Author: fanningpj
Date: Sat Aug 11 09:22:05 2018
New Revision: 1837850
URL: http://svn.apache.org/viewvc?rev=1837850&view=rev
Log:
disable dtd processing
Added:
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java
(with props)
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestDocumentHelper.java
- copied, changed from r1837715,
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
Modified:
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
Modified: poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java?rev=1837850&r1=1837849&r2=1837850&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
(original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java Sat
Aug 11 09:22:05 2018
@@ -95,11 +95,14 @@ public final class DocumentHelper {
}
}
- private static final DocumentBuilderFactory documentBuilderFactory =
DocumentBuilderFactory.newInstance();
+ static final DocumentBuilderFactory documentBuilderFactory =
DocumentBuilderFactory.newInstance();
static {
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setValidating(false);
+
trySetSAXFeature(documentBuilderFactory,
XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ trySetSAXFeature(documentBuilderFactory,
POIXMLConstants.FEATURE_LOAD_DTD_GRAMMAR, false);
+ trySetSAXFeature(documentBuilderFactory,
POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD, false);
trySetXercesSecurityManager(documentBuilderFactory);
}
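Review bot: The two features added in the static initializer, `FEATURE_LOAD_DTD_GRAMMAR` and `FEATURE_LOAD_EXTERNAL_DTD`, are Xerces feature ids that control whether a non-validating parser uses the DTD grammar and loads the external DTD subset. They do not reject a DOCTYPE, so an internal subset is still parsed and its entity declarations are bounded only by the 4096 expansion limit set further down. The log message "disable dtd processing" overstates this, so I would add a comment above the two calls such as `// Xerces ids: skip DTD grammar and external DTD loading; an inline DOCTYPE is still parsed, see the entity expansion limit`. If a parser does not recognise the ids, the failure is presumably only logged (the `DocumentBuilderFactory` overload of `trySetSAXFeature` is outside this hunk) and that parser keeps its defaults; the same applies to the calls added to `saxFactory` in SAXHelper at `@@ -68,6 +68,9 @@`. Separately, dropping `private` from `documentBuilderFactory` exposes a mutable shared factory to the whole package for the sake of the new test; a `// package-private for TestDocumentHelper` comment or a read-only accessor would make that intent explicit.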
@@ -123,7 +126,7 @@ public final class DocumentHelper {
Object mgr =
Class.forName(securityManagerClassName).newInstance();
Method setLimit =
mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
setLimit.invoke(mgr, 4096);
-
dbf.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
+ dbf.setAttribute(POIXMLConstants.PROPERTY_SECURITY_MANAGER,
mgr);
// Stop once one can be setup without error
return;
} catch (ClassNotFoundException e) {
@@ -134,7 +137,7 @@ public final class DocumentHelper {
}
// separate old version of Xerces not found => use the builtin way of
setting the property
-
dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit",
4096);
+ dbf.setAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT,
4096);
}
/**
Added: poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java?rev=1837850&view=auto
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java
(added)
+++ poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java Sat
Aug 11 09:22:05 2018
@@ -0,0 +1,25 @@
+/* ====================================================================
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+==================================================================== */
+
+package org.apache.poi.ooxml.util;
+
+public class POIXMLConstants {
+ public static final String FEATURE_LOAD_DTD_GRAMMAR =
"http://apache.org/xml/features/nonvalidating/load-dtd-grammar";
+ public static final String FEATURE_LOAD_EXTERNAL_DTD =
"http://apache.org/xml/features/nonvalidating/load-external-dtd";
+ public static final String PROPERTY_ENTITY_EXPANSION_LIMIT =
"http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
+ public static final String PROPERTY_SECURITY_MANAGER =
"http://apache.org/xml/properties/security-manager";
+}
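Review bot: `POIXMLConstants` is a pure constants holder but is declared as a plain `public class`, so it can be instantiated and subclassed; `public final class POIXMLConstants` with a `private POIXMLConstants() {}` constructor would state the intent. The four ids also come from different namespaces: the two `FEATURE_*` ids and `PROPERTY_SECURITY_MANAGER` are under `apache.org/xml`, while `PROPERTY_ENTITY_EXPANSION_LIMIT` is under `oracle.com/xml/jaxp`. A one-line Javadoc on each constant, saying which parser implementation honours it and what the value used by the helpers means, would help whoever hardens the next factory.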
Propchange:
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java?rev=1837850&r1=1837849&r2=1837850&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java Sat Aug
11 09:22:05 2018
@@ -68,6 +68,9 @@ public final class SAXHelper {
saxFactory = SAXParserFactory.newInstance();
saxFactory.setValidating(false);
saxFactory.setNamespaceAware(true);
+ trySetSAXFeature(saxFactory,
XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ trySetSAXFeature(saxFactory,
POIXMLConstants.FEATURE_LOAD_DTD_GRAMMAR, false);
+ trySetSAXFeature(saxFactory,
POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD, false);
} catch (RuntimeException | Error re) { // NOSONAR
// this also catches NoClassDefFoundError, which may be due to a
local class path issue
// This may occur if the code is run inside a web container
@@ -81,6 +84,16 @@ public final class SAXHelper {
}
}
+ private static void trySetSAXFeature(SAXParserFactory spf, String feature,
boolean flag) {
+ try {
+ spf.setFeature(feature, flag);
+ } catch (Exception e) {
+ logger.log(POILogger.WARN, "SAX Feature unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(POILogger.WARN, "Cannot set SAX feature because
outdated XML parser in classpath", feature, ame);
+ }
+ }
+
private static void trySetSAXFeature(XMLReader xmlReader, String feature) {
try {
xmlReader.setFeature(feature, true);
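Review bot: The new `trySetSAXFeature(SAXParserFactory, ...)` overload fails open: any exception from `spf.setFeature` is logged at WARN and the factory is then used as if the hardening had been applied, including for `XMLConstants.FEATURE_SECURE_PROCESSING`, which JAXP implementations are required to support. A failure there deserves stricter handling than an unrecognised Xerces id; returning a boolean, or rethrowing for that one feature, would let the caller at `@@ -68,6 +68,9 @@` decide whether to hand out a parser. `catch (Exception e)` is also wider than what `setFeature` declares, and `catch (ParserConfigurationException | SAXException e)` would leave runtime failures to the existing outer handler. The message "SAX Feature unsupported" would be more useful if it said that the parser keeps its default for that feature. The `XMLReader` overload that follows continues past the end of the hunk.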
@@ -101,7 +114,7 @@ public final class SAXHelper {
Object mgr =
Class.forName(securityManagerClassName).newInstance();
Method setLimit =
mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
setLimit.invoke(mgr, 4096);
-
xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
+
xmlReader.setProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER, mgr);
// Stop once one can be setup without error
return;
} catch (ClassNotFoundException e) {
@@ -117,7 +130,7 @@ public final class SAXHelper {
// separate old version of Xerces not found => use the builtin way of
setting the property
try {
-
xmlReader.setProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit",
4096);
+
xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 4096);
} catch (SAXException e) { // NOSONAR - also catch things like
NoClassDefError here
// throttle the log somewhat as it can spam the log otherwise
if(System.currentTimeMillis() > lastLog +
TimeUnit.MINUTES.toMillis(5)) {
Copied:
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestDocumentHelper.java
(from r1837715,
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java)
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestDocumentHelper.java?p2=poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestDocumentHelper.java&p1=poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java&r1=1837715&r2=1837850&rev=1837850&view=diff
==============================================================================
--- poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
(original)
+++
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestDocumentHelper.java
Sat Aug 11 09:22:05 2018
@@ -16,30 +16,29 @@
==================================================================== */
package org.apache.poi.ooxml.util;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNotSame;
-import static org.junit.Assert.assertTrue;
+import org.junit.Test;
+import org.xml.sax.InputSource;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
import java.io.ByteArrayInputStream;
-import javax.xml.XMLConstants;
+import static org.junit.Assert.*;
-import org.junit.Test;
-import org.xml.sax.InputSource;
-import org.xml.sax.XMLReader;
-
-public class TestSAXHelper {
+public class TestDocumentHelper {
@Test
- public void testXMLReader() throws Exception {
- XMLReader reader = SAXHelper.newXMLReader();
- assertNotSame(reader, SAXHelper.newXMLReader());
- assertTrue(reader.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
- assertEquals(SAXHelper.IGNORING_ENTITY_RESOLVER,
reader.getEntityResolver());
-
assertNotNull(reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
- assertEquals("4096",
reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
-
assertNotNull(reader.getProperty("http://apache.org/xml/properties/security-manager"));
+ public void testDocumentBuilder() throws Exception {
+ DocumentBuilder documentBuilder = DocumentHelper.newDocumentBuilder();
+ assertNotSame(documentBuilder, DocumentHelper.newDocumentBuilder());
+ assertTrue(documentBuilder.isNamespaceAware());
+ assertFalse(documentBuilder.isValidating());
+ documentBuilder.parse(new InputSource(new
ByteArrayInputStream("<xml></xml>".getBytes("UTF-8"))));
+ }
- reader.parse(new InputSource(new
ByteArrayInputStream("<xml></xml>".getBytes("UTF-8"))));
+ @Test
+ public void testDocumentBuilderFactory() throws Exception {
+
assertTrue(DocumentHelper.documentBuilderFactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
+
assertFalse(DocumentHelper.documentBuilderFactory.getFeature(POIXMLConstants.FEATURE_LOAD_DTD_GRAMMAR));
+
assertFalse(DocumentHelper.documentBuilderFactory.getFeature(POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD));
}
}
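Review bot: `testDocumentBuilderFactory` only reads the three feature flags back and `testDocumentBuilder` parses `<xml></xml>`, so nothing here exercises input that actually carries a DOCTYPE. A case that parses a document whose DOCTYPE names an external DTD that does not exist, and asserts the parse still completes, would pin the behaviour rather than the flag; the same gap exists in the `@@ -35,10 +32,12 @@` hunk of TestSAXHelper. The copy also dropped the entity-expansion-limit and security-manager assertions without adding a `DocumentBuilderFactory` equivalent (for example via `getAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT)`), so the limit applied by `trySetXercesSecurityManager` is untested on this path.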
Modified:
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
URL:
http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java?rev=1837850&r1=1837849&r2=1837850&view=diff
==============================================================================
--- poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
(original)
+++ poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
Sat Aug 11 09:22:05 2018
@@ -16,10 +16,7 @@
==================================================================== */
package org.apache.poi.ooxml.util;
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNotNull;
-import static org.junit.Assert.assertNotSame;
-import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.*;
import java.io.ByteArrayInputStream;
@@ -35,10 +32,12 @@ public class TestSAXHelper {
XMLReader reader = SAXHelper.newXMLReader();
assertNotSame(reader, SAXHelper.newXMLReader());
assertTrue(reader.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
+
assertFalse(reader.getFeature(POIXMLConstants.FEATURE_LOAD_DTD_GRAMMAR));
+
assertFalse(reader.getFeature(POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD));
assertEquals(SAXHelper.IGNORING_ENTITY_RESOLVER,
reader.getEntityResolver());
-
assertNotNull(reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
- assertEquals("4096",
reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
-
assertNotNull(reader.getProperty("http://apache.org/xml/properties/security-manager"));
+
assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
+ assertEquals("4096",
reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
+
assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER));
reader.parse(new InputSource(new
ByteArrayInputStream("<xml></xml>".getBytes("UTF-8"))));
}