jackrabbit-commits mailing list archives

From ju...@apache.org
Subject svn commit: r617384 - in /jackrabbit/trunk/jackrabbit-jcr-commons/src: main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java
Date Fri, 01 Feb 2008 09:15:03 GMT
Author: jukka
Date: Fri Feb  1 01:15:02 2008
New Revision: 617384

URL: http://svn.apache.org/viewvc?rev=617384&view=rev
Log:
JCR-1355: XML import should not access external entities
    - Override the resolveEntity() method to disable external entities
    - Added a test case

Modified:
    jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java
    jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java

Modified: jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java?rev=617384&r1=617383&r2=617384&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java
(original)
+++ jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java
Fri Feb  1 01:15:02 2008
@@ -16,6 +16,7 @@
  */
 package org.apache.jackrabbit.commons.xml;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 
@@ -47,7 +48,8 @@
 
     /**
      * Utility method that parses the given input stream using this handler.
-     * The parser is namespace-aware.
+     * The parser is namespace-aware and will not resolve external entity
+     * references.
      *
      * @param in XML input stream
      * @throws IOException if an I/O error occurs
@@ -61,6 +63,15 @@
         } catch (ParserConfigurationException e) {
             throw new SAXException("SAX parser configuration error", e);
         }
+    }
+
+    /**
+     * Returns an empty stream to prevent the XML parser from attempting
+     * to resolve external entity references.
+     */
+    public InputSource resolveEntity(String publicId, String systemId)
+            throws SAXException {
+        return new InputSource(new ByteArrayInputStream(new byte[0]));
     }
 
 }
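Review bot: The `resolveEntity()` override only protects a parse in which this handler is the registered `EntityResolver`, and it leaves DOCTYPE processing and internal entity expansion enabled. The registration presumably happens through `SAXParser.parse(InputStream, DefaultHandler)` in `parse()`, whose body starts outside this hunk; a caller that hands this object to its own `XMLReader` as a content handler only gets no protection, and the Javadoc should say so. As defense in depth I would also configure the factory in `parse()`, for example `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);`, so the guarantee does not rest on one callback. A comment on the override such as `// Return an empty source, not null: null tells the parser to open systemId itself` would stop a later cleanup from reintroducing the issue.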

Modified: jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java?rev=617384&r1=617383&r2=617384&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java
(original)
+++ jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java
Fri Feb  1 01:15:02 2008
@@ -22,10 +22,11 @@
 import junit.framework.TestCase;
 
 import org.xml.sax.ContentHandler;
+import org.xml.sax.helpers.DefaultHandler;
 
 public class ParsingContentHandlerTest extends TestCase {
 
-    public void testSerializingContentHandler() throws Exception {
+    public void testParsingContentHandler() throws Exception {
         String source =
             "<p:a xmlns:p=\"uri\"><b p:foo=\"bar\">abc</b><c/>xyz</p:a>";
         StringWriter writer = new StringWriter();
@@ -49,6 +50,22 @@
         assertContains(xml, "<c/>");
         assertContains(xml, "xyz");
         assertContains(xml, "</p:a>");
+    }
+
+    /**
+     * Test case for JCR-1355.
+     * 
+     * @see https://issues.apache.org/jira/browse/JCR-1355
+     */
+    public void testExternalEntities() {
+        try {
+            String source =
+                "<!DOCTYPE foo SYSTEM \"http://invalid.address/\"><foo/>";
+            new ParsingContentHandler(new DefaultHandler()).parse(
+                    new ByteArrayInputStream(source.getBytes("UTF-8")));
+        } catch (Exception e) {
+            fail("JCR-1355: XML import should not access external entities");
+        }
     }
 
     private void assertContains(String haystack, String needle) {
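Review bot: `testExternalEntities()` passes whenever `parse()` does not throw, so its value depends on `http://invalid.address/` being unreachable from the build host. On a network with wildcard DNS or an intercepting proxy a regression would presumably go unnoticed, and any regression makes the test attempt a real outbound request. A deterministic alternative is to use a test subclass that records whether `resolveEntity()` was invoked for the system identifier and assert on that. The `catch (Exception e)` also discards the cause; declaring `public void testExternalEntities() throws Exception {` and dropping the try/catch keeps the stack trace in the report. The bare URL after `@see` is not valid Javadoc and should be `@see <a href="https://issues.apache.org/jira/browse/JCR-1355">JCR-1355</a>`.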


