{@link XMLHandlerHints#ENTITY_RESOLVER} - control entry resolution
+ *
{@link #DISABLE_EXTERNAL_ENTITIES} - Boolean.TRUE to disable entity resolution
+ *
*
* @author dzwiers, Refractions Research, Inc. http://www.refractions.net
- * @author $Author:$ (last modification)
- *
*
* @source $URL$
* http://svn.osgeo.org/geotools/trunk/modules/library/xml/src/main/java/org/geotools/xml
@@ -56,6 +65,13 @@ public class DocumentFactory {
* the resulting objects is weekend by turning this param to false.
*/
public static final String VALIDATION_HINT = "DocumentFactory_VALIDATION_HINT";
+
+ /**
+ * When this hint is contained and set to Boolean.TRUE, external entities will be disabled. This
+ * setting is used to alivate XXE attacks, preventing both {@link #VALIDATION_HINT} and
+ * {@link XMLHandlerHints#ENTITY_RESOLVER} from being effective.
+ */
+ public static final String DISABLE_EXTERNAL_ENTITIES = "DocumentFactory_DISABLE_EXTERNAL_ENTITIES";
/**
*
- * Parses the instance data provided. This method assumes that the XML document is fully
- * described using XML Schemas. Failure to be fully described as Schemas will result in errors,
- * as opposed to a vid parse.
- *
- * Parses the instance data provided. This method assumes that the XML document is fully
- * described using XML Schemas. Failure to be fully described as Schemas will result in errors,
- * as opposed to a vid parse.
- *
- *
- * @param is
- * @param hints
- * May be null.
- * @param level
- * @param parseExternalEntities
- *
- * @return Object
- *
- * @throws SAXException
- */
- public static Object getInstance(InputStream is, Map hints, Level level,
- boolean parseExternalEntities) throws SAXException {
- SAXParser parser = getParser(parseExternalEntities);
+ public static Object getInstance(InputStream is, Map hints, Level level) throws SAXException {
+ SAXParser parser = getParser(hints);
XMLSAXHandler xmlContentHandler = new XMLSAXHandler(hints);
XMLSAXHandler.setLogLevel(level);
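Review bot: The Javadoc added for DISABLE_EXTERNAL_ENTITIES misspells "alleviate" as "alivate", and its claim that the hint prevents VALIDATION_HINT and ENTITY_RESOLVER "from being effective" is stated as fact although the only visible effect in this commit is that getParser clears the two SAX external-entity features; suggest `* setting mitigates XML External Entity (XXE) attacks. When it is set, external entities are not resolved, so a supplied {@link XMLHandlerHints#ENTITY_RESOLVER} is not consulted for them.` and keep the stronger wording only if the handler really bypasses schema validation too. The public overload `getInstance(InputStream, Map, Level, boolean)` is deleted outright rather than deprecated, which breaks existing callers; a `@Deprecated` overload with the old signature that copies the hints, puts `DISABLE_EXTERNAL_ENTITIES` to `!parseExternalEntities` and delegates to the new method would keep them compiling. The @param/@return Javadoc removed here is not replaced within this hunk, so unless it is restored elsewhere the new signature is left undocumented. getInstance's body continues outside the hunk.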
@@ -191,19 +164,22 @@ public static Object getInstance(InputStream is, Map hints, Level level,
/*
* Convenience method to create an instance of a SAXParser if it is null.
*/
- private static SAXParser getParser(boolean parseExternalEntities) throws SAXException {
+ private static SAXParser getParser(Map hints) throws SAXException {
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setNamespaceAware(true);
spf.setValidating(false);
-
try {
- if(!parseExternalEntities) {
+ if (hints != null && hints.containsKey(DISABLE_EXTERNAL_ENTITIES)
+ && Boolean.TRUE.equals(hints.get(DISABLE_EXTERNAL_ENTITIES))) {
// The following configuration prevents XML External Entity Injection (XXE) attacks
// See for more information:
// https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
}
+ // This is an XML Schema driven parser, no DTD required (XMLSaxHandler will reject all dtd references)
+ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SAXParser sp = spf.newSAXParser();
return sp;
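Review bot: When the DISABLE_EXTERNAL_ENTITIES hint is absent or null the two external-entity features stay enabled, so the restrictive configuration is opt-in; the unconditional `disallow-doctype-decl` on the following lines rejects the DOCTYPE an entity declaration would need, so this is defence in depth rather than a hole, but a reader would expect the safe setting to be the default and the hint to opt out. Independently, `Boolean.TRUE.equals(hints.get(DISABLE_EXTERNAL_ENTITIES))` already covers the `containsKey` test, so the condition can shrink to `if (hints != null && Boolean.TRUE.equals(hints.get(DISABLE_EXTERNAL_ENTITIES))) {`. The `http://apache.org/xml/features/...` URIs are Xerces-specific and `setFeature` throws SAXNotRecognizedException on a factory that does not know them; the catch clause that decides whether such a failure aborts parser creation or falls back to an unconfigured parser lies outside the hunk, so please confirm it does the former. getParser's body continues past the hunk.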
diff --git a/modules/library/xml/src/main/java/org/geotools/xml/XMLHandlerHints.java b/modules/library/xml/src/main/java/org/geotools/xml/XMLHandlerHints.java
index 136c58e2dc4..e40610d8774 100644
--- a/modules/library/xml/src/main/java/org/geotools/xml/XMLHandlerHints.java
+++ b/modules/library/xml/src/main/java/org/geotools/xml/XMLHandlerHints.java
@@ -30,7 +30,7 @@
*
* @source $URL$
*/
-public class XMLHandlerHints implements Map {
+public class XMLHandlerHints implements Map {
/**
* Declares the schemas to use for parsing.
@@ -44,6 +44,8 @@ public class XMLHandlerHints implements Map {
public static final String STREAM_HINT = "org.geotools.xml.gml.STREAM_HINT";
/** Sets the level of compliance that the filter encoder should use */
public static final String FILTER_COMPLIANCE_STRICTNESS = "org.geotools.xml.filter.FILTER_COMPLIANCE_STRICTNESS";
+ /** Supplied {@link EntityResolver} for Schema and/or DTD validation */
+ public final static String ENTITY_RESOLVER ="org.xml.sax.EntityResolver";
/**
* The value so that the parser will encode all Geotools filters with no modifications.
*/
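Review bot: The new constant is declared `public final static` while every neighbouring constant in this hunk uses `public static final`, and `="org.xml.sax.EntityResolver"` lacks the space before the literal; `public static final String ENTITY_RESOLVER = "org.xml.sax.EntityResolver";` matches the file's style. Its Javadoc promises a resolver "for Schema and/or DTD validation", yet DocumentFactory in the same commit disallows DOCTYPE declarations, so a short qualification such as `/** Supplied {@link EntityResolver} for schema resolution; DTD references are rejected by DocumentFactory */` would avoid advertising DTD resolution this parser does not perform.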
@@ -119,7 +121,7 @@ public class XMLHandlerHints implements Map {
public static final Integer VALUE_FILTER_COMPLIANCE_HIGH = new Integer(2);
- private Map map=new HashMap();
+ private Map map=new HashMap();
public void clear() {
map.clear();
}
@@ -132,7 +134,7 @@ public boolean containsValue( Object value ) {
return map.containsValue(value);
}
- public Set entrySet() {
+ public Set> entrySet() {
return map.entrySet();
}
@@ -152,16 +154,16 @@ public boolean isEmpty() {
return map.isEmpty();
}
- public Set keySet() {
+ public Set keySet() {
return map.keySet();
}
- public Object put( Object arg0, Object arg1 ) {
- return map.put(arg0, arg1);
+ public Object put( String key, Object value ) {
+ return map.put(key, value);
}
- public void putAll( Map arg0 ) {
- map.putAll(arg0);
+ public void putAll( Map extends String,? extends Object> other ) {
+ map.putAll(other);
}
public Object remove( Object key ) {
@@ -172,7 +174,7 @@ public int size() {
return map.size();
}
- public Collection values() {
+ public Collection
+ *
+ *
+ * This is an XML Schema driven parser and {@link #resolveEntity(String, String)} will
+ * ignore all dtd references. If an {@link EntityResolver} is provided it will be used.
+ *