
jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java


        

*** 1,7 ****
/*
! * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
--- 1,7 ----
/*
! * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
*** 113,128 ****
this.errorReceiver = errReceiver;
this.logic = logic;
try {
// secure xml processing can be switched off if input requires it
boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
! DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(secureProcessingEnabled);
dbf.setNamespaceAware(true);
this.documentBuilder = dbf.newDocumentBuilder();
this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
this.parserFactory.setNamespaceAware(true);
} catch (ParserConfigurationException e) {
throw new AssertionError(e);
}
}
--- 113,142 ----
this.errorReceiver = errReceiver;
this.logic = logic;
try {
// secure xml processing can be switched off if input requires it
boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity;
! DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(!secureProcessingEnabled);
dbf.setNamespaceAware(true);
this.documentBuilder = dbf.newDocumentBuilder();
this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled);
this.parserFactory.setNamespaceAware(true);
+
+ if(secureProcessingEnabled){
+ dbf.setExpandEntityReferences(false);
+ try {
+ parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ } catch (SAXNotRecognizedException e){
+ throw new ParserConfigurationException(e.getMessage());
+ } catch (SAXNotSupportedException e) {
+ throw new ParserConfigurationException(e.getMessage());
+ }
+ }
+
} catch (ParserConfigurationException e) {
throw new AssertionError(e);
}
}
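Review bot: `dbf.setExpandEntityReferences(false)` in the added `if(secureProcessingEnabled)` block runs after `this.documentBuilder = dbf.newDocumentBuilder()`, and `dbf` is a local, so the setting never reaches the builder that was already created; factory settings only apply to builders created afterwards. Move it ahead of the builder creation, e.g. `if (secureProcessingEnabled) dbf.setExpandEntityReferences(false);` placed before `this.documentBuilder = dbf.newDocumentBuilder();`. The three DOCTYPE and external-entity features are set only on `parserFactory`, so the DOM path relies entirely on whatever `XmlUtil.newDocumentBuilderFactory` configures. The same flag is now passed negated to `XmlUtil.newDocumentBuilderFactory(!secureProcessingEnabled)` but unchanged to `XmlUtil.newSAXParserFactory(secureProcessingEnabled)`; `XmlUtil` is not shown here, so confirm what each parameter means, because if the two share a meaning one of the calls has the wrong polarity. The constructor begins above the hunk.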