Posted to commits@uima.apache.org by sc...@apache.org on 2019/06/25 19:44:56 UTC

svn commit: r1862083 - in /uima/uimaj/trunk: uima-docbook-references/src/docbook/ref.config.xml uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java

Author: schor
Date: Tue Jun 25 19:44:56 2019
New Revision: 1862083

URL: http://svn.apache.org/viewvc?rev=1862083&view=rev
Log:
[UIMA-6064]

Modified:
    uima/uimaj/trunk/uima-docbook-references/src/docbook/ref.config.xml
    uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java

Modified: uima/uimaj/trunk/uima-docbook-references/src/docbook/ref.config.xml
URL: http://svn.apache.org/viewvc/uima/uimaj/trunk/uima-docbook-references/src/docbook/ref.config.xml?rev=1862083&r1=1862082&r2=1862083&view=diff
==============================================================================
--- uima/uimaj/trunk/uima-docbook-references/src/docbook/ref.config.xml (original)
+++ uima/uimaj/trunk/uima-docbook-references/src/docbook/ref.config.xml Tue Jun 25 19:44:56 2019
@@ -104,6 +104,21 @@ under the License.
 
          <!-- ******************************************************************************* -->
          <row>
+           <entry><para>XML: enable doctype declarations</para></entry>
+           <entry><para><code>uima.xml.enable.doctype_decl</code> (default is false)</para>
+
+           <para>See <ulink url="https://issues.apache.org/jira/browse/UIMA-6064">UIMA-6064</ulink>
+           Normally, this is turned off to avoid exposure to malicious XML; see
+           <ulink url="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">
+             XML External Entity processing vulnerability</ulink>.
+           </para>
+           </entry>
+           
+           <entry><para>2.10.4, 3.0.3</para></entry>
+         </row>
+           
+         <!-- ******************************************************************************* -->
+         <row>
            <entry><para>Allow duplicate addToIndexes for identical Feature Structures</para></entry>
            
            <entry><para><code>uima.allow_duplicate_add_to_indexes</code> (default is false)</para>

Modified: uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java
URL: http://svn.apache.org/viewvc/uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java?rev=1862083&r1=1862082&r2=1862083&view=diff
==============================================================================
--- uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java (original)
+++ uima/uimaj/trunk/uimaj-core/src/main/java/org/apache/uima/internal/util/XMLUtils.java Tue Jun 25 19:44:56 2019
@@ -31,6 +31,7 @@ import javax.xml.transform.sax.SAXTransf
 
 import org.apache.uima.UIMAFramework;
 import org.apache.uima.util.Level;
+import org.apache.uima.util.Misc;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
@@ -44,10 +45,19 @@ import org.xml.sax.helpers.XMLReaderFact
 /**
  * Some utilities for working with XML.
  * 
- * 
+ * abstract only to prevent instantiation - all methods are static
  */
 public abstract class XMLUtils {
   
+  /** see https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.md */
+  
+  /**
+   * -Duima.xml.enable.doctype_decl   
+   * 
+   */
+  private static final String XML_ENABLE_DOCTYPE_DECL = "uima.xml.enable.doctype_decl";
+  private static final boolean IS_XML_ENABLE_DOCTYPE_DECL = Misc.getNoValueSystemProperty(XML_ENABLE_DOCTYPE_DECL);
+  
   // constants - not all Java versions define these
   
   private static final String ACCESS_EXTERNAL_STYLESHEET = "http://javax.xml.XMLConstants/property/accessExternalStylesheet";
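Review bot: The documentation of the new switch is split into two Javadoc blocks, and the first one (`/** see https://github.com/OWASP/... */`) is attached to nothing because a blank line and a second `/** ... */` follow it before the field. Neither block says that `IS_XML_ENABLE_DOCTYPE_DECL` is a `static final` read once when `XMLUtils` is initialized, so the property only takes effect if it is set (typically with `-D`) before the first UIMA XML parse, and that it re-enables the XXE exposure the OWASP page describes for every parser built by this class. I would merge them into one comment on the field: `/** -Duima.xml.enable.doctype_decl: when present, DOCTYPE declarations are accepted by parsers built here. Read once at class initialization, so set it before the first XML parse. Re-enables the XXE exposure described in the OWASP XXE prevention cheat sheet. */`. The name `getNoValueSystemProperty` suggests mere presence of the property enables the option regardless of its value; worth confirming and stating, because the ref.config.xml entry says "default is false", which reads as if `=false` would turn it off.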
@@ -57,6 +67,7 @@ public abstract class XMLUtils {
   private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
   private static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
   private static final String EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
+
   /**
    * Normalizes the given string for output to XML. This converts all special characters, e.g. &lt;,
    * %gt;, &amp;, to their XML representations, e.g. &amp;lt;, &amp;gt;, &amp;amp;. The normalized
@@ -542,7 +553,9 @@ public abstract class XMLUtils {
   public static SAXParserFactory createSAXParserFactory() {
     SAXParserFactory factory = SAXParserFactory.newInstance();
     try {
-      factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      if ( ! IS_XML_ENABLE_DOCTYPE_DECL) {  // https://issues.apache.org/jira/browse/UIMA-6064
+        factory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      }
     } catch (SAXNotRecognizedException e) {
       UIMAFramework.getLogger().log(Level.WARNING, 
           "SAXParserFactory didn't recognize feature " + DISALLOW_DOCTYPE_DECL);
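Review bot: When `IS_XML_ENABLE_DOCTYPE_DECL` is set, the only protection visible in this hunk is skipped silently; in that mode external-entity and external-DTD loading must be explicitly disabled (Xerces' `external-general-entities` defaults to true), and the constants `EXTERNAL_GENERAL_ENTITIES`, `EXTERNAL_PARAMETER_ENTITIES` and `LOAD_EXTERNAL_DTD` exist for exactly that, but whether the rest of `createSAXParserFactory`, which continues outside the hunk, applies them unconditionally I cannot tell from here. I would at least record that the weaker mode is active so operators can see it in logs: `} else { UIMAFramework.getLogger().log(Level.WARNING, "DOCTYPE declarations enabled via -D" + XML_ENABLE_DOCTYPE_DECL + "; external entity/DTD loading must remain disabled"); }`. Setting `XMLConstants.FEATURE_SECURE_PROCESSING` on the factory regardless of the flag would also bound entity expansion once DOCTYPEs are accepted.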
@@ -647,7 +660,9 @@ public abstract class XMLUtils {
   public static DocumentBuilderFactory createDocumentBuilderFactory() { 
     DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
     try {
-      documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      if ( ! IS_XML_ENABLE_DOCTYPE_DECL) {  // https://issues.apache.org/jira/browse/UIMA-6064
+        documentBuilderFactory.setFeature(DISALLOW_DOCTYPE_DECL, true);
+      }
     } catch (ParserConfigurationException e1) {
       UIMAFramework.getLogger().log(Level.WARNING, 
           "DocumentBuilderFactory didn't recognize setting feature " + DISALLOW_DOCTYPE_DECL);
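Review bot: With DOCTYPE declarations allowed, the DOM builder also needs the DOM-specific hardening the OWASP cheat sheet pairs with the external-entity features, which this hunk does not add: `documentBuilderFactory.setExpandEntityReferences(false);` and `documentBuilderFactory.setXIncludeAware(false);` placed after the `if`, unconditionally. Whether `createDocumentBuilderFactory`, which continues past the hunk, already sets `EXTERNAL_GENERAL_ENTITIES`, `EXTERNAL_PARAMETER_ENTITIES` and `LOAD_EXTERNAL_DTD` to false is not visible here; if it does not, enabling the property reopens classic XXE for any descriptor or XMI file parsed through this factory. The comment on the `if` should say that, rather than only citing the ticket: `// UIMA-6064: DOCTYPE allowed only when the property is set; external entities stay disabled below`.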