This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/3.3.x-fixes by this push:
     new 7ada100  Disable external DTD/Schemas in the WadlGenerator
7ada100 is described below

commit 7ada100d79e14368361d51ac8f03def792795da8
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Thu Oct 24 12:36:38 2019 +0100

    Disable external DTD/Schemas in the WadlGenerator
    
    (cherry picked from commit 165c0b1c461bc7c9cd645614d49fce21881b5cfe)
---
 .../org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git 
a/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
 
b/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
index 90e1aca..3573a14 100644
--- 
a/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
+++ 
b/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
@@ -69,6 +69,7 @@ import javax.ws.rs.core.Response;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 import javax.ws.rs.ext.MessageBodyWriter;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.annotation.XmlRootElement;
 import javax.xml.bind.annotation.XmlSeeAlso;
@@ -217,7 +218,7 @@ public class WadlGenerator implements 
ContainerRequestFilter {
         if (extraClasses != null) {
             this.extraClasses = extraClasses;
         }
-    }    
+    }
 
     @Override
     public void filter(ContainerRequestContext context) {
@@ -1299,14 +1300,29 @@ public class WadlGenerator implements 
ContainerRequestFilter {
         StringWriter stringWriter = new StringWriter();
         TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
         
transformerFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
+        try {
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
"");
+            
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException ex) {
+            // ignore
+        }
+
         Transformer transformer = transformerFactory.newTransformer();
         transformer.transform(domSource, new StreamResult(stringWriter));
         return stringWriter.toString();
     }
+
     private String transformLocally(Message m, UriInfo ui, Source source) 
throws Exception {
         InputStream is = ResourceUtils.getResourceStream(stylesheetReference, 
m.getExchange().getBus());
         TransformerFactory transformerFactory = 
TransformerFactory.newInstance();
         
transformerFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
+        try {
+            transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
"");
+            
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException ex) {
+            // ignore
+        }
+
         Transformer t = transformerFactory.newTemplates(new 
StreamSource(is)).newTransformer();
         t.setParameter("base.path", m.get("http.base.path"));
         StringWriter stringWriter = new StringWriter();
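Review bot: Both added `try` blocks (in the method ending at `return stringWriter.toString();` and in `transformLocally`) put the two `setAttribute` calls under one `catch (IllegalArgumentException ex) { // ignore }`, so if the factory rejects `ACCESS_EXTERNAL_DTD` the `ACCESS_EXTERNAL_STYLESHEET` restriction is never attempted, and nothing records that the hardening was skipped. Setting each attribute in its own try and logging the rejection keeps whichever restriction is supported and makes a missing one visible to operators. Since the same six lines are duplicated, a small private helper would serve both call sites; the sketch below leaves the logging call as a comment because the class's logger is not visible in this hunk. The first method starts above the hunk and `transformLocally` continues past it.

```java
// … unchanged: TransformerFactory.newInstance() and FEATURE_SECURE_PROCESSING …
restrictExternalAccess(transformerFactory, XMLConstants.ACCESS_EXTERNAL_DTD);
restrictExternalAccess(transformerFactory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
// … unchanged: newTransformer() / newTemplates() and the transform …

private static void restrictExternalAccess(TransformerFactory factory, String attribute) {
    try {
        // An empty value denies every protocol for this kind of external reference.
        factory.setAttribute(attribute, "");
    } catch (IllegalArgumentException ex) {
        // The TransformerFactory implementation does not recognise this attribute.
        // Log it through the class's existing logger so the absent restriction is
        // visible, rather than swallowing it silently.
    }
}
```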
