Log: Merged revisions 948162 via svnmerge from https://svn.apache.org/repos/asf/cxf/branches/2.2.x-fixes
................ r948162 | dkulp | 2010-05-25 14:35:11 -0400 (Tue, 25 May 2010) | 9 lines Merged revisions 948131 via svnmerge from https://svn.apache.org/repos/asf/cxf/trunk ........ r948131 | dkulp | 2010-05-25 13:52:01 -0400 (Tue, 25 May 2010) | 1 line Turn off DTD and Entity expansion stuff in the XMLStreamReaders ........ ................ Modified: cxf/branches/2.1.x-fixes/ (props changed) cxf/branches/2.1.x-fixes/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java cxf/branches/2.1.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java Propchange: cxf/branches/2.1.x-fixes/ ------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed May 26 15:04:53 2010
@@ -1,2 +1,2 @@
-/cxf/branches/2.2.x-fixes:908559,908843
+/cxf/branches/2.2.x-fixes:908559,908843,948162
 /cxf/trunk:908549,908779
Propchange: cxf/branches/2.1.x-fixes/ ------------------------------------------------------------------------------ Binary property 'svnmerge-integrated' - no diff available. Modified: cxf/branches/2.1.x-fixes/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java URL: http://svn.apache.org/viewvc/cxf/branches/2.1.x-fixes/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java?rev=948468&r1=948467&r2=948468&view=diff ==============================================================================
--- cxf/branches/2.1.x-fixes/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java (original)
+++ cxf/branches/2.1.x-fixes/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java Wed May 26 15:04:53 2010
@@ -36,6 +36,7 @@ import javax.xml.parsers.ParserConfigura
 import javax.xml.stream.StreamFilter;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLResolver;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
@@ -127,8 +128,7 @@ public final class StaxUtils {
 private static XMLInputFactory getXMLInputFactory() {
 XMLInputFactory f = NS_AWARE_INPUT_FACTORY_POOL.poll();
 if (f == null) {
- f = XMLInputFactory.newInstance();
- f.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
+ f = createXMLInputFactory(true);
 }
 return f;
 }
@@ -157,6 +157,16 @@ public final class StaxUtils {
 public static XMLInputFactory createXMLInputFactory(boolean nsAware) {
 XMLInputFactory factory = XMLInputFactory.newInstance();
 factory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, nsAware);
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+ factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
+ factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+ factory.setXMLResolver(new XMLResolver() {
+ public Object resolveEntity(String publicID, String systemID,
+ String baseURI, String namespace)
+ throws XMLStreamException {
+ throw new XMLStreamException("Reading external entities is disabled");
+ }
+ });
 return factory;
 }
Modified: cxf/branches/2.1.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java URL: http://svn.apache.org/viewvc/cxf/branches/2.1.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java?rev=948468&r1=948467&r2=948468&view=diff ==============================================================================
--- cxf/branches/2.1.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java (original)
+++ cxf/branches/2.1.x-fixes/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java Wed May 26 15:04:53 2010
@@ -24,12 +24,12 @@ import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.XMLStreamWriter;
+import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.xmlbeans.XmlObject;
 /**
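Review bot: `createXMLInputFactory` in StaxUtils.java is public, and the added lines change what every caller receives (no DTD support, entity references not replaced, a resolver that throws on any external lookup) without a comment or Javadoc recording that contract. I would put `// XXE hardening: no DTD support, no entity replacement, external entities refused` above the first new `setProperty` call and state in the method's Javadoc that DTD-dependent input is rejected or left unexpanded by design. With `IS_REPLACING_ENTITY_REFERENCES` off, readers may be handed `ENTITY_REFERENCE` events for internal entities (the exact behaviour probably depends on the StAX implementation in use), so event loops that do not expect that event type deserve a check. The Modified list names only two source files, so nothing in this commit pins the behaviour; a small test that parses a document carrying a DOCTYPE with an external entity through a reader from this factory, and asserts no entity content is read, would keep a later refactor from silently dropping these settings.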
@@ -61,7 +61,7 @@ public class XMLBeanStreamSerializer {
 xObj.save(tmpFile);
 InputStream tmpIn = new FileInputStream(tmpFile);
- XMLStreamReader rdr = XMLInputFactory.newInstance().createXMLStreamReader(tmpIn);
+ XMLStreamReader rdr = StaxUtils.createXMLStreamReader(tmpIn);
 while (rdr.hasNext()) {
