Author: scheu Date: Tue May 25 14:06:19 2010 New Revision: 948048 URL: http://svn.apache.org/viewvc?rev=948048&view=rev Log: AXIS2-4450 Don't allow XLXP2 to resolve entities when DTDs are disallowed.
Added: webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SecureXMLResolver.java
Modified: webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectDetector.java
webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java
Added: webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SecureXMLResolver.java
URL: http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SecureXMLResolver.java?rev=948048&view=auto
==============================================================================
--- webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SecureXMLResolver.java (added)
+++ webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/SecureXMLResolver.java Tue May 25 14:06:19 2010
@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axiom.util.stax.dialect;
+
+import javax.xml.stream.XMLResolver;
+import javax.xml.stream.XMLStreamException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+/**
+ * This XMLResolver is used whenever a secure XMLStreamReader
+ * is needed. Basically it throws an exception if an attempt
+ * is made to read an entity.
+ */
+public final class SecureXMLResolver implements XMLResolver {
+
+ private static Log log = LogFactory.getLog(SecureXMLResolver.class);
+ public Object resolveEntity(String arg0, String arg1, String arg2,
+ String arg3) throws XMLStreamException {
+ // Do not expose the name of the entity that was attempted to be
+ // read as this will reveal secure information to the client.
+ if (log.isDebugEnabled()) {
+ log.debug("resolveEntity is disabled because this is a secure XMLStreamReader(" + + arg0 + ") (" + arg1 + ") (" + arg2 + ") (" + arg3 + ")");
+ }
+ throw new XMLStreamException("Reading external entities is disabled");
+ }
+
+}
+
Modified: webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectDetector.java
URL: http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectDetector.java?rev=948048&r1=948047&r2=948048&view=diff
==============================================================================
--- webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectDetector.java (original)
+++ webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/StAXDialectDetector.java Tue May 25 14:06:19 2010
@@ -231,7 +231,9 @@ public class StAXDialectDetector {
 return new SJSXPDialect(false);
 } else if ("BEA".equals(vendor)) {
 return BEADialect.INSTANCE;
- } else if ("IBM".equals(vendor) || "com.ibm.ws.prereq.banshee".equals(symbolicName)) {
+ } else if ("IBM".equals(vendor) ||
+ (vendor != null && vendor.indexOf("IBM") >= 0)
+ || "com.ibm.ws.prereq.banshee".equals(symbolicName)) {
 return XLXP2Dialect.INSTANCE;
 } else {
 return null;
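Review bot: The parameters of resolveEntity are named `arg0`..`arg3`, so a reader of the debug line cannot tell which of the four identifiers is being written; javax.xml.stream.XMLResolver declares them as publicID, systemID, baseURI and namespace, and the signature should read `public Object resolveEntity(String publicID, String systemID, String baseURI, String namespace) throws XMLStreamException {`. Those values are taken straight from the document being parsed, so the debug line records untrusted strings; that is acceptable at debug level but deserves a comment such as `// identifiers come from the untrusted document: logged at debug level only, never put in the exception message`, which also makes the intent of the preceding comment explicit. The `log` field should be `static final`. The class Javadoc could state that every resolution attempt fails with XMLStreamException, so callers know this is a hard failure rather than a substitution of an empty entity.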
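Review bot: In the rewritten condition `"IBM".equals(vendor)` is redundant once `vendor.indexOf("IBM") >= 0` is tested, because a vendor string equal to "IBM" also contains it, so the branch can be `} else if ((vendor != null && vendor.indexOf("IBM") >= 0) || "com.ibm.ws.prereq.banshee".equals(symbolicName)) {`. The substring test is also looser than the exact match it replaces: any implementation whose vendor string merely contains "IBM" is now mapped to XLXP2Dialect on this path, and as far as I can see from the hunk nothing here distinguishes XLXP from XLXP2 the way the class probe added further down does. A short comment naming the vendor strings this is meant to accept would make that choice reviewable. The enclosing method begins and ends outside the hunk.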
@@ -281,6 +283,10 @@ public class StAXDialectDetector {
 }
 return new XLXPDialect(isSetPrefixBroken);
 }
+ cls = loadClass(classLoader, rootUrl, "com.ibm.xml.xlxp2.api.stax.StAXImplConstants");
+ if (cls != null) {
+ return new XLXP2Dialect();
+ }
 return null;
 }
Modified: webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java
URL: http://svn.apache.org/viewvc/webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java?rev=948048&r1=948047&r2=948048&view=diff
==============================================================================
--- webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java (original)
+++ webservices/commons/trunk/modules/axiom/modules/axiom-api/src/main/java/org/apache/axiom/util/stax/dialect/XLXP2Dialect.java Tue May 25 14:06:19 2010
@@ -37,6 +37,9 @@ class XLXP2Dialect extends AbstractStAXD
 }
 public XMLInputFactory disallowDoctypeDecl(XMLInputFactory factory) {
+ // Set an XMLResolver that fails if an attempt is made to resolve a reference
+ // This is an additional safeguard.
+ factory.setXMLResolver(new SecureXMLResolver());
 return StAXDialectUtils.disallowDoctypeDecl(factory);
 }
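Review bot: The new fallback returns `new XLXP2Dialect()` while the vendor branch earlier in the same file (the hunk at line 231) returns `XLXP2Dialect.INSTANCE`; for consistency, and to avoid allocating a dialect object on every detection, it should be `return XLXP2Dialect.INSTANCE;`. The probe class name `com.ibm.xml.xlxp2.api.stax.StAXImplConstants` is a bare magic string; a one-line comment stating that its presence identifies an XLXP2 implementation, as opposed to the XLXP check just above, would help the next maintainer. The enclosing method begins outside the hunk.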
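Review bot: `factory.setXMLResolver(new SecureXMLResolver())` mutates the caller's factory before it is passed to `StAXDialectUtils.disallowDoctypeDecl`, so every reader later created from that factory will fail with XMLStreamException on any entity resolution attempt, not only the readers the caller considers secure; that is presumably intended, but the method's Javadoc (outside the hunk) should say so. The added comment should also record the limits of the safeguard: an XMLResolver is consulted only when the parser decides to fetch an external entity, so the primary protection remains the DOCTYPE rejection performed by `StAXDialectUtils.disallowDoctypeDecl`, for example `// Belt-and-braces: the DOCTYPE rejection below is the real guard; this resolver only turns any external-entity fetch that still reaches the parser into a hard failure.` Since SecureXMLResolver holds no per-instance state, a single shared instance would serve instead of a new allocation per call.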