From dk...@apache.org
Subject [3/9] cxf git commit: [CXF-6217] Fix a couple of the secure processing thigns
Date Thu, 09 Jul 2015 16:20:36 GMT
[CXF-6217] Fix a couple of the secure processing things


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/34359c95
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/34359c95
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/34359c95

Branch: refs/heads/3.0.x-fixes
Commit: 34359c952209dd5b66ede5255f83bcdd729b53de
Parents: e439993
Author: Daniel Kulp <dkulp@apache.org>
Authored: Wed Jul 1 10:04:31 2015 -0400
Committer: Daniel Kulp <dkulp@apache.org>
Committed: Thu Jul 9 12:20:26 2015 -0400

----------------------------------------------------------------------
 .../org/apache/cxf/jaxrs/ext/xml/XMLSource.java | 29 ++++++++++++++++----
 .../cxf/jaxrs/provider/XSLTJaxbProvider.java    |  2 ++
 .../bootstrapping/SimpleXMLSettingsStorage.java |  9 +++++-
 3 files changed, 34 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/34359c95/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
index 062338d..f1816d6 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/ext/xml/XMLSource.java
@@ -26,6 +26,7 @@ import java.util.Iterator;
 import java.util.LinkedHashMap;
 import java.util.Map;
 
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.bind.annotation.XmlRootElement;
@@ -39,6 +40,7 @@ import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
+import javax.xml.xpath.XPathFactoryConfigurationException;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
@@ -283,16 +285,33 @@ public class XMLSource {
     
     
     private Object evaluate(String expression, Map<String, String> namespaces, QName
type) {
-        XPath xpath = XPathFactory.newInstance().newXPath();
+        XPathFactory factory = XPathFactory.newInstance();
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        } catch (XPathFactoryConfigurationException e) {
+            throw new RuntimeException(e);
+        }
+        XPath xpath = factory.newXPath();
         xpath.setNamespaceContext(new NamespaceContextImpl(namespaces));
+        boolean releaseDoc = false;
         try {
-            if (stream == null) {
-                return xpath.compile(expression).evaluate(doc, type);
-            } else {
-                return xpath.compile(expression).evaluate(new InputSource(stream), type);
+            if (stream != null) {
+                //xalan xpath evaluate parses to a DOM via a DocumentBuilderFactory, but
doesn't 
+                //set the SecureProcessing on that. Since a DOM is always created, might
as well 
+                //do it via stax and avoid the service factory performance hits that the

+                //DocumentBuilderFactory will entail as well as get the extra security 
+                //that woodstox provides
+                setBuffering();
+                releaseDoc = true;
             }
+            return xpath.compile(expression).evaluate(doc, type);
         } catch (XPathExpressionException ex) {
             throw new IllegalArgumentException("Illegal XPath expression '" + expression
+ "'", ex);
+        } finally {
+            if (releaseDoc) {
+                //don't need to maintain the doc
+                doc = null;
+            }
         }
     }
     
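Review bot: The `catch (XPathFactoryConfigurationException e)` branch correctly fails closed when the runtime refuses secure processing, but the bare `throw new RuntimeException(e)` gives an operator nothing to act on; `throw new IllegalStateException("XPathFactory does not support " + XMLConstants.FEATURE_SECURE_PROCESSING, e);` names the feature that was refused and keeps the cause. The `releaseDoc` flag is only set after `setBuffering()` returns, so a failure inside it leaves `doc` untouched while the `finally` still runs — that reads as intentional but is easy to misread, and the `//don't need to maintain the doc` comment would be clearer as `// doc was built from stream solely for this evaluation; drop it so the DOM is not retained by the instance`. I am inferring that `setBuffering()` parses `stream` into `doc`; its body, the `doc`/`stream` fields and the rest of the XMLSource class are outside the hunk.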

http://git-wip-us.apache.org/repos/asf/cxf/blob/34359c95/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
----------------------------------------------------------------------
diff --git a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
index 528ad80..bf1e13e 100644
--- a/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
+++ b/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/provider/XSLTJaxbProvider.java
@@ -41,6 +41,7 @@ import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.PathSegment;
 import javax.ws.rs.core.UriInfo;
 import javax.ws.rs.ext.Provider;
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
@@ -519,6 +520,7 @@ public class XSLTJaxbProvider<T> extends JAXBElementProvider<T>
{
             source.setSystemId(urlStream.toExternalForm());
             if (factory == null) {
                 factory = (SAXTransformerFactory)TransformerFactory.newInstance();
+                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
                 if (uriResolver != null) {
                     factory.setURIResolver(uriResolver);
                 }
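Review bot: `factory.setFeature(...)` declares the checked `TransformerConfigurationException` and the hunk adds no handler, so the enclosing method (which starts outside the hunk) must already catch or declare it — worth confirming, since a `TransformerFactory` that refuses the feature would otherwise surface as a generic failure on first use rather than as a configuration error. Because the feature is applied only inside the `factory == null` initialisation, a comment on that line should record what callers lose: on the JDK's built-in XSLTC implementation secure processing also disables XSLT extension functions and, from JAXP 1.5 on, direct fetches of external DTDs and stylesheets, so `xsl:import`/`xsl:include` and `document()` references have to be served through the `uriResolver` set on the following lines. Something like `// FEATURE_SECURE_PROCESSING also blocks extension functions and external DTD/stylesheet fetches on JAXP 1.5+; remote includes must go through uriResolver` would do.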

http://git-wip-us.apache.org/repos/asf/cxf/blob/34359c95/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
----------------------------------------------------------------------
diff --git a/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
b/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
index ceecd31..7142564 100644
--- a/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
+++ b/rt/management-web/src/main/java/org/apache/cxf/management/web/browser/bootstrapping/SimpleXMLSettingsStorage.java
@@ -20,12 +20,14 @@
 package org.apache.cxf.management.web.browser.bootstrapping;
 
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.GregorianCalendar;
 import java.util.List;
+
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
@@ -37,8 +39,10 @@ import javax.xml.bind.annotation.XmlSchemaType;
 import javax.xml.datatype.DatatypeConfigurationException;
 import javax.xml.datatype.DatatypeFactory;
 import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.stream.XMLStreamReader;
 
 import org.apache.commons.lang.Validate;
+import org.apache.cxf.staxutils.StaxUtils;
 
 public class SimpleXMLSettingsStorage implements SettingsStorage {
     private static final String DEFAULT_FILENAME = "logbrowser-settings.xml";
@@ -68,12 +72,15 @@ public class SimpleXMLSettingsStorage implements SettingsStorage {
             File file = new File(filename);
             if (file.exists()) {
                 Unmarshaller unmarshaller = context.createUnmarshaller();
-                entries = (Entries) unmarshaller.unmarshal(file);
+                XMLStreamReader reader = StaxUtils.createXMLStreamReader(new FileInputStream(file));
+                entries = (Entries) unmarshaller.unmarshal(reader);
             }
 
             if (entries == null) {
                 entries = new Entries();
             }
+        } catch (FileNotFoundException e) {
+            throw new RuntimeException(e);
         } catch (JAXBException e) {
             throw new RuntimeException(e);
         }
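Review bot: The `FileInputStream` opened on the new `StaxUtils.createXMLStreamReader(new FileInputStream(file))` line is never closed — neither the stream nor the `XMLStreamReader` is referenced again, so the descriptor is held until finalisation and on Windows the settings file stays locked. Wrap the stream in a `finally` that closes it; I have avoided try-with-resources because the 3.0.x branch appears to predate a Java 7 baseline, and since `close()` throws `IOException` the new `catch (FileNotFoundException e)` can simply widen to `catch (IOException e)` (already imported by this file), which still covers the missing-file case. Moving the load onto StaxUtils is presumably done so that CXF's hardened `XMLInputFactory` settings apply instead of JAXB's default parser — a one-line comment, `// parse via StaxUtils so CXF's secure XMLInputFactory limits apply`, would tell the next reader why the simpler `unmarshal(file)` was dropped. The enclosing load method starts outside the hunk.
```java
            if (file.exists()) {
                Unmarshaller unmarshaller = context.createUnmarshaller();
                // parse via StaxUtils so CXF's secure XMLInputFactory limits apply
                FileInputStream in = new FileInputStream(file);
                try {
                    XMLStreamReader reader = StaxUtils.createXMLStreamReader(in);
                    entries = (Entries) unmarshaller.unmarshal(reader);
                } finally {
                    in.close();
                }
            }
            // … unchanged: entries == null default …
        } catch (IOException e) {
            throw new RuntimeException(e);
        } catch (JAXBException e) {
            throw new RuntimeException(e);
        }
```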

