Author: jukka
Date: Fri Feb 1 01:15:02 2008
New Revision: 617384
URL: http://svn.apache.org/viewvc?rev=617384&view=rev
Log:
JCR-1355: XML import should not access external entities
- Override the resolveEntity() method to disable external entities
- Added a test case
Modified:
jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java
jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java
Modified: jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java?rev=617384&r1=617383&r2=617384&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java (original)
+++ jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/xml/ParsingContentHandler.java Fri Feb 1 01:15:02 2008
@@ -16,6 +16,7 @@
*/
package org.apache.jackrabbit.commons.xml;
+import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
@@ -47,7 +48,8 @@
/**
* Utility method that parses the given input stream using this handler.
- * The parser is namespace-aware.
+ * The parser is namespace-aware and will not resolve external entity
+ * references.
*
* @param in XML input stream
* @throws IOException if an I/O error occurs
@@ -61,6 +63,15 @@
} catch (ParserConfigurationException e) {
throw new SAXException("SAX parser configuration error", e);
}
+ }
+
+ /**
+ * Returns an empty stream to prevent the XML parser from attempting
+ * to resolve external entity references.
+ */
+ public InputSource resolveEntity(String publicId, String systemId)
+ throws SAXException {
+ return new InputSource(new ByteArrayInputStream(new byte[0]));
}
}
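Review bot: The `resolveEntity` override is the only guard against external entities visible here, and it takes effect only while the parser uses this handler as its entity resolver; the `parse` body that creates the parser starts outside the hunk, so that cannot be confirmed from these lines. As a second layer I would also turn external entities off on the parser factory before the parser is created, e.g. `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and the same for `external-parameter-entities` (`factory` stands for whatever the factory variable is called). The empty source is also returned for an external DTD subset, and it does nothing to bound expansion of entities declared inside the document. The Javadoc should say so: `Also applies to external DTD subsets; the referenced content is silently replaced with nothing. Internal entities are still expanded.`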
Modified: jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java?rev=617384&r1=617383&r2=617384&view=diff
==============================================================================
--- jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java (original)
+++ jackrabbit/trunk/jackrabbit-jcr-commons/src/test/java/org/apache/jackrabbit/commons/xml/ParsingContentHandlerTest.java Fri Feb 1 01:15:02 2008
@@ -22,10 +22,11 @@
import junit.framework.TestCase;
import org.xml.sax.ContentHandler;
+import org.xml.sax.helpers.DefaultHandler;
public class ParsingContentHandlerTest extends TestCase {
- public void testSerializingContentHandler() throws Exception {
+ public void testParsingContentHandler() throws Exception {
String source =
"abcxyz";
StringWriter writer = new StringWriter();
@@ -49,6 +50,22 @@
assertContains(xml, "");
assertContains(xml, "xyz");
assertContains(xml, "");
+ }
+
+ /**
+ * Test case for JCR-1355.
+ *
+ * @see https://issues.apache.org/jira/browse/JCR-1355
+ */
+ public void testExternalEntities() {
+ try {
+ String source =
+ "";
+ new ParsingContentHandler(new DefaultHandler()).parse(
+ new ByteArrayInputStream(source.getBytes("UTF-8")));
+ } catch (Exception e) {
+ fail("JCR-1355: XML import should not access external entities");
+ }
}
private void assertContains(String haystack, String needle) {
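Review bot: `testExternalEntities` only checks that parsing does not throw, so it would also pass if the parser fetched the external entity successfully; the XML literal is not readable on this page, so whether its system identifier is guaranteed to be unresolvable cannot be confirmed. A stronger check is to pass a handler that records `characters()` and assert that nothing from the entity arrived, or to assert inside an overriding `resolveEntity` that the returned source is empty. The `catch (Exception e)` block also drops the cause, which makes a regression hard to diagnose; either declare `throws Exception` like `testParsingContentHandler`, or keep the message and append the exception: `fail("JCR-1355: XML import should not access external entities: " + e);`.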