Posted to dev@poi.apache.org by fa...@apache.org on 2018/08/17 23:03:52 UTC
svn commit: r1838294 - in
/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common:
DocumentHelper.java SAXHelper.java XMLBeansConstants.java XmlStreamUtils.java
Author: fanningpj
Date: Fri Aug 17 23:03:51 2018
New Revision: 1838294
URL: http://svn.apache.org/viewvc?rev=1838294&view=rev
Log:
reduce entity expansion limit default to 1
Added:
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XMLBeansConstants.java
- copied, changed from r1838236, poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java
Modified:
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XmlStreamUtils.java
Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java?rev=1838294&r1=1838293&r2=1838294&view=diff
==============================================================================
--- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java Fri Aug 17 23:03:51 2018
@@ -95,11 +95,13 @@ public final class DocumentHelper {
static {
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setValidating(false);
- trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ trySetFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ trySetFeature(documentBuilderFactory, XMLBeansConstants.FEATURE_LOAD_DTD_GRAMMAR, XMLBeansConstants.isLoadDtdGrammar());
+ trySetFeature(documentBuilderFactory, XMLBeansConstants.FEATURE_LOAD_EXTERNAL_DTD, XMLBeansConstants.isLoadExternalDtd());
trySetXercesSecurityManager(documentBuilderFactory);
}
- private static void trySetSAXFeature(DocumentBuilderFactory dbf, String feature, boolean enabled) {
+ private static void trySetFeature(DocumentBuilderFactory dbf, String feature, boolean enabled) {
try {
dbf.setFeature(feature, enabled);
} catch (Exception e) {
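Review bot: The two new `trySetFeature` calls in the static initializer read `xmlbeans.load.dtd.grammar` and `xmlbeans.load.external.dtd` only once, when `DocumentHelper` is first loaded, so a property set later in the JVM's life is ignored without any indication. A comment above them would make that explicit, e.g. `// DTD loading stays disabled unless the xmlbeans.load.* system properties are "true" before this class initializes`. The same pattern appears in the SAXHelper factory setup. `trySetFeature`'s catch body continues outside this hunk, so how a rejected feature is reported cannot be checked from here.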
@@ -118,8 +120,8 @@ public final class DocumentHelper {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, 4096);
- dbf.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
+ setLimit.invoke(mgr, XMLBeansConstants.getEntityExpansionLimit());
+ dbf.setAttribute(XMLBeansConstants.XML_PROPERTY_SECURITY_MANAGER, mgr);
// Stop once one can be setup without error
return;
} catch (ClassNotFoundException e) {
@@ -130,7 +132,7 @@ public final class DocumentHelper {
}
// separate old version of Xerces not found => use the builtin way of setting the property
- dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
+ dbf.setAttribute(XMLBeansConstants.XML_PROPERTY_ENTITY_EXPANSION_LIMIT, XMLBeansConstants.getEntityExpansionLimit());
}
/**
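Review bot: The fallback `dbf.setAttribute(XMLBeansConstants.XML_PROPERTY_ENTITY_EXPANSION_LIMIT, ...)` appears to run without a guard, and `DocumentBuilderFactory.setAttribute` throws `IllegalArgumentException` when the underlying parser does not recognise the attribute. This path is presumably reached from the static initializer, in which case such a failure would abort class initialization instead of producing a logged warning. SAXHelper wraps the equivalent `xmlReader.setProperty` call in a try/catch, and the same here would keep the two helpers consistent: `try { dbf.setAttribute(...); } catch (IllegalArgumentException e) { /* log and continue */ }`. The enclosing method starts outside this hunk, so an outer guard cannot be ruled out.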
Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java?rev=1838294&r1=1838293&r2=1838294&view=diff
==============================================================================
--- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java Fri Aug 17 23:03:51 2018
@@ -33,11 +33,6 @@ import org.xml.sax.XMLReader;
* Provides handy methods for working with SAX parsers and readers
*/
public final class SAXHelper {
- public static final String PROPERTY_ENTITY_EXPANSION_LIMIT = "xmlbeans.sax.entity.expansion.limit";
- public static final int DEFAULT_ENTITY_EXPANSION_LIMIT = 10;
- private static final int ENTITY_EXPANSION_LIMIT = Integer.getInteger(PROPERTY_ENTITY_EXPANSION_LIMIT, DEFAULT_ENTITY_EXPANSION_LIMIT);
- private static final String XML_PROPERTY_ENTITY_EXPANSION_LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
- private static final String XML_PROPERTY_SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
private static final XBLogger logger = XBLogFactory.getLogger(SAXHelper.class);
private static long lastLog;
@@ -67,8 +62,21 @@ public final class SAXHelper {
saxFactory = SAXParserFactory.newInstance();
saxFactory.setValidating(false);
saxFactory.setNamespaceAware(true);
+ trySetSAXFeature(saxFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ trySetSAXFeature(saxFactory, XMLBeansConstants.FEATURE_LOAD_DTD_GRAMMAR, XMLBeansConstants.isLoadDtdGrammar());
+ trySetSAXFeature(saxFactory, XMLBeansConstants.FEATURE_LOAD_EXTERNAL_DTD, XMLBeansConstants.isLoadExternalDtd());
}
-
+
+ private static void trySetSAXFeature(SAXParserFactory spf, String feature, boolean flag) {
+ try {
+ spf.setFeature(feature, flag);
+ } catch (Exception e) {
+ logger.log(XBLogger.WARN, "SAX Feature unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(XBLogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+ }
+ }
+
private static void trySetSAXFeature(XMLReader xmlReader, String feature) {
try {
xmlReader.setFeature(feature, true);
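Review bot: A factory that rejects `XMLConstants.FEATURE_SECURE_PROCESSING` is still used afterwards, because the new `trySetSAXFeature(SAXParserFactory, ...)` only logs at WARN and returns. That is reasonable for the two Xerces-specific load-dtd features, but the helper should say that hardening is best-effort, e.g. `// best-effort: an unsupported feature is logged and the factory is used without it`. Catching `Exception` is also wider than needed, since `SAXParserFactory.setFeature` declares specific checked exceptions that could be named in a multi-catch. The `XMLReader` overload that follows begins in this hunk and continues outside it.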
@@ -88,8 +96,8 @@ public final class SAXHelper {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, ENTITY_EXPANSION_LIMIT);
- xmlReader.setProperty(XML_PROPERTY_SECURITY_MANAGER, mgr);
+ setLimit.invoke(mgr, XMLBeansConstants.getEntityExpansionLimit());
+ xmlReader.setProperty(XMLBeansConstants.XML_PROPERTY_SECURITY_MANAGER, mgr);
// Stop once one can be setup without error
return;
} catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here
@@ -103,7 +111,7 @@ public final class SAXHelper {
// separate old version of Xerces not found => use the builtin way of setting the property
try {
- xmlReader.setProperty(XML_PROPERTY_ENTITY_EXPANSION_LIMIT, ENTITY_EXPANSION_LIMIT);
+ xmlReader.setProperty(XMLBeansConstants.XML_PROPERTY_ENTITY_EXPANSION_LIMIT, XMLBeansConstants.getEntityExpansionLimit());
} catch (SAXException e) { // NOSONAR - also catch things like NoClassDefError here
// throttle the log somewhat as it can spam the log otherwise
if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
Copied: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XMLBeansConstants.java (from r1838236, poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java)
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XMLBeansConstants.java?p2=xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XMLBeansConstants.java&p1=poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java&r1=1838236&r2=1838294&rev=1838294&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/POIXMLConstants.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XMLBeansConstants.java Fri Aug 17 23:03:51 2018
@@ -1,25 +1,37 @@
-/* ====================================================================
- Licensed to the Apache Software Foundation (ASF) under one or more
- contributor license agreements. See the NOTICE file distributed with
- this work for additional information regarding copyright ownership.
- The ASF licenses this file to You under the Apache License, Version 2.0
- (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
+/* Copyright 2004-2018 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
- http://www.apache.org/licenses/LICENSE-2.0
+package org.apache.xmlbeans.impl.common;
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
-==================================================================== */
-
-package org.apache.poi.ooxml.util;
-
-public class POIXMLConstants {
+public class XMLBeansConstants {
+ public static final String PROPERTY_ENTITY_EXPANSION_LIMIT = "xmlbeans.entity.expansion.limit";
+ public static final String PROPERTY_LOAD_DTD_GRAMMAR = "xmlbeans.load.dtd.grammar";
+ public static final String PROPERTY_LOAD_EXTERNAL_DTD = "xmlbeans.load.external.dtd";
+ public static final int DEFAULT_ENTITY_EXPANSION_LIMIT = 1;
+ public static final String XML_PROPERTY_ENTITY_EXPANSION_LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
+ public static final String XML_PROPERTY_SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
public static final String FEATURE_LOAD_DTD_GRAMMAR = "http://apache.org/xml/features/nonvalidating/load-dtd-grammar";
public static final String FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
- public static final String PROPERTY_ENTITY_EXPANSION_LIMIT = "http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit";
- public static final String PROPERTY_SECURITY_MANAGER = "http://apache.org/xml/properties/security-manager";
+
+ static int getEntityExpansionLimit() {
+ return Integer.getInteger(PROPERTY_ENTITY_EXPANSION_LIMIT, DEFAULT_ENTITY_EXPANSION_LIMIT);
+ }
+ static boolean isLoadDtdGrammar() {
+ return Boolean.getBoolean(PROPERTY_LOAD_DTD_GRAMMAR);
+ }
+ static boolean isLoadExternalDtd() {
+ return Boolean.getBoolean(PROPERTY_LOAD_EXTERNAL_DTD);
+ }
}
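Review bot: `getEntityExpansionLimit()` returns whatever integer is in `xmlbeans.entity.expansion.limit` without a range check, and the JDK's JAXP documentation treats an entity expansion limit of 0 or less as "no limit". A mistyped or hostile value of that system property would therefore switch the protection off at every call site in DocumentHelper and SAXHelper. Clamping in the getter would prevent that: `int limit = Integer.getInteger(PROPERTY_ENTITY_EXPANSION_LIMIT, DEFAULT_ENTITY_EXPANSION_LIMIT);` followed by `return limit > 0 ? limit : DEFAULT_ENTITY_EXPANSION_LIMIT;`. Separately, the property name changes from the `xmlbeans.sax.entity.expansion.limit` that SAXHelper used, so an existing override silently stops applying and the new default of 1 takes effect; that belongs in the release notes.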
Modified: xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XmlStreamUtils.java
URL: http://svn.apache.org/viewvc/xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XmlStreamUtils.java?rev=1838294&r1=1838293&r2=1838294&view=diff
==============================================================================
--- xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XmlStreamUtils.java (original)
+++ xmlbeans/trunk/src/common/org/apache/xmlbeans/impl/common/XmlStreamUtils.java Fri Aug 17 23:03:51 2018
@@ -24,7 +24,7 @@ public final class XmlStreamUtils
{
public static String printEvent(XMLStreamReader xmlr)
{
- StringBuffer b = new StringBuffer();
+ StringBuilder b = new StringBuilder();
b.append("EVENT:[" + xmlr.getLocation().getLineNumber() + "][" +
xmlr.getLocation().getColumnNumber() + "] ");
b.append(getName(xmlr.getEventType()));
@@ -132,14 +132,14 @@ public final class XmlStreamUtils
private static void printName(String prefix,
String uri,
String localName,
- StringBuffer b)
+ StringBuilder b)
{
if (uri != null && !("".equals(uri))) b.append("['" + uri + "']:");
if (prefix != null && !("".equals(prefix))) b.append(prefix + ":");
if (localName != null) b.append(localName);
}
- private static void printName(XMLStreamReader xmlr, StringBuffer b)
+ private static void printName(XMLStreamReader xmlr, StringBuilder b)
{
if (xmlr.hasName()) {
String prefix = xmlr.getPrefix();