TEIID-2911 fully disabling dtd by default, but offering an option to

reenable support
teiid · Jul 11, 2014 · 568ca5c · 568ca5c
1 parent 4e48483
commit 568ca5c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 10 deletions.
diff --git a/common-core/src/main/java/org/teiid/core/types/SQLXMLImpl.java b/common-core/src/main/java/org/teiid/core/types/SQLXMLImpl.java
@@ -129,7 +129,10 @@ public <T extends Source> T getSource(Class<T> sourceClass) throws SQLException
 			try {
 				DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
 				dbf.setNamespaceAware(true);
-		        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+				if (!XMLType.SUPPORT_DTD) {
+			        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+			        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false); //$NON-NLS-1$
+				}
 				DocumentBuilder docBuilder = dbf.newDocumentBuilder();
 	            Node doc = docBuilder.parse(new InputSource(getBinaryStream()));
 	            return (T) new DOMSource(doc);

diff --git a/common-core/src/main/java/org/teiid/core/types/XMLType.java b/common-core/src/main/java/org/teiid/core/types/XMLType.java
@@ -45,6 +45,7 @@
 
 import org.teiid.core.types.InputStreamFactory.StorageMode;
 import org.teiid.core.util.ExternalizeUtil;
+import org.teiid.core.util.PropertiesUtils;
 
 /**
  * This class represents the SQLXML object along with the Streamable interface.
@@ -59,6 +60,7 @@ public enum Type {
 	}
 
 	private static final long serialVersionUID = -7922647237095135723L;
+	static final boolean SUPPORT_DTD = PropertiesUtils.getBooleanProperty(System.getProperties(), "org.teiid.supportDTD", false);
 
 	private static ThreadLocal<XMLInputFactory> threadLocalFactory = new ThreadLocal<XMLInputFactory>() {
 		protected XMLInputFactory initialValue() {
@@ -69,15 +71,19 @@ protected XMLInputFactory initialValue() {
 	private static XMLInputFactory createXMLInputFactory()
 			throws FactoryConfigurationError {
 		XMLInputFactory factory = XMLInputFactory.newInstance();
-		factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
-		factory.setXMLResolver(new XMLResolver() {
-
-			@Override
-			public Object resolveEntity(String arg0, String arg1, String arg2,
-					String arg3) throws XMLStreamException {
-				throw new XMLStreamException("Reading external entities is disabled");
-			}
-		});
+		if (!SUPPORT_DTD) {
+			factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+			//these next ones are somewhat redundant, we set them just in case the DTD support property is not respected
+			factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+			factory.setXMLResolver(new XMLResolver() {
+
+				@Override
+				public Object resolveEntity(String arg0, String arg1, String arg2,
+						String arg3) throws XMLStreamException {
+					throw new XMLStreamException("Reading external entities is disabled");
+				}
+			});
+		}
 		return factory;
 	}