Merge
diff --git a/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java b/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
index 213b584..8a63b73 100644
--- a/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
+++ b/src/java.xml.ws/share/classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java
@@ -84,6 +84,14 @@
private final static String LEXICAL_HANDLER_PROPERTY =
"http://xml.org/sax/properties/lexical-handler";
+ private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+
+ private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
+
+ private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
+
+ private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
@@ -327,10 +335,24 @@
public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity));
+ boolean securityOn = !xmlSecurityDisabled(disableSecurity);
+ factory.setFeature(featureToSet, securityOn);
+ factory.setNamespaceAware(true);
+ if (securityOn) {
+ factory.setExpandEntityReferences(false);
+ featureToSet = DISALLOW_DOCTYPE_DECL;
+ factory.setFeature(featureToSet, true);
+ featureToSet = EXTERNAL_GE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = EXTERNAL_PE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = LOAD_EXTERNAL_DTD;
+ factory.setFeature(featureToSet, false);
+ }
} catch (ParserConfigurationException e) {
- LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+ LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
}
return factory;
}
@@ -347,10 +369,23 @@
public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
SAXParserFactory factory = SAXParserFactory.newInstance();
+ String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, !xmlSecurityDisabled(disableSecurity));
+ boolean securityOn = !xmlSecurityDisabled(disableSecurity);
+ factory.setFeature(featureToSet, securityOn);
+ factory.setNamespaceAware(true);
+ if (securityOn) {
+ featureToSet = DISALLOW_DOCTYPE_DECL;
+ factory.setFeature(featureToSet, true);
+ featureToSet = EXTERNAL_GE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = EXTERNAL_PE;
+ factory.setFeature(featureToSet, false);
+ featureToSet = LOAD_EXTERNAL_DTD;
+ factory.setFeature(featureToSet, false);
+ }
} catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
- LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+ LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
}
return factory;
}
diff --git a/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java b/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java
index e105d2f..c7d9aee 100644
--- a/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java
+++ b/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java
@@ -112,29 +112,13 @@
this.entityResolver = entityResolver;
this.errorReceiver = errReceiver;
this.logic = logic;
+ // secure xml processing can be switched off if input requires it
+ boolean disableXmlSecurity = options == null ? false : options.disableXmlSecurity;
+
+ DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(disableXmlSecurity);
+ this.parserFactory = XmlUtil.newSAXParserFactory(disableXmlSecurity);
try {
- // secure xml processing can be switched off if input requires it
- boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
- DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(!secureProcessingEnabled);
- dbf.setNamespaceAware(true);
this.documentBuilder = dbf.newDocumentBuilder();
-
- this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
- this.parserFactory.setNamespaceAware(true);
-
- if(secureProcessingEnabled){
- dbf.setExpandEntityReferences(false);
- try {
- parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
- parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- } catch (SAXNotRecognizedException e){
- throw new ParserConfigurationException(e.getMessage());
- } catch (SAXNotSupportedException e) {
- throw new ParserConfigurationException(e.getMessage());
- }
- }
-
} catch (ParserConfigurationException e) {
throw new AssertionError(e);
}
