[jbossws-commits] JBossWS SVN: r12721 - in thirdparty/cxf/branches/cxf-2.2.6: rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider and 1 other directory.

Tue Aug 3 11:44:07 EDT 2010


Author: fnasser at redhat.com
Date: 2010-08-03 11:44:06 -0400 (Tue, 03 Aug 2010)
New Revision: 12721

Modified:
   thirdparty/cxf/branches/cxf-2.2.6/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java
   thirdparty/cxf/branches/cxf-2.2.6/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java
Log:
CVE-2010-2076 Fix (Alesio Soldano)

Modified: thirdparty/cxf/branches/cxf-2.2.6/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.6/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java	2010-08-03 15:15:05 UTC (rev 12720)
+++ thirdparty/cxf/branches/cxf-2.2.6/common/common/src/main/java/org/apache/cxf/staxutils/StaxUtils.java	2010-08-03 15:44:06 UTC (rev 12721)
@@ -38,6 +38,7 @@
 import javax.xml.stream.StreamFilter;
 import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLResolver;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
@@ -135,8 +136,7 @@
     private static XMLInputFactory getXMLInputFactory() {
         XMLInputFactory f = NS_AWARE_INPUT_FACTORY_POOL.poll();
         if (f == null) {
-            f = XMLInputFactory.newInstance();
-            f.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
+            f = createXMLInputFactory(true);
         }
         return f;
     }
@@ -165,6 +165,16 @@
     public static XMLInputFactory createXMLInputFactory(boolean nsAware) {
         XMLInputFactory factory = XMLInputFactory.newInstance();
         factory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, nsAware);
+        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
+        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+        factory.setXMLResolver(new XMLResolver() {
+            public Object resolveEntity(String publicID, String systemID,
+                                        String baseURI, String namespace)
+                throws XMLStreamException {
+                throw new XMLStreamException("Reading external entities is disabled");
+            }
+        });
         return factory;
     }
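Review bot: The three setProperty calls and the throwing XMLResolver are the hardening, but the method's new contract is undocumented: with IS_REPLACING_ENTITY_REFERENCES set to FALSE, readers obtained from this factory report internal entity references as ENTITY_REFERENCE events instead of expanded text, and with SUPPORT_DTD FALSE a document carrying a DOCTYPE may be rejected outright, and every StaxUtils caller inherits that change through getXMLInputFactory in the previous hunk. Add a Javadoc along the lines of `Creates an input factory with DTD processing, entity-reference expansion and external entity resolution disabled (CVE-2010-2076); readers obtained from it emit ENTITY_REFERENCE events rather than expanded text.` Since setProperty is specified to throw IllegalArgumentException for a property the StAX implementation does not support, a non-conforming implementation plugged in via XMLInputFactory.newInstance() makes factory creation fail rather than silently parsing with entity processing enabled; that is the safer outcome and deserves a one-line comment so nobody later wraps these calls in isPropertySupported checks that skip the hardening.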
 

Modified: thirdparty/cxf/branches/cxf-2.2.6/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java
===================================================================
--- thirdparty/cxf/branches/cxf-2.2.6/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java	2010-08-03 15:15:05 UTC (rev 12720)
+++ thirdparty/cxf/branches/cxf-2.2.6/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XMLBeanStreamSerializer.java	2010-08-03 15:44:06 UTC (rev 12721)
@@ -24,12 +24,12 @@
 import java.io.IOException;
 import java.io.InputStream;
 
-import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamConstants;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.XMLStreamReader;
 import javax.xml.stream.XMLStreamWriter;
 
+import org.apache.cxf.staxutils.StaxUtils;
 import org.apache.xmlbeans.XmlObject;
 
 /**
@@ -61,7 +61,7 @@
             xObj.save(tmpFile);
 
             InputStream tmpIn = new FileInputStream(tmpFile);
-            XMLStreamReader rdr = XMLInputFactory.newInstance().createXMLStreamReader(tmpIn);
+            XMLStreamReader rdr = StaxUtils.createXMLStreamReader(tmpIn);
 
             while (rdr.hasNext()) {
 
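Review bot: The reader on the new line now comes from a hardened factory that does not expand entity references, and the `while (rdr.hasNext())` loop that consumes it continues outside the hunk; if that loop copies only CHARACTERS events to the writer, any ENTITY_REFERENCE event would be dropped silently. Because the input is the serializer's own temp file produced by `xObj.save(tmpFile)`, which should escape character data rather than emit entity references, this is presumably harmless, but it is worth confirming against the loop body and recording with a comment such as `// hardened reader (no DTD / entity expansion); input is our own xObj.save() output`. The enclosing method starts before this hunk.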


