You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@cocoon.apache.org by ja...@apache.org on 2022/12/18 22:03:23 UTC
svn commit: r1906079 - /cocoon/branches/cocoon-2.2.1/core/cocoon-core/src/main/java/org/apache/cocoon/generation/StreamGenerator.java
Author: javier
Date: Sun Dec 18 22:03:23 2022
New Revision: 1906079
URL: http://svn.apache.org/viewvc?rev=1906079&view=rev
Log:
COCOON-2372: Do not use Excalibur's SAXParser to prevent XXE injections.
Modified:
cocoon/branches/cocoon-2.2.1/core/cocoon-core/src/main/java/org/apache/cocoon/generation/StreamGenerator.java
Modified: cocoon/branches/cocoon-2.2.1/core/cocoon-core/src/main/java/org/apache/cocoon/generation/StreamGenerator.java
URL: http://svn.apache.org/viewvc/cocoon/branches/cocoon-2.2.1/core/cocoon-core/src/main/java/org/apache/cocoon/generation/StreamGenerator.java?rev=1906079&r1=1906078&r2=1906079&view=diff
==============================================================================
--- cocoon/branches/cocoon-2.2.1/core/cocoon-core/src/main/java/org/apache/cocoon/generation/StreamGenerator.java (original)
+++ cocoon/branches/cocoon-2.2.1/core/cocoon-core/src/main/java/org/apache/cocoon/generation/StreamGenerator.java Sun Dec 18 22:03:23 2022
@@ -5,9 +5,9 @@
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -20,11 +20,13 @@ import java.io.IOException;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringReader;
-import javax.servlet.http.HttpServletRequest;
-import org.apache.avalon.framework.service.ServiceException;
-import org.apache.excalibur.xml.sax.SAXParser;
+import javax.servlet.http.HttpServletRequest;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import org.apache.avalon.framework.activity.Initializable;
import org.apache.cocoon.ProcessingException;
import org.apache.cocoon.ResourceNotFoundException;
import org.apache.cocoon.environment.ObjectModelHelper;
@@ -32,9 +34,9 @@ import org.apache.cocoon.environment.Req
import org.apache.cocoon.environment.http.HttpEnvironment;
import org.apache.cocoon.servlet.multipart.Part;
import org.apache.cocoon.util.PostInputStream;
-
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
/**
* The <code>StreamGenerator</code> is a class that reads XML from a request
@@ -67,17 +69,28 @@ import org.xml.sax.SAXException;
*
* @version $Id$
*/
-public class StreamGenerator extends ServiceableGenerator {
+public class StreamGenerator extends ServiceableGenerator implements Initializable {
/** The parameter holding the name associated with the xml data **/
public static final String FORM_NAME = "form-name";
+
+ private SAXParserFactory factory;
+
+ @Override
+ public void initialize() throws Exception {
+ factory = SAXParserFactory.newInstance();
+ factory.setNamespaceAware(true);
+ factory.setXIncludeAware(false);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ }
+
/**
* Generate XML data out of request InputStream.
*/
public void generate()
throws IOException, SAXException, ProcessingException {
- SAXParser parser = null;
int len = 0;
String contentType;
@@ -110,7 +123,7 @@ public class StreamGenerator extends Ser
} else if (xmlObject instanceof Part) {
xmlReader = new InputStreamReader(((Part) xmlObject).getInputStream());
} else {
- throw new ProcessingException("Unknown request object encountered named " +
+ throw new ProcessingException("Unknown request object encountered named " +
parameter + " : " + xmlObject);
}
@@ -143,19 +156,22 @@ public class StreamGenerator extends Ser
source.setEncoding(charset);
}
- parser = (SAXParser) this.manager.lookup(SAXParser.ROLE);
- parser.parse(source, super.xmlConsumer);
+ SAXParser parser = factory.newSAXParser();
+ XMLReader xmlReader = parser.getXMLReader();
+ xmlReader.setContentHandler(super.xmlConsumer);
+ xmlReader.setProperty( "http://xml.org/sax/properties/lexical-handler", super.xmlConsumer );
+ xmlReader.setFeature( "http://xml.org/sax/features/namespaces", true );
+
+ xmlReader.parse(source);
} catch (IOException e) {
getLogger().error("StreamGenerator.generate()", e);
throw new ResourceNotFoundException("StreamGenerator could not find resource", e);
} catch (SAXException e) {
getLogger().error("StreamGenerator.generate()", e);
throw(e);
- } catch (ServiceException e) {
+ } catch (ParserConfigurationException e) {
getLogger().error("Could not get parser", e);
throw new ProcessingException("Exception in StreamGenerator.generate()", e);
- } finally {
- this.manager.release(parser);
}
}