You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2018/03/08 14:06:58 UTC

[cxf] branch 3.1.x-fixes updated: Adding the secure processing feature in a few more places

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.1.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/3.1.x-fixes by this push:
     new aa170ad  Adding the secure processing feature in a few more places
aa170ad is described below

commit aa170adc05a5020587161e2e43988f3b4f529b2a
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Thu Mar 8 12:16:28 2018 +0000

    Adding the secure processing feature in a few more places
---
 core/src/main/java/org/apache/cxf/helpers/DOMUtils.java            | 2 ++
 .../src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java    | 7 ++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
index 2d4697a..626db9e 100644
--- a/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/DOMUtils.java
@@ -72,6 +72,7 @@ public final class DOMUtils {
             DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
             f.setNamespaceAware(true);
             f.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             return f.newDocumentBuilder();
         }
         DocumentBuilder factory = DOCUMENT_BUILDERS.get(loader);
@@ -79,6 +80,7 @@ public final class DOMUtils {
             DocumentBuilderFactory f2 = DocumentBuilderFactory.newInstance();
             f2.setNamespaceAware(true);
             f2.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            f2.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             factory = f2.newDocumentBuilder();
             DOCUMENT_BUILDERS.put(loader, factory);
         }
diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
index d7f69e6..fbe77d3 100644
--- a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
+++ b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/XMLTypeCreator.java
@@ -115,7 +115,12 @@ public class XMLTypeCreator extends AbstractTypeCreator {
     static {
         AEGIS_DOCUMENT_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
         AEGIS_DOCUMENT_BUILDER_FACTORY.setNamespaceAware(true);
-        
+        try {
+            AEGIS_DOCUMENT_BUILDER_FACTORY.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (javax.xml.parsers.ParserConfigurationException ex) {
+            // ignore
+        }
+
         String path = "/META-INF/cxf/aegis.xsd";
         InputStream is = XMLTypeCreator.class.getResourceAsStream(path);
         if (is != null) {

-- 
To stop receiving notification emails like this one, please contact
coheigea@apache.org.