# HG changeset patch
# User asaha
# Date 1500006815 25200
# Node ID 08e2a28966ff72cf3c83e693592ea12b9f5e73dd
# Parent d23691199308042ef997667b60878da0fb51e075
# Parent d72565e4d8cfd8ed07fb515172e610c0dab911b4
Merge
diff -r d23691199308 -r 08e2a28966ff jaxws/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
--- a/jaxws/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Thu Jul 13 17:32:50 2017 +0000
+++ b/jaxws/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java Thu Jul 13 21:33:35 2017 -0700
@@ -84,6 +84,14 @@
 private final static String LEXICAL_HANDLER_PROPERTY = "http://xml.org/sax/properties/lexical-handler";
+ private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+
+ private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
+
+ private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
+
+ private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
 private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
 private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
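Review bot: The four new feature-name constants carry no comment saying what they are, so a reader has to recognise the apache.org URIs as Xerces-specific feature names that another DocumentBuilderFactory/SAXParserFactory implementation may reject from setFeature with ParserConfigurationException (presumably why the callers in newDocumentBuilderFactory and newSAXParserFactory catch and log). A one-line comment above DISALLOW_DOCTYPE_DECL would save that lookup: `// Xerces feature names used to harden parsers: reject DOCTYPE declarations and skip external entity / external DTD loading; not every parser implementation recognises them`.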
@@ -327,10 +335,24 @@
 public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
 try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity));
+ boolean securityOn = !xmlSecurityDisabled(disableSecurity);
+ factory.setFeature(featureToSet, securityOn);
+ factory.setNamespaceAware(true);
+ if (securityOn) {
+ factory.setExpandEntityReferences(false);
+ featureToSet = DISALLOW_DOCTYPE_DECL;
+ factory.setFeature(featureToSet, true);
+ featureToSet = EXTERNAL_GE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = EXTERNAL_PE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = LOAD_EXTERNAL_DTD;
+ factory.setFeature(featureToSet, false);
+ }
 } catch (ParserConfigurationException e) {
- LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+ LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
 }
 return factory;
 }
@@ -347,10 +369,23 @@
 public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
 SAXParserFactory factory = SAXParserFactory.newInstance();
+ String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
 try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity));
+ boolean securityOn = !xmlSecurityDisabled(disableSecurity);
+ factory.setFeature(featureToSet, securityOn);
+ factory.setNamespaceAware(true);
+ if (securityOn) {
+ featureToSet = DISALLOW_DOCTYPE_DECL;
+ factory.setFeature(featureToSet, true);
+ featureToSet = EXTERNAL_GE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = EXTERNAL_PE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = LOAD_EXTERNAL_DTD;
+ factory.setFeature(featureToSet, false);
+ }
 } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
- LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+ LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
 }
 return factory;
 }
diff -r d23691199308 -r 08e2a28966ff jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java
--- a/jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java Thu Jul 13 17:32:50 2017 +0000
+++ b/jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java Thu Jul 13 21:33:35 2017 -0700
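Review bot: newSAXParserFactory (and newDocumentBuilderFactory above it) now forces setNamespaceAware(true) on every caller and, when security is on, sets DISALLOW_DOCTYPE_DECL, but the Javadoc — which sits above the hunk — is not updated to say so; a caller that previously obtained a factory here and parsed input containing a DOCTYPE can be expected to fail unless it passes disableSecurity = true, and that contract change deserves to be written down. I'd add to both methods' Javadoc a return description along the lines of `@return a namespace-aware factory; unless XML security is disabled, parsers it creates reject DOCTYPE declarations and do not load external general/parameter entities or external DTDs`. Callers outside this diff that still call setNamespaceAware(true) themselves are now redundant and can be cleaned up, though that is a follow-up.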
@@ -112,29 +112,13 @@
 this.entityResolver = entityResolver;
 this.errorReceiver = errReceiver;
 this.logic = logic;
- try {
- // secure xml processing can be switched off if input requires it
- boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
- DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(!secureProcessingEnabled);
- dbf.setNamespaceAware(true);
- this.documentBuilder = dbf.newDocumentBuilder();
-
- this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
- this.parserFactory.setNamespaceAware(true);
+ // secure xml processing can be switched off if input requires it
+ boolean disableXmlSecurity = options == null ? false : options.disableXmlSecurity;
- if(secureProcessingEnabled){
- dbf.setExpandEntityReferences(false);
- try {
- parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
- parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- } catch (SAXNotRecognizedException e){
- throw new ParserConfigurationException(e.getMessage());
- } catch (SAXNotSupportedException e) {
- throw new ParserConfigurationException(e.getMessage());
- }
- }
-
+ DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(disableXmlSecurity);
+ this.parserFactory = XmlUtil.newSAXParserFactory(disableXmlSecurity);
+ try {
+ this.documentBuilder = dbf.newDocumentBuilder();
 } catch (ParserConfigurationException e) {
 throw new AssertionError(e);
 }
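Review bot: The failure mode of this constructor changes from fail-closed to fail-open: the removed code turned a SAXNotRecognizedException or SAXNotSupportedException from the entity-hardening setFeature calls into a ParserConfigurationException and then an AssertionError, whereas XmlUtil.newSAXParserFactory now only logs a warning and returns the factory with whatever features it managed to set, so an implementation that rejects DISALLOW_DOCTYPE_DECL silently yields a parser that still accepts DOCTYPE and resolves external entities. If that is intended, say so next to the new call, e.g. `// XmlUtil logs rather than throws when a hardening feature is unsupported; the factory is used as-is`; if the old strictness is wanted, verify the result here with parserFactory.getFeature(...) and keep throwing AssertionError. The ternary on the new line reads more simply as `boolean disableXmlSecurity = options != null && options.disableXmlSecurity;`. The constructor starts and ends outside the hunk.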