You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@santuario.apache.org by co...@apache.org on 2019/10/24 09:22:57 UTC
svn commit: r1868858 - in
/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security:
encryption/TransformSerializer.java stax/config/XIncludeHandler.java
transforms/implementations/TransformXSLT.java
Author: coheigea
Date: Thu Oct 24 09:22:56 2019
New Revision: 1868858
URL: http://svn.apache.org/viewvc?rev=1868858&view=rev
Log:
Disable external DTDs/stylesheets when secure validation is enabled
Modified:
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java
santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java?rev=1868858&r1=1868857&r2=1868858&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java Thu Oct 24 09:22:56 2019
@@ -84,6 +84,10 @@ public class TransformSerializer extends
if (transformerFactory == null) {
transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ if (secureValidation) {
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ }
}
Transformer transformer = transformerFactory.newTransformer();
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java?rev=1868858&r1=1868857&r2=1868858&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java Thu Oct 24 09:22:56 2019
@@ -153,6 +153,9 @@ public class XIncludeHandler extends Def
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
SAXTransformerFactory saxTransformerFactory = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
saxTransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ saxTransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ saxTransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
TransformerHandler transformerHandler = saxTransformerFactory.newTransformerHandler();
transformerHandler.setResult(domResult);
xmlReader.setContentHandler(new XIncludeHandler(transformerHandler, uriDocMap));
@@ -177,6 +180,9 @@ public class XIncludeHandler extends Def
try {
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
Transformer transformer = transformerFactory.newTransformer();
if (xpointer == null) {
transformer.transform(new DOMSource(document, document.getDocumentURI()), saxResult);
Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java?rev=1868858&r1=1868857&r2=1868858&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java Thu Oct 24 09:22:56 2019
@@ -93,6 +93,10 @@ public class TransformXSLT extends Trans
TransformerFactory tFactory = TransformerFactory.newInstance();
// Process XSLT stylesheets in a secure manner
tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ if (secureValidation) {
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ }
/*
* This transform requires an octet stream as input. If the actual