You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2018/03/08 12:16:45 UTC

[cxf] branch master updated: Adding the secure processing feature in a few more places

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new 6ea2fa6  Adding the secure processing feature in a few more places
6ea2fa6 is described below

commit 6ea2fa690b4b75d340919b2cac1cda3a93cd1bb5
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 8 12:16:28 2018 +0000

    Adding the secure processing feature in a few more places
---
 core/src/main/java/org/apache/cxf/helpers/DOMUtils.java              | 2 ++
 .../src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java      | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
index a8da819..5b79367 100644
--- a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
@@ -99,6 +99,7 @@ public final class DOMUtils {
             DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
             f.setNamespaceAware(true);
             f.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             return f.newDocumentBuilder();
         }
         DocumentBuilder factory = DOCUMENT_BUILDERS.get(loader);
@@ -106,6 +107,7 @@ public final class DOMUtils {
             DocumentBuilderFactory f2 = DocumentBuilderFactory.newInstance();
             f2.setNamespaceAware(true);
             f2.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            f2.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             factory = f2.newDocumentBuilder();
             DOCUMENT_BUILDERS.put(loader, factory);
         }
diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
index f9d1ff5..a9de412 100644
--- a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
+++ b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
@@ -115,6 +115,11 @@ public class XMLTypeCreator extends AbstractTypeCreator {
     static {
         AEGIS_DOCUMENT_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
         AEGIS_DOCUMENT_BUILDER_FACTORY.setNamespaceAware(true);
+        try {
+            AEGIS_DOCUMENT_BUILDER_FACTORY.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (javax.xml.parsers.ParserConfigurationException ex) {
+            // ignore
+        }
 
         String path = "/META-INF/cxf/aegis.xsd";
         InputStream is = XMLTypeCreator.class.getResourceAsStream(path);

-- 
To stop receiving notification emails like this one, please contact
coheigea@apache.org.