--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java +++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java @@ -21,6 +21,7 @@ import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.io.StringReader; import java.io.UnsupportedEncodingException; import java.lang.reflect.GenericArrayType; import java.lang.reflect.ParameterizedType; @@ -69,6 +70,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; +import org.xml.sax.EntityResolver; import org.xml.sax.InputSource; import org.xml.sax.SAXException; import org.xml.sax.XMLReader; @@ -668,8 +670,11 @@ if (xmlReader == null) { xmlReader = XMLReaderFactory.createXMLReader(); } - xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", - this.processExternalEntities); + String name = "http://xml.org/sax/features/external-general-entities"; + xmlReader.setFeature(name, isProcessExternalEntities()); + if (!isProcessExternalEntities()) { + xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER); + } return new SAXSource(xmlReader, inputSource); } @@ -865,4 +870,11 @@ } } + + private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { + public InputSource resolveEntity(String publicId, String systemId) { + return new InputSource(new StringReader("")); + } + }; + } --- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java +++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java @@ -20,6 +20,7 @@ import java.io.InputStream; import java.io.OutputStream; import java.io.Reader; +import java.io.StringReader; import java.io.Writer; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -42,6 +43,7 @@ import org.apache.commons.logging.LogFactory; import org.w3c.dom.Node; import org.xml.sax.ContentHandler; +import org.xml.sax.EntityResolver; import org.xml.sax.InputSource; import org.xml.sax.SAXException; import org.xml.sax.XMLReader; @@ -203,6 +205,9 @@ protected XMLReader createXmlReader() throws SAXException { XMLReader xmlReader = XMLReaderFactory.createXMLReader(); xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities()); + if (!isProcessExternalEntities()) { + xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER); + } return xmlReader; } @@ -563,4 +568,11 @@ protected abstract Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource) throws XmlMappingException, IOException; + + private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { + public InputSource resolveEntity(String publicId, String systemId) { + return new InputSource(new StringReader("")); + } + }; + } --- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java +++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java @@ -17,6 +17,7 @@ package org.springframework.http.converter.xml; import java.io.IOException; +import java.io.StringReader; import javax.xml.bind.JAXBElement; import javax.xml.bind.JAXBException; import javax.xml.bind.MarshalException; @@ -28,6 +29,8 @@ import javax.xml.bind.annotation.XmlType; import javax.xml.transform.Result; import javax.xml.transform.Source; +import javax.xml.transform.sax.SAXSource; +import javax.xml.transform.stream.StreamSource; import org.springframework.core.annotation.AnnotationUtils; import org.springframework.http.HttpHeaders; @@ -36,6 +39,11 @@ import org.springframework.http.converter.HttpMessageNotReadableException; import org.springframework.http.converter.HttpMessageNotWritableException; import org.springframework.util.ClassUtils; +import org.xml.sax.EntityResolver; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.XMLReader; +import org.xml.sax.helpers.XMLReaderFactory; /** * Implementation of {@link org.springframework.http.converter.HttpMessageConverter HttpMessageConverter} that can read @@ -49,6 +57,21 @@ */ public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessageConverter { + private boolean processExternalEntities = false; + + + /** + * Indicates whether external XML entities are processed when converting to a Source. + *

Default is {@code false}, meaning that external entities are not resolved. + */ + public void setProcessExternalEntities(boolean processExternalEntities) { + this.processExternalEntities = processExternalEntities; + } + + public boolean isProcessExternalEntities() { + return this.processExternalEntities; + } + @Override public boolean canRead(Class clazz, MediaType mediaType) { return (clazz.isAnnotationPresent(XmlRootElement.class) || clazz.isAnnotationPresent(XmlType.class)) && @@ -69,6 +92,7 @@ @Override protected Object readFromSource(Class clazz, HttpHeaders headers, Source source) throws IOException { try { + source = processSource(source); Unmarshaller unmarshaller = createUnmarshaller(clazz); if (clazz.isAnnotationPresent(XmlRootElement.class)) { return unmarshaller.unmarshal(source); @@ -87,6 +111,29 @@ } } + protected Source processSource(Source source) { + if (source instanceof StreamSource) { + StreamSource streamSource = (StreamSource) source; + InputSource inputSource = new InputSource(streamSource.getInputStream()); + try { + XMLReader xmlReader = XMLReaderFactory.createXMLReader(); + String featureName = "http://xml.org/sax/features/external-general-entities"; + xmlReader.setFeature(featureName, isProcessExternalEntities()); + if (!isProcessExternalEntities()) { + xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER); + } + return new SAXSource(xmlReader, inputSource); + } + catch (SAXException ex) { + logger.warn("Processing of external entities could not be disabled", ex); + return source; + } + } + else { + return source; + } + } + @Override protected void writeToResult(Object o, HttpHeaders headers, Result result) throws IOException { try { @@ -109,4 +156,11 @@ } } + + private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { + public InputSource resolveEntity(String publicId, String systemId) { + return new InputSource(new StringReader("")); + } + }; + } --- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java +++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java @@ -21,9 +21,11 @@ import java.io.IOException; import java.io.InputStream; import java.io.OutputStream; +import java.io.StringReader; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; +import javax.xml.stream.XMLResolver; import javax.xml.stream.XMLInputFactory; import javax.xml.stream.XMLStreamException; import javax.xml.stream.XMLStreamReader; @@ -38,6 +40,7 @@ import javax.xml.transform.stream.StreamSource; import org.w3c.dom.Document; +import org.xml.sax.EntityResolver; import org.xml.sax.InputSource; import org.xml.sax.SAXException; import org.xml.sax.XMLReader; @@ -125,8 +128,11 @@ try { DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); documentBuilderFactory.setNamespaceAware(true); - documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities); + documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities()); DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder(); + if (!isProcessExternalEntities()) { + documentBuilder.setEntityResolver(NO_OP_ENTITY_RESOLVER); + } Document document = documentBuilder.parse(body); return new DOMSource(document); } @@ -141,8 +147,11 @@ private SAXSource readSAXSource(InputStream body) throws IOException { try { XMLReader reader = XMLReaderFactory.createXMLReader(); - reader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities); + reader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities()); byte[] bytes = StreamUtils.copyToByteArray(body); + if (!isProcessExternalEntities()) { + reader.setEntityResolver(NO_OP_ENTITY_RESOLVER); + } return new SAXSource(reader, new InputSource(new ByteArrayInputStream(bytes))); } catch (SAXException ex) { @@ -219,4 +228,17 @@ } } + + private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { + public InputSource resolveEntity(String publicId, String systemId) { + return new InputSource(new StringReader("")); + } + }; + + private static final XMLResolver NO_OP_XML_RESOLVER = new XMLResolver() { + public Object resolveEntity(String publicID, String systemID, String base, String ns) { + return new ByteArrayInputStream(new byte[0]); + } + }; + } --- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTest.java +++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTest.java @@ -98,6 +98,33 @@ assertEquals("Invalid result", "Hello World", result.s); } + @Test + public void readXmlRootElementExternalEntityDisabled() throws Exception { + Resource external = new ClassPathResource("external.txt", getClass()); + String content = "\n" + + " ]>" + + " &ext;"; + MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8")); + RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage); + + assertEquals("", rootElement.external); + } + + @Test + public void readXmlRootElementExternalEntityEnabled() throws Exception { + Resource external = new ClassPathResource("external.txt", getClass()); + String content = "\n" + + " ]>" + + " &ext;"; + MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8")); + this.converter.setProcessExternalEntities(true); + RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage); + + assertEquals("Foo Bar", rootElement.external); + } + @Test public void writeXmlRootElement() throws Exception { MockHttpOutputMessage outputMessage = new MockHttpOutputMessage(); --- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java +++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java @@ -67,9 +67,10 @@ converter = new SourceHttpMessageConverter(); Resource external = new ClassPathResource("external.txt", getClass()); - bodyExternal = "\n" + - " ]>&ext;"; + bodyExternal = "\n" + + " ]>&ext;"; + } @Test