This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/master by this push:
new 165c0b1 Disable external DTD/Schemas in the WadlGenerator
165c0b1 is described below
commit 165c0b1c461bc7c9cd645614d49fce21881b5cfe
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Thu Oct 24 12:36:38 2019 +0100
Disable external DTD/Schemas in the WadlGenerator
---
.../org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git
a/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
b/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
index 90e1aca..3573a14 100644
---
a/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
+++
b/rt/rs/description/src/main/java/org/apache/cxf/jaxrs/model/wadl/WadlGenerator.java
@@ -69,6 +69,7 @@ import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.MessageBodyWriter;
+import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlSeeAlso;
@@ -217,7 +218,7 @@ public class WadlGenerator implements
ContainerRequestFilter {
if (extraClasses != null) {
this.extraClasses = extraClasses;
}
- }
+ }
@Override
public void filter(ContainerRequestContext context) {
@@ -1299,14 +1300,29 @@ public class WadlGenerator implements
ContainerRequestFilter {
StringWriter stringWriter = new StringWriter();
TransformerFactory transformerFactory =
TransformerFactory.newInstance();
transformerFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING,
true);
+ try {
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD,
"");
+
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ } catch (IllegalArgumentException ex) {
+ // ignore
+ }
+
Transformer transformer = transformerFactory.newTransformer();
transformer.transform(domSource, new StreamResult(stringWriter));
return stringWriter.toString();
}
+
private String transformLocally(Message m, UriInfo ui, Source source)
throws Exception {
InputStream is = ResourceUtils.getResourceStream(stylesheetReference,
m.getExchange().getBus());
TransformerFactory transformerFactory =
TransformerFactory.newInstance();
transformerFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING,
true);
+ try {
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD,
"");
+
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ } catch (IllegalArgumentException ex) {
+ // ignore
+ }
+
Transformer t = transformerFactory.newTemplates(new
StreamSource(is)).newTransformer();
t.setParameter("base.path", m.get("http.base.path"));
StringWriter stringWriter = new StringWriter();
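Review bot: The empty `catch (IllegalArgumentException ex)` in both added blocks hides the case where the restriction was not applied: a TransformerFactory implementation that rejects these JAXP 1.5 attributes carries on with only `FEATURE_SECURE_PROCESSING` set, and nothing is recorded. Because both `setAttribute` calls share one `try`, a rejection of `ACCESS_EXTERNAL_DTD` also skips `ACCESS_EXTERNAL_STYLESHEET`. The same block is pasted into the method that closes at the first `}` and into `transformLocally`, so a shared private helper that sets each attribute in its own `try` and records the fallback would keep the two paths from drifting apart. Both method bodies extend outside this hunk, so whether the class already has a logger to use is not visible here.

```java
private static void restrictExternalAccess(TransformerFactory factory) {
    // One try per attribute, so an unsupported attribute does not skip the other.
    for (String attribute : new String[] {
        XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET}) {
        try {
            factory.setAttribute(attribute, "");
        } catch (IllegalArgumentException ex) {
            // The implementation does not support this attribute: report it through the
            // class's logger so it is visible that external access is not restricted.
        }
    }
}

// ... unchanged: TransformerFactory.newInstance() and setFeature(FEATURE_SECURE_PROCESSING, true) ...
restrictExternalAccess(transformerFactory);
// ... unchanged: transformer creation and transform calls in both methods ...
```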