Posted to commits@santuario.apache.org by co...@apache.org on 2019/10/24 09:22:57 UTC

svn commit: r1868858 - in /santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security: encryption/TransformSerializer.java stax/config/XIncludeHandler.java transforms/implementations/TransformXSLT.java

Author: coheigea
Date: Thu Oct 24 09:22:56 2019
New Revision: 1868858

URL: http://svn.apache.org/viewvc?rev=1868858&view=rev
Log:
Disable external DTDs/stylesheets when secure validation is enabled

Modified:
    santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java
    santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java
    santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java

Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java?rev=1868858&r1=1868857&r2=1868858&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/encryption/TransformSerializer.java Thu Oct 24 09:22:56 2019
@@ -84,6 +84,10 @@ public class TransformSerializer extends
             if (transformerFactory == null) {
                 transformerFactory = TransformerFactory.newInstance();
                 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                if (secureValidation) {
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                    transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                }
             }
             Transformer transformer = transformerFactory.newTransformer();
 
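Review bot: The new `if (secureValidation)` block sits inside the `if (transformerFactory == null)` lazy-init guard, so whether the cached factory is restricted is decided by whichever call first creates it; if `secureValidation` can differ between calls that share the factory (the field and the enclosing method start outside the hunk, so I cannot tell), a later secure-validation call would inherit an unrestricted factory. Either set the two attributes unconditionally (as XIncludeHandler does in this same commit) so the cache is independent of the flag, or key the cache on the flag. Also note that `setAttribute` with the JAXP 1.5 `ACCESS_EXTERNAL_*` attributes throws `IllegalArgumentException` on a `TransformerFactory` implementation that does not recognise them; failing closed in secure mode is reasonable, but it deserves a comment such as `// JAXP 1.5 attributes: an implementation that does not support them fails here rather than running unrestricted`.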

Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java?rev=1868858&r1=1868857&r2=1868858&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/stax/config/XIncludeHandler.java Thu Oct 24 09:22:56 2019
@@ -153,6 +153,9 @@ public class XIncludeHandler extends Def
                     XMLReader xmlReader = XMLReaderFactory.createXMLReader();
                     SAXTransformerFactory saxTransformerFactory = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
                     saxTransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                    saxTransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                    saxTransformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
                     TransformerHandler transformerHandler = saxTransformerFactory.newTransformerHandler();
                     transformerHandler.setResult(domResult);
                     xmlReader.setContentHandler(new XIncludeHandler(transformerHandler, uriDocMap));
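Review bot: The `ACCESS_EXTERNAL_DTD` restriction added on `saxTransformerFactory` governs the `TransformerHandler`, not the `XMLReader` created on the hunk's first context line, and it is that reader which parses the included document and resolves its DTD and external entities; unless it is configured outside the hunk, the reader stays unrestricted while the transformer side is locked down. Consider applying the same posture to the reader, e.g. `xmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `xmlReader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");` (the latter may raise `SAXNotRecognizedException` on a non-JDK parser, so handle that deliberately). The enclosing method starts and ends outside the hunk, so an `EntityResolver` or feature set elsewhere may already cover this.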
@@ -177,6 +180,9 @@ public class XIncludeHandler extends Def
             try {
                 TransformerFactory transformerFactory = TransformerFactory.newInstance();
                 transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
                 Transformer transformer = transformerFactory.newTransformer();
                 if (xpointer == null) {
                     transformer.transform(new DOMSource(document, document.getDocumentURI()), saxResult);
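Review bot: The factory setup (`newInstance`, `FEATURE_SECURE_PROCESSING`, then the two `ACCESS_EXTERNAL_*` attributes) is now repeated twice in this file (this hunk and the previous one) and, gated on `secureValidation`, in TransformSerializer and TransformXSLT in the same commit; a small shared helper along the lines of `static TransformerFactory newSecureTransformerFactory(boolean restrictExternalAccess)` would keep the four sites from drifting, which they already do since the XIncludeHandler copies are unconditional and the others are not. The added blank `+` line after each `setAttribute` pair is whitespace noise. The enclosing method starts and ends outside the hunk.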

Modified: santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java
URL: http://svn.apache.org/viewvc/santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java?rev=1868858&r1=1868857&r2=1868858&view=diff
==============================================================================
--- santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java (original)
+++ santuario/xml-security-java/trunk/src/main/java/org/apache/xml/security/transforms/implementations/TransformXSLT.java Thu Oct 24 09:22:56 2019
@@ -93,6 +93,10 @@ public class TransformXSLT extends Trans
             TransformerFactory tFactory = TransformerFactory.newInstance();
             // Process XSLT stylesheets in a secure manner
             tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            if (secureValidation) {
+                tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+            }
 
             /*
              * This transform requires an octet stream as input. If the actual
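Review bot: Because the new restriction is gated on `secureValidation`, an XSLT transform processed without secure validation can still reach external stylesheets and DTDs through `xsl:import`, `xsl:include` and `document()`, relying only on `FEATURE_SECURE_PROCESSING`; on the JDK's built-in factory that feature already defaults the `ACCESS_EXTERNAL_*` properties to the empty string (subject to system-property overrides), but a third-party `TransformerFactory` gives no such guarantee. The asymmetry matches the commit log, but it should be stated next to the existing `// Process XSLT stylesheets in a secure manner` comment, e.g. `// Outside secure-validation mode, external DTD/stylesheet access is left to the factory's FEATURE_SECURE_PROCESSING defaults`. As with TransformSerializer, `setAttribute` throws `IllegalArgumentException` if the factory does not recognise the attribute, so the behaviour on such a factory is fail-closed; worth a one-line comment. The enclosing method continues past the hunk.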