Refactor XML processing

eclipse-equinox · Aug 1, 2023 · cfed903 · cfed903
1 parent 3bd3dbd
commit cfed903
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 9 deletions.
diff --git a/bundles/org.eclipse.equinox.registry/src/org/eclipse/core/runtime/spi/RegistryStrategy.java b/bundles/org.eclipse.equinox.registry/src/org/eclipse/core/runtime/spi/RegistryStrategy.java
@@ -382,8 +382,15 @@ public long getContributionsTimestamp() {
 	 * @see org.eclipse.core.runtime.IExtensionRegistry#addContribution(java.io.InputStream, IContributor, boolean, String, ResourceBundle, Object)
 	 */
 	public SAXParserFactory getXMLParser() {
-		if (theXMLParserFactory == null)
+		if (theXMLParserFactory == null) {
 			theXMLParserFactory = SAXParserFactory.newInstance();
+			try {
+				// force org.xml.sax.SAXParseException for any DOCTYPE:
+				theXMLParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); //$NON-NLS-1$
+			} catch (Exception e) {
+				throw new RuntimeException(e);
+			}
+		}
 		return theXMLParserFactory;
 	}
 

diff --git a/...ansforms.xslt/src/org/eclipse/equinox/internal/transforms/xslt/XSLTStreamTransformer.java b/...ansforms.xslt/src/org/eclipse/equinox/internal/transforms/xslt/XSLTStreamTransformer.java
@@ -19,6 +19,7 @@
 import java.net.URL;
 import java.util.HashMap;
 import java.util.Map;
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.sax.SAXSource;
 import javax.xml.transform.stream.StreamResult;
@@ -113,17 +114,14 @@ public XSLTStreamTransformer(ServiceTracker<FrameworkLog, FrameworkLog> logTrack
 	public InputStream getInputStream(InputStream inputStream, URL transformerUrl) throws IOException {
 		Templates template = getTemplate(transformerUrl);
 		if (template != null) {
-
-			Transformer transformer = null;
 			try {
-				transformer = template.newTransformer();
+				Transformer transformer = template.newTransformer();
 				XSLTPipe pipe = new XSLTPipe(inputStream, transformer);
 				return pipe.getPipedInputStream();
 			} catch (TransformerConfigurationException e) {
 				log(FrameworkEvent.ERROR, "Could not perform transform.", e); //$NON-NLS-1$
 			}
 		}
-
 		return null;
 	}
 
@@ -148,6 +146,8 @@ private synchronized Templates getTemplate(URL transformerURL) {
 			TransformerFactory tFactory = null;
 			try {
 				tFactory = TransformerFactory.newInstance();
+				tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); //$NON-NLS-1$
+				tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); //$NON-NLS-1$
 
 				InputSource inputSource = new InputSource(xsltStream);
 				XMLReader reader = XMLReaderFactory.createXMLReader();

diff --git a/...ipse.osgi/container/src/org/eclipse/osgi/internal/framework/XMLParsingServiceFactory.java b/...ipse.osgi/container/src/org/eclipse/osgi/internal/framework/XMLParsingServiceFactory.java
@@ -14,8 +14,11 @@
 package org.eclipse.osgi.internal.framework;
 
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
-import org.osgi.framework.*;
+import org.osgi.framework.Bundle;
+import org.osgi.framework.ServiceFactory;
+import org.osgi.framework.ServiceRegistration;
 import org.osgi.framework.wiring.BundleWiring;
 
 class XMLParsingServiceFactory implements ServiceFactory<Object> {
@@ -55,9 +58,27 @@ public Object getService(Bundle bundle, ServiceRegistration<Object> registration
 	}
 
 	private Object createService() {
-		if (isSax)
-			return SAXParserFactory.newInstance();
-		return DocumentBuilderFactory.newInstance();
+		if (isSax) {
+			SAXParserFactory factory = SAXParserFactory.newInstance();
+			try {
+				// ignore DOCTYPE:
+				factory.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+				factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
+				factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$
+			} catch (Exception e) {
+				throw new IllegalStateException(e);
+			}
+			return factory;
+		}
+		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+		try {
+			// completely disable external entities declarations:
+			factory.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$
+			factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$
+		} catch (ParserConfigurationException e) {
+			throw new IllegalStateException(e.getMessage(), e);
+		}
+		return factory;
 	}
 
 	@Override