Posted to commits@cxf.apache.org by dk...@apache.org on 2015/07/01 16:05:00 UTC

[2/2] cxf git commit: [CXF-6217] Fix a couple of the secure processing thigns

[CXF-6217] Fix a couple of the secure processing things


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6afd8f9e
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6afd8f9e
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6afd8f9e

Branch: refs/heads/master
Commit: 6afd8f9e25f7685e296fade372308b9d312342af
Parents: df628c9
Author: Daniel Kulp <dk...@apache.org>
Authored: Wed Jul 1 10:04:31 2015 -0400
Committer: Daniel Kulp <dk...@apache.org>
Committed: Wed Jul 1 10:04:31 2015 -0400

----------------------------------------------------------------------
 .../org/apache/cxf/jaxrs/ext/xml/XMLSource.java | 29 ++++++++++++++++----
 .../cxf/jaxrs/provider/XSLTJaxbProvider.java    |  2 ++
 .../bootstrapping/SimpleXMLSettingsStorage.java |  9 +++++-
 3 files changed, 34 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6afd8f9e/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
index 062338d..f1816d6 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
@@ -26,6 +26,7 @@ import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.bind.annotation.XmlRootElement;
@@ -39,6 +40,7 @@ import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPathFactoryConfigurationException;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -283,16 +285,33 @@ public class XMLSource {
     
     
     private Object evaluate(String expression, Map<String, String> namespaces, QName type) {
-        XPath xpath = XPathFactory.newInstance().newXPath();
+        XPathFactory factory = XPathFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        } catch (XPathFactoryConfigurationException e) {
+            throw new RuntimeException(e);
+        }
+        XPath xpath = factory.newXPath();
         xpath.setNamespaceContext(new NamespaceContextImpl(namespaces));
+        boolean releaseDoc = false;
         try {
-            if (stream == null) {
-                return xpath.compile(expression).evaluate(doc, type);
-            } else {
-                return xpath.compile(expression).evaluate(new InputSource(stream), type);
+            if (stream != null) {
+                //xalan xpath evaluate parses to a DOM via a DocumentBuilderFactory, but doesn't 
+                //set the SecureProcessing on that. Since a DOM is always created, might as well 
+                //do it via stax and avoid the service factory performance hits that the 
+                //DocumentBuilderFactory will entail as well as get the extra security 
+                //that woodstox provides
+                setBuffering();
+                releaseDoc = true;
             }
+            return xpath.compile(expression).evaluate(doc, type);
         } catch (XPathExpressionException ex) {
             throw new IllegalArgumentException("Illegal XPath expression '" + expression + "'", ex);
+        } finally {
+            if (releaseDoc) {
+                //don't need to maintain the doc
+                doc = null;
+            }
         }
     }
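Review bot: The `XPathFactoryConfigurationException` from `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE)` at the top of evaluate is rethrown as a bare `RuntimeException`, which hides why XPath evaluation became unavailable on a given provider; `throw new IllegalStateException("XPathFactory " + factory.getClass().getName() + " does not support secure processing", e);` keeps the cause and names the implementation that refused the feature. A one-line comment on the setFeature call would also help, since with secure processing on the JAXP contract is that references to external functions are an error and the XPathFunctionResolver is never consulted, e.g. `// secure processing: external/extension functions are rejected, XPathFunctionResolver is not used`. The finally block clears `doc` after the buffered parse; if `setBuffering()` (outside this hunk) also consumes `stream`, a second evaluate on the same XMLSource would have neither input, which matches the old stream-consuming path but is worth stating on the method if it is the intended contract. The enclosing class begins outside the hunk.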
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/6afd8f9e/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
index 528ad80..bf1e13e 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
@@ -41,6 +41,7 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.PathSegment;
 import javax.ws.rs.core.UriInfo;
 import javax.ws.rs.ext.Provider;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
@@ -519,6 +520,7 @@ public class XSLTJaxbProvider<T> extends JAXBElementProvider<T> {
             source.setSystemId(urlStream.toExternalForm());
             if (factory == null) {
                 factory = (SAXTransformerFactory)TransformerFactory.newInstance();
+                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
                 if (uriResolver != null) {
                     factory.setURIResolver(uriResolver);
                 }
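Review bot: The added `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE)` carries no comment, and because it sits inside the `factory == null` lazy-init branch it is easy to miss that it shapes every transform later built from the cached factory; a short comment such as `// secure processing on the shared factory: extension functions are disabled and, on JAXP 1.5+ runtimes, external DTD/stylesheet access is denied unless accessExternal* is set explicitly` would make the intent visible to the next maintainer. `TransformerFactory.setFeature` throws the checked `TransformerConfigurationException`, so the enclosing method presumably already catches or declares it; that method and its try block start and end outside the hunk. The custom `uriResolver` set on the following lines is presumably still consulted for xsl:include/import and document() lookups, so it remains the place that governs which external resources a stylesheet may reach.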

http://git-wip-us.apache.org/repos/asf/cxf/blob/6afd8f9e/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
----------------------------------------------------------------------
diff --git a/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java b/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
index ceecd31..7142564 100644
--- a/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
+++ b/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
@@ -20,12 +20,14 @@
 package org.apache.cxf.management.web.browser.bootstrapping;
 
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.GregorianCalendar;
 import java.util.List;
+
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
@@ -37,8 +39,10 @@ import javax.xml.bind.annotation.XmlSchemaType;
 import javax.xml.datatype.DatatypeConfigurationException;
 import javax.xml.datatype.DatatypeFactory;
 import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.stream.XMLStreamReader;
 
 import org.apache.commons.lang.Validate;
+import org.apache.cxf.staxutils.StaxUtils;
 
 public class SimpleXMLSettingsStorage implements SettingsStorage {
     private static final String DEFAULT_FILENAME = "logbrowser-settings.xml";
@@ -68,12 +72,15 @@ public class SimpleXMLSettingsStorage implements SettingsStorage {
             File file = new File(filename);
             if (file.exists()) {
                 Unmarshaller unmarshaller = context.createUnmarshaller();
-                entries = (Entries) unmarshaller.unmarshal(file);
+                XMLStreamReader reader = StaxUtils.createXMLStreamReader(new FileInputStream(file));
+                entries = (Entries) unmarshaller.unmarshal(reader);
             }
 
             if (entries == null) {
                 entries = new Entries();
             }
+        } catch (FileNotFoundException e) {
+            throw new RuntimeException(e);
         } catch (JAXBException e) {
             throw new RuntimeException(e);
         }
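Review bot: The `new FileInputStream(file)` passed to `StaxUtils.createXMLStreamReader` is never closed, and neither is the `XMLStreamReader` built on it, so every settings load leaks a file descriptor (and on Windows can keep the settings file locked against the later save). Wrap the stream in try-with-resources and close the reader in a finally; the enclosing try starts outside the hunk, and since `FileInputStream.close()` throws `IOException` (already imported) and `XMLStreamReader.close()` throws `javax.xml.stream.XMLStreamException`, the catch chain needs to handle those in place of the narrower `FileNotFoundException` catch, which `IOException` subsumes. The bare `throw new RuntimeException(e)` wrappers would also read better as `IllegalStateException("Unable to load settings from " + filename, e)` so the failing file is in the message.
```java
            if (file.exists()) {
                Unmarshaller unmarshaller = context.createUnmarshaller();
                try (FileInputStream in = new FileInputStream(file)) {
                    XMLStreamReader reader = StaxUtils.createXMLStreamReader(in);
                    try {
                        entries = (Entries) unmarshaller.unmarshal(reader);
                    } finally {
                        reader.close();
                    }
                }
            }
            // … unchanged: default Entries when nothing was loaded …
        } catch (IOException | XMLStreamException e) {
            throw new RuntimeException(e);
        // … unchanged: JAXBException handler …
```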