aboutsummaryrefslogtreecommitdiff
path: root/moaSig/common/src/main/java/at/gv
diff options
context:
space:
mode:
authortlenz <thomas.lenz@egiz.gv.at>2017-06-27 10:40:58 +0200
committertlenz <thomas.lenz@egiz.gv.at>2017-06-27 10:40:58 +0200
commit64bbeb4c3326ca9f99840f2a9f0c5cb59a87ad92 (patch)
tree1cd7d2253c666a7973c369482c7e80d4599a48bf /moaSig/common/src/main/java/at/gv
parentd69e3b6fb1dec68c0142eda193d1302f5a1ea383 (diff)
downloadmoa-sig-64bbeb4c3326ca9f99840f2a9f0c5cb59a87ad92.tar.gz
moa-sig-64bbeb4c3326ca9f99840f2a9f0c5cb59a87ad92.tar.bz2
moa-sig-64bbeb4c3326ca9f99840f2a9f0c5cb59a87ad92.zip
add Xerces SecurityManager
Diffstat (limited to 'moaSig/common/src/main/java/at/gv')
-rw-r--r--moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java18
1 files changed, 17 insertions, 1 deletions
diff --git a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java
index c5550ad..2a907e7 100644
--- a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java
+++ b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java
@@ -48,9 +48,11 @@ import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
+import org.apache.xerces.impl.Constants;
import org.apache.xerces.parsers.DOMParser;
import org.apache.xerces.parsers.SAXParser;
import org.apache.xerces.parsers.XMLGrammarPreparser;
+import org.apache.xerces.util.SecurityManager;
import org.apache.xerces.util.SymbolTable;
import org.apache.xerces.util.XMLGrammarPoolImpl;
import org.apache.xerces.xni.grammars.XMLGrammarDescription;
@@ -118,6 +120,9 @@ public class DOMUtils {
private static final String DISALLOW_DOCTYPE_FEATURE =
"http://apache.org/xml/features/disallow-doctype-decl";
+ //Security Manager feature for XERCES XML parser
+ private static final String SECURITY_MANAGER =
+ Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
/** Property URI for the Xerces grammar pool. */
@@ -236,6 +241,8 @@ public class DOMUtils {
parser = new DOMParser();
}
+
+
// set parser features and properties
try {
parser.setFeature(NAMESPACES_FEATURE, true);
@@ -247,6 +254,9 @@ public class DOMUtils {
parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
+ SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager();
+ parser.setProperty(SECURITY_MANAGER, xmlParserSecManager);
+
//fix XXE problem
//parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
@@ -324,7 +334,10 @@ public class DOMUtils {
parser.setFeature(NORMALIZED_VALUE_FEATURE, false);
parser.setFeature(INCLUDE_IGNORABLE_WHITESPACE_FEATURE, true);
parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false);
-
+
+ SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager();
+ parser.setProperty(SECURITY_MANAGER, xmlParserSecManager);
+
parser.parse(new InputSource(inputStream));
return parser.getDocument();
@@ -591,6 +604,9 @@ public class DOMUtils {
parser.setFeature(VALIDATION_FEATURE, true);
parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
+ SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager();
+ parser.setProperty(SECURITY_MANAGER, xmlParserSecManager);
+
if (externalSchemaLocations != null) {
parser.setProperty(
EXTERNAL_SCHEMA_LOCATION_PROPERTY,