Author: bdelacretaz
Date: Wed Aug 10 09:57:15 2016
New Revision: 1755704

URL: http://svn.apache.org/viewvc?rev=1755704&view=rev
Log:
SLING-5954 - Disable non-essential features in XML parser

Modified:
    
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
    
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java

Modified: 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java?rev=1755704&r1=1755703&r2=1755704&view=diff
==============================================================================
--- 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
 (original)
+++ 
sling/trunk/bundles/extensions/xss/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
 Wed Aug 10 09:57:15 2016
@@ -21,6 +21,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.annotation.Nonnull;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -43,6 +44,8 @@ import org.owasp.esapi.Validator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 @Component
@@ -65,6 +68,13 @@ public class XSSAPIImpl implements XSSAP
         factory = SAXParserFactory.newInstance();
         factory.setValidating(false);
         factory.setNamespaceAware(true);
+        try {
+            
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+            
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+        } catch (Exception e) {
+            LOGGER.error("SAX parser configuration error: " + e.getMessage(), 
e);
+        }
     }
 
     @Deactivate
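Review bot: The `catch (Exception e)` closing the new try block fails open: if the installed SAX implementation rejects one of the three features, the error is only logged and activation continues with a parser that still resolves external DTDs and entities, which is exactly what this change is meant to prevent. The exception types imported in the earlier hunks (`ParserConfigurationException`, `SAXNotRecognizedException`, `SAXNotSupportedException`) are otherwise unused; catch those and fail closed instead, e.g. `} catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {` followed by `throw new IllegalStateException("Unable to configure a hardened SAX parser", e);`, so the component does not come up without XXE protection. Separately, an internal DTD subset is still accepted after this change, so inline entity expansion (billion-laughs style) remains bounded only by the JAXP entity-expansion limit; if DOCTYPEs are not needed at all, setting `http://apache.org/xml/features/disallow-doctype-decl` to true is the stronger option, though the test case added in this commit would then need a different expected value. The enclosing method (presumably the `@Activate` counterpart of the `@Deactivate` that follows) starts before this hunk.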

Modified: 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
URL: 
http://svn.apache.org/viewvc/sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java?rev=1755704&r1=1755703&r2=1755704&view=diff
==============================================================================
--- 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 (original)
+++ 
sling/trunk/bundles/extensions/xss/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
 Wed Aug 10 09:57:15 2016
@@ -673,6 +673,10 @@ public class XSSAPIImplTest {
                 {
                         "<t><w>xyz</t></w>",
                         RUBBISH_XML
+                },
+                {
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM 
\"http://nonExistentHost:1234/\";><test/>",
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM 
\"http://nonExistentHost:1234/\";><test/>"
                 }
         };
         for (String[] aTestData : testData) {
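Review bot: The new test case only exercises the `load-external-dtd` feature; the external-general-entities and external-parameter-entities features disabled in the same commit have no coverage, so a regression in either would go unnoticed. A case such as `<?xml version=\"1.0\"?><!DOCTYPE t [<!ENTITY x SYSTEM \"http://nonExistentHost:1234/\">]><t>&x;</t>` would exercise external general entities, but its expected value depends on how the method under test reports a skipped entity and should be confirmed against the implementation rather than assumed to equal the input. The test method and the loop that consumes `testData` continue outside this hunk.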

