Fix support external entities for DOM driver.

joehni · joehni · commit 25c6704bea14 · 2015-09-30T22:55:08.000+02:00
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java
@@ -64,7 +64,7 @@ public DomDriver(final String encoding, final NameCoder nameCoder) {
         this.encoding = encoding;
         documentBuilderFactory = DocumentBuilderFactory.newInstance();
         try {
-            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+            documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         } catch (final ParserConfigurationException e) {
             throw new StreamException(e);
         }
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/DomReaderTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/DomReaderTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004, 2005 Joe Walnes.
- * Copyright (C) 2006, 2007 XStream Committers.
+ * Copyright (C) 2006, 2007, 2015 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -90,8 +90,8 @@ public void testIsXXEVulnerable() throws Exception {
             super.testIsXXEVulnerable();
             fail("Thrown " + XStreamException.class.getName() + " expected");
         } catch (final XStreamException e) {
-            final String message = e.getMessage().toLowerCase();
-            if (message.contains("Package")) {
+            final String message = e.getMessage();
+            if (!message.contains("DOCTYPE")) {
                 throw e;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -64,7 +64,7 @@ public DomDriver(final String encoding, final NameCoder nameCoder) {`
`64`	`64`	`this.encoding = encoding;`
`65`	`65`	`documentBuilderFactory = DocumentBuilderFactory.newInstance();`
`66`	`66`	`try {`
`67`		`- documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);`
	`67`	`+ documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`
`68`	`68`	`} catch (final ParserConfigurationException e) {`
`69`	`69`	`throw new StreamException(e);`
`70`	`70`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`/*`
`2`	`2`	`* Copyright (C) 2004, 2005 Joe Walnes.`
`3`		`- * Copyright (C) 2006, 2007 XStream Committers.`
	`3`	`+ * Copyright (C) 2006, 2007, 2015 XStream Committers.`
`4`	`4`	`* All rights reserved.`
`5`	`5`	`*`
`6`	`6`	`* The software in this package is published under the terms of the BSD`
`@@ -90,8 +90,8 @@ public void testIsXXEVulnerable() throws Exception {`
`90`	`90`	`super.testIsXXEVulnerable();`
`91`	`91`	`fail("Thrown " + XStreamException.class.getName() + " expected");`
`92`	`92`	`} catch (final XStreamException e) {`
`93`		`- final String message = e.getMessage().toLowerCase();`
`94`		`- if (message.contains("Package")) {`
	`93`	`+ final String message = e.getMessage();`
	`94`	`+ if (!message.contains("DOCTYPE")) {`
`95`	`95`	`throw e;`
`96`	`96`	`}`
`97`	`97`	`}`