--- old/jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java 2017-06-01 18:21:43.953569511 +0100 +++ new/jaxws/src/jdk.xml.ws/share/classes/com/sun/tools/internal/ws/wsdl/parser/DOMForest.java 2017-06-01 18:21:43.893569511 +0100 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -115,12 +115,26 @@ try { // secure xml processing can be switched off if input requires it boolean secureProcessingEnabled = options == null || !options.disableXmlSecurity; - DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(secureProcessingEnabled); + DocumentBuilderFactory dbf = XmlUtil.newDocumentBuilderFactory(!secureProcessingEnabled); dbf.setNamespaceAware(true); this.documentBuilder = dbf.newDocumentBuilder(); this.parserFactory = XmlUtil.newSAXParserFactory(secureProcessingEnabled); this.parserFactory.setNamespaceAware(true); + + if(secureProcessingEnabled){ + dbf.setExpandEntityReferences(false); + try { + parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + } catch (SAXNotRecognizedException e){ + throw new ParserConfigurationException(e.getMessage()); + } catch (SAXNotSupportedException e) { + throw new ParserConfigurationException(e.getMessage()); + } + } + } catch (ParserConfigurationException e) { throw new AssertionError(e); }