changeset 1389:cb9db45ecdc5

Merge
author asaha
date Mon, 26 Jun 2017 15:20:37 -0700
parents 6c0943f9423d 4c06ef2757de
children 199a8d03dde0 b81850d5e6a7
files .hgtags
diffstat 4 files changed, 52 insertions(+), 19 deletions(-) [+]
--- a/.hgtags	Mon Jun 26 07:39:33 2017 -0700
+++ b/.hgtags	Mon Jun 26 15:20:37 2017 -0700
@@ -700,6 +700,7 @@
 7f1844127578d6726da60f6813bfa9206b57dda9 jdk8u141-b11
 d8134565e6c8cab3ccd0e356c787e0aa75ef68ee jdk8u141-b12
 27d35df45162afdf75b76983fcf11e1cbf2e3001 jdk8u141-b13
+65d3b0e445513e024157635b970660b1e7211937 jdk8u141-b14
 eb09a34966f43c62cb286c78c10dc722fd12d884 jdk8u151-b00
 c59814f445e808150326012d911b5b4d8caa025b jdk8u151-b01
 d3dec37780f84151b08c03a6a8cba7d68bde0f80 jdk8u151-b02
--- a/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java	Mon Jun 26 07:39:33 2017 -0700
+++ b/src/share/jaxws_classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java	Mon Jun 26 15:20:37 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -112,15 +112,13 @@
         this.entityResolver = entityResolver;
         this.errorReceiver = errReceiver;
         this.logic = logic;
+        // secure xml processing can be switched off if input requires it
+        boolean disableXmlSecurity = options == null ? false : options.disableXmlSecurity;
+
+        DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(disableXmlSecurity);
+        this.parserFactory = XmlUtil.newSAXParserFactory(disableXmlSecurity);
         try {
-            // secure xml processing can be switched off if input requires it
-            boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
-            DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(secureProcessingEnabled);
-            dbf.setNamespaceAware(true);
             this.documentBuilder = dbf.newDocumentBuilder();
-
-            this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
-            this.parserFactory.setNamespaceAware(true);
         } catch (ParserConfigurationException e) {
             throw new AssertionError(e);
         }
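Review bot: The comment on the added `disableXmlSecurity` line understates what the flag now controls. With the XmlUtil changes in this same commit, a true value skips not only FEATURE_SECURE_PROCESSING but also the DOCTYPE and external-entity restrictions on both factories built here, assuming `isXMLSecurityDisabled` passes the flag through (its body is not shown). I would reword it to `// disableXmlSecurity turns off secure processing and the DOCTYPE/external-entity restrictions; use only for trusted WSDL and schema input`. The ternary can also be written `options != null && options.disableXmlSecurity`. The constructor starts and ends outside this hunk.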
--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java	Mon Jun 26 07:39:33 2017 -0700
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/DOMUtil.java	Mon Jun 26 15:20:37 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -57,7 +57,6 @@
             if (db == null) {
                 try {
                     DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory();
-                    dbf.setNamespaceAware(true);
                     db = dbf.newDocumentBuilder();
                 } catch (ParserConfigurationException e) {
                     throw new FactoryConfigurationError(e);
--- a/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Mon Jun 26 07:39:33 2017 -0700
+++ b/src/share/jaxws_classes/com/sun/xml/internal/ws/util/xml/XmlUtil.java	Mon Jun 26 15:20:37 2017 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -84,6 +84,14 @@
     private final static String LEXICAL_HANDLER_PROPERTY =
         "http://xml.org/sax/properties/lexical-handler";
 
+    private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";
+
+    private static final String EXTERNAL_GE = "http://xml.org/sax/features/external-general-entities";
+
+    private static final String EXTERNAL_PE = "http://xml.org/sax/features/external-parameter-entities";
+
+    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
     private static final Logger LOGGER = Logger.getLogger(XmlUtil.class.getName());
 
     private static final String DISABLE_XML_SECURITY = "com.sun.xml.internal.ws.disableXmlSecurity";
@@ -372,15 +380,29 @@
     };
 
     public static DocumentBuilderFactory newDocumentBuilderFactory() {
-        return newDocumentBuilderFactory(true);
+        return newDocumentBuilderFactory(false);
     }
 
-    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean secureXmlProcessing) {
+    public static DocumentBuilderFactory newDocumentBuilderFactory(boolean disableSecurity) {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
         try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessing));
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                factory.setExpandEntityReferences(false);
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
         } catch (ParserConfigurationException e) {
-            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[] { factory.getClass().getName() } );
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[] {factory.getClass().getName()} );
         }
         return factory;
     }
@@ -399,12 +421,25 @@
         return newTransformerFactory(true);
     }
 
-    public static SAXParserFactory newSAXParserFactory(boolean secureXmlProcessingEnabled) {
+    public static SAXParserFactory newSAXParserFactory(boolean disableSecurity) {
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        String featureToSet = XMLConstants.FEATURE_SECURE_PROCESSING;
         try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, isXMLSecurityDisabled(secureXmlProcessingEnabled));
-        } catch (Exception e) {
-            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support secure xml processing!", new Object[]{factory.getClass().getName()});
+            boolean securityOn = !isXMLSecurityDisabled(disableSecurity);
+            factory.setFeature(featureToSet, securityOn);
+            factory.setNamespaceAware(true);
+            if (securityOn) {
+                featureToSet = DISALLOW_DOCTYPE_DECL;
+                factory.setFeature(featureToSet, true);
+                featureToSet = EXTERNAL_GE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = EXTERNAL_PE;
+                factory.setFeature(featureToSet, false);
+                featureToSet = LOAD_EXTERNAL_DTD;
+                factory.setFeature(featureToSet, false);
+            }
+        } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
+            LOGGER.log(Level.WARNING, "Factory [{0}] doesn't support "+featureToSet+" feature!", new Object[]{factory.getClass().getName()});
         }
         return factory;
     }
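Review bot: The boolean parameter of `newSAXParserFactory` keeps its type but flips meaning from "secure processing enabled" to "disable security", and nothing on the method documents that; the same applies to `newDocumentBuilderFactory(boolean)` in the hunk above. A caller not updated with this commit that still passes `true` would now be asking for the hardening to be switched off. The context line `return newTransformerFactory(true);` suggests sibling factories in this class keep the old polarity, though their bodies are outside the hunk. I would add Javadoc to both methods, for example `@param disableSecurity {@code true} skips secure processing and the DOCTYPE/external-entity restrictions; pass {@code false} for untrusted input`, and check the remaining callers of both overloads.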