Posted to general@attic.apache.org by fa...@apache.org on 2018/06/10 10:15:30 UTC
svn commit: r1833260 - in /xmlbeans/trunk/src:
common/org/apache/xmlbeans/impl/common/ store/org/apache/xmlbeans/impl/store/
Author: fanningpj
Date: Sun Jun 10 10:15:30 2018
New Revision: 1833260
URL: http://svn.apache.org/viewvc?rev=1833260&view=rev
Log:
use safe XML parsers
Added:
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/NullLogger.java
- copied, changed from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/NullLogger.java
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
- copied, changed from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java
- copied, changed from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogger.java
- copied, changed from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogger.java
Removed:
xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/NullLogger.java
xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java
xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java
xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogger.java
Modified:
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java
xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/Locale.java
Added: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java?rev=1833260&view=auto
==============================================================================
--- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java (added)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java Sun Jun 10 10:15:30 2018
@@ -0,0 +1,165 @@
+/* Copyright 2004-2018 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.common;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Method;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.events.Namespace;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.ErrorHandler;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
+
+public final class DocumentHelper {
+ private static XBLogger logger = XBLogFactory.getLogger(DocumentHelper.class);
+
+ private DocumentHelper() {}
+
+ private static class DocHelperErrorHandler implements ErrorHandler {
+
+ public void warning(SAXParseException exception) throws SAXException {
+ printError(XBLogger.WARN, exception);
+ }
+
+ public void error(SAXParseException exception) throws SAXException {
+ printError(XBLogger.ERROR, exception);
+ }
+
+ public void fatalError(SAXParseException exception) throws SAXException {
+ printError(XBLogger.FATAL, exception);
+ throw exception;
+ }
+
+ /** Prints the error message. */
+ private void printError(int type, SAXParseException ex) {
+ StringBuilder sb = new StringBuilder();
+
+ String systemId = ex.getSystemId();
+ if (systemId != null) {
+ int index = systemId.lastIndexOf('/');
+ if (index != -1)
+ systemId = systemId.substring(index + 1);
+ sb.append(systemId);
+ }
+ sb.append(':');
+ sb.append(ex.getLineNumber());
+ sb.append(':');
+ sb.append(ex.getColumnNumber());
+ sb.append(": ");
+ sb.append(ex.getMessage());
+
+ logger.log(type, sb.toString(), ex);
+ }
+ }
+
+ /**
+ * Creates a new document builder, with sensible defaults
+ *
+ * @throws IllegalStateException If creating the DocumentBuilder fails, e.g.
+ * due to {@link ParserConfigurationException}.
+ */
+ public static synchronized DocumentBuilder newDocumentBuilder() {
+ try {
+ DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(SAXHelper.IGNORING_ENTITY_RESOLVER);
+ documentBuilder.setErrorHandler(new DocHelperErrorHandler());
+ return documentBuilder;
+ } catch (ParserConfigurationException e) {
+ throw new IllegalStateException("cannot create a DocumentBuilder", e);
+ }
+ }
+
+ private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ static {
+ documentBuilderFactory.setNamespaceAware(true);
+ documentBuilderFactory.setValidating(false);
+ trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ trySetXercesSecurityManager(documentBuilderFactory);
+ }
+
+ private static void trySetSAXFeature(DocumentBuilderFactory dbf, String feature, boolean enabled) {
+ try {
+ dbf.setFeature(feature, enabled);
+ } catch (Exception e) {
+ logger.log(XBLogger.WARN, "SAX Feature unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(XBLogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+ }
+ }
+
+ private static void trySetXercesSecurityManager(DocumentBuilderFactory dbf) {
+ // Try built-in JVM one first, standalone if not
+ for (String securityManagerClassName : new String[]{
+ //"com.sun.org.apache.xerces.internal.util.SecurityManager",
+ "org.apache.xerces.util.SecurityManager"
+ }) {
+ try {
+ Object mgr = Class.forName(securityManagerClassName).newInstance();
+ Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
+ setLimit.invoke(mgr, 4096);
+ dbf.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
+ // Stop once one can be setup without error
+ return;
+ } catch (ClassNotFoundException e) {
+ // continue without log, this is expected in some setups
+ } catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here
+ logger.log(XBLogger.WARN, "SAX Security Manager could not be setup", e);
+ }
+ }
+
+ // separate old version of Xerces not found => use the builtin way of setting the property
+ dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
+ }
+
+ /**
+ * Parses the given stream via the default (sensible)
+ * DocumentBuilder
+ * @param inp Stream to read the XML data from
+ * @return the parsed Document
+ */
+ public static Document readDocument(InputStream inp) throws IOException, SAXException {
+ return newDocumentBuilder().parse(inp);
+ }
+
+ /**
+ * Parses the given stream via the default (sensible)
+ * DocumentBuilder
+ * @param inp sax source to read the XML data from
+ * @return the parsed Document
+ */
+ public static Document readDocument(InputSource inp) throws IOException, SAXException {
+ return newDocumentBuilder().parse(inp);
+ }
+
+ // must only be used to create empty documents, do not use it for parsing!
+ private static final DocumentBuilder documentBuilderSingleton = newDocumentBuilder();
+
+ /**
+ * Creates a new DOM Document
+ */
+ public static synchronized Document createDocument() {
+ return documentBuilderSingleton.newDocument();
+ }
+}
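Review bot: The fallback `dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096)` at the end of trySetXercesSecurityManager is the only configuration call in this class that is not guarded, and it runs from the static initializer. `DocumentBuilderFactory.setAttribute` throws IllegalArgumentException when the implementation does not recognise the attribute, so with a parser that is neither standalone Xerces nor the JDK's built-in one, DocumentHelper would fail to initialise and every caller would fail with it. Wrapping it as `try { dbf.setAttribute(...); } catch (IllegalArgumentException e) { logger.log(XBLogger.WARN, "SAX Security Manager could not be setup", e); }` keeps the helper usable, and the warning records that no entity-expansion limit is in force. Separately, the comment "Try built-in JVM one first" no longer matches the loop, because that class name is commented out, and the imports of `javax.xml.stream.events.Namespace` and `org.w3c.dom.Element` are unused.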
Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java?rev=1833260&r1=1833259&r2=1833260&view=diff
==============================================================================
--- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java Sun Jun 10 10:15:30 2018
@@ -22,7 +22,6 @@ package org.apache.xmlbeans.impl.common;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
-import javax.xml.parsers.SAXParserFactory;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamWriter;
@@ -40,10 +39,7 @@ public class LoadSaveUtils
public static Document xmlText2GenericDom(InputStream is, Document emptyDoc)
throws SAXException, ParserConfigurationException, IOException
{
- SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
-
- SAXParser parser = factory.newSAXParser();
+ SAXParser parser = SAXHelper.saxFactory.newSAXParser();
Sax2Dom handler = new Sax2Dom(emptyDoc);
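Review bot: The parser returned by `SAXHelper.saxFactory.newSAXParser()` carries only what the shared factory was configured with, and this hunk does not install `SAXHelper.IGNORING_ENTITY_RESOLVER` the way DocumentHelper.newDocumentBuilder() does for DOM builders. The rest of xmlText2GenericDom lies outside the hunk, but if it parses with the Sax2Dom handler, entity resolution would presumably fall back to that handler's inherited `resolveEntity`, so it is worth confirming that external entities in `is` are still ignored on this path. The removed `factory.setNamespaceAware(true)` also needs an equivalent setting in SAXHelper's static block, which is only partly visible in this commit. A comment above the new line such as `// SAXHelper.saxFactory is pre-configured with the parser hardening; do not create a SAXParserFactory here` would record why the local factory was dropped.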
Copied: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/NullLogger.java (from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/NullLogger.java)
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/NullLogger.java?p2=xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/NullLogger.java&p1=xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/NullLogger.java&r1=1833259&r2=1833260&rev=1833260&view=diff
==============================================================================
--- xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/NullLogger.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/NullLogger.java Sun Jun 10 10:15:30 2018
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
/**
* A logger class that strives to make it as easy as possible for
Copied: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java (from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java)
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java?p2=xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java&p1=xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java&r1=1833259&r2=1833260&rev=1833260&view=diff
==============================================================================
--- xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java Sun Jun 10 10:15:30 2018
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
import java.io.IOException;
import java.io.StringReader;
@@ -57,7 +57,7 @@ public final class SAXHelper {
}
};
- private static final SAXParserFactory saxFactory;
+ static final SAXParserFactory saxFactory;
static {
saxFactory = SAXParserFactory.newInstance();
saxFactory.setValidating(false);
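Review bot: Dropping `private` from `saxFactory` hands the shared, mutable SAXParserFactory to every class in the package, so any of them can change its features after the static block has hardened it, and concurrent `newSAXParser()` calls are no longer serialised by this class. DocumentHelper in the same commit keeps its factory private and exposes a synchronized `newDocumentBuilder()`; the same shape here would be `static synchronized SAXParser newSAXParser() throws ParserConfigurationException, SAXException { return saxFactory.newSAXParser(); }` with the field left private. The static block continues past the end of this hunk, so the full set of features applied to the factory is not visible here.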
Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java?rev=1833260&r1=1833259&r2=1833260&view=diff
==============================================================================
--- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java Sun Jun 10 10:15:30 2018
@@ -28,7 +28,6 @@ import org.xml.sax.helpers.DefaultHandle
import org.xml.sax.ext.LexicalHandler;
import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.DocumentBuilderFactory;
import java.util.Stack;
import java.util.Vector;
@@ -49,9 +48,7 @@ public class Sax2Dom
public Sax2Dom() throws ParserConfigurationException
{
- final DocumentBuilderFactory factory =
- DocumentBuilderFactory.newInstance();
- _document = factory.newDocumentBuilder().newDocument();
+ _document = DocumentHelper.newDocumentBuilder().newDocument();
_root = _document;
}
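Review bot: Both constructors (this hunk and the next one) build a fresh DocumentBuilder only to call `newDocument()` on it, while DocumentHelper in this commit already offers `createDocument()` for exactly that purpose. `_document = DocumentHelper.createDocument();` would reuse the singleton builder and avoid the per-instance builder setup. Note also that `newDocumentBuilder()` reports failure as IllegalStateException, so the `throws ParserConfigurationException` on these constructors is now kept only for source compatibility; a one-line comment saying so would prevent it from being read as a live error path.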
@@ -68,9 +65,7 @@ public class Sax2Dom
}
else
{
- final DocumentBuilderFactory factory =
- DocumentBuilderFactory.newInstance();
- _document = factory.newDocumentBuilder().newDocument();
+ _document = DocumentHelper.newDocumentBuilder().newDocument();
_root = _document;
}
}
Copied: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java (from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java)
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java?p2=xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java&p1=xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java&r1=1833259&r2=1833260&rev=1833260&view=diff
==============================================================================
--- xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java Sun Jun 10 10:15:30 2018
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
import java.util.HashMap;
import java.util.Map;
Copied: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogger.java (from r1833259, xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogger.java)
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogger.java?p2=xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogger.java&p1=xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogger.java&r1=1833259&r2=1833260&rev=1833260&view=diff
==============================================================================
--- xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/XBLogger.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XBLogger.java Sun Jun 10 10:15:30 2018
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
/**
* A logger interface that strives to make it as easy as possible for
Modified: xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/Locale.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/Locale.java?rev=1833260&r1=1833259&r2=1833260&view=diff
==============================================================================
--- xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/Locale.java (original)
+++ xmlbeans/trunk/src/store/org/apache/xmlbeans/impl/store/Locale.java Sun Jun 10 10:15:30 2018
@@ -1,4 +1,4 @@
-/* Copyright 2004-2017 The Apache Software Foundation
+/* Copyright 2004-2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,7 +15,6 @@
package org.apache.xmlbeans.impl.store;
-import org.apache.xmlbeans.XmlErrorCodes;
import org.xml.sax.Locator;
import org.xml.sax.Attributes;
import org.xml.sax.ContentHandler;
@@ -42,6 +41,7 @@ import java.io.Reader;
import java.io.StringReader;
import java.io.IOException;
+import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamException;
@@ -56,15 +56,7 @@ import org.apache.xmlbeans.xml.stream.XM
import org.apache.xmlbeans.xml.stream.XMLInputStream;
import org.apache.xmlbeans.xml.stream.XMLName;
-import org.w3c.dom.DOMImplementation;
-import org.w3c.dom.Document;
-import org.w3c.dom.DocumentType;
-import org.w3c.dom.Node;
-import org.w3c.dom.NamedNodeMap;
-import org.w3c.dom.Element;
-
-import javax.xml.namespace.QName;
-
+import org.apache.xmlbeans.impl.common.SAXHelper;
import org.apache.xmlbeans.impl.common.XMLNameHelper;
import org.apache.xmlbeans.impl.common.QNameHelper;
import org.apache.xmlbeans.impl.common.XmlLocale;
@@ -86,10 +78,11 @@ import org.apache.xmlbeans.XmlBeans;
import org.apache.xmlbeans.XmlLineNumber;
import org.apache.xmlbeans.XmlCursor;
import org.apache.xmlbeans.XmlCursor.XmlBookmark;
-import org.apache.xmlbeans.XmlSaxHandler;
+import org.apache.xmlbeans.XmlErrorCodes;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
+import org.apache.xmlbeans.XmlSaxHandler;
import org.apache.xmlbeans.SchemaType;
import org.apache.xmlbeans.SchemaTypeLoader;
import org.apache.xmlbeans.XmlTokenSource;
@@ -103,6 +96,13 @@ import org.apache.xmlbeans.impl.values.T
import org.apache.xmlbeans.impl.values.TypeStoreUser;
import org.apache.xmlbeans.impl.values.TypeStoreUserFactory;
+import org.w3c.dom.DOMImplementation;
+import org.w3c.dom.Document;
+import org.w3c.dom.DocumentType;
+import org.w3c.dom.Node;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Element;
+
public final class Locale
implements DOMImplementation, SaajCallback, XmlLocale
{