Posted to commits@tika.apache.org by tp...@apache.org on 2015/03/03 21:21:34 UTC

svn commit: r1663779 - /tika/trunk/tika-core/src/main/java/org/apache/tika/detect/XmlRootExtractor.java

Author: tpalsulich
Date: Tue Mar  3 20:21:33 2015
New Revision: 1663779

URL: http://svn.apache.org/r1663779
Log:
TIKA-1000. Ignore an invalid SAXNotRecognizedException.

Modified:
    tika/trunk/tika-core/src/main/java/org/apache/tika/detect/XmlRootExtractor.java

Modified: tika/trunk/tika-core/src/main/java/org/apache/tika/detect/XmlRootExtractor.java
URL: http://svn.apache.org/viewvc/tika/trunk/tika-core/src/main/java/org/apache/tika/detect/XmlRootExtractor.java?rev=1663779&r1=1663778&r2=1663779&view=diff
==============================================================================
--- tika/trunk/tika-core/src/main/java/org/apache/tika/detect/XmlRootExtractor.java (original)
+++ tika/trunk/tika-core/src/main/java/org/apache/tika/detect/XmlRootExtractor.java Tue Mar  3 20:21:33 2015
@@ -27,6 +27,7 @@ import org.apache.tika.io.CloseShieldInp
 import org.apache.tika.sax.OfflineContentHandler;
 import org.xml.sax.Attributes;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
 import org.xml.sax.helpers.DefaultHandler;
 
 /**
@@ -50,7 +51,14 @@ public class XmlRootExtractor {
             SAXParserFactory factory = SAXParserFactory.newInstance();
             factory.setNamespaceAware(true);
             factory.setValidating(false);
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            try {
+                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            } catch (SAXNotRecognizedException e) {
+                // TIKA-271 and TIKA-1000: Some XML parsers do not support the secure-processing
+                // feature, even though it's required by JAXP in Java 5. Ignoring
+                // the exception is fine here, deployments without this feature
+                // are inherently vulnerable to XML denial-of-service attacks.
+            }
             factory.newSAXParser().parse(
                     new CloseShieldInputStream(stream),
                     new OfflineContentHandler(handler));
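Review bot: The empty catch around `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` makes detection fail open silently: on a JAXP implementation that does not recognize the feature, untrusted streams are parsed without the secure-processing limits and nothing records that it happened. The comment should state this directly, for example `// Fail open: this parser runs without secure-processing limits, so entity-expansion DoS is not mitigated here.`, since "Ignoring the exception is fine here" reads as if the risk were acceptable rather than merely unavoidable. The catch should also surface the degraded state once, through whatever logging or reporting the module has available, so operators can tell which deployments are running unprotected. `setFeature` can also throw `SAXNotSupportedException`, which this catch does not cover; whether the enclosing try handles it cannot be seen, because that block starts and ends outside the hunk.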