root
/
spring-framework
mirror of https://github.com/spring-projects/spring-framework.git
1
0
Fork 0
Code Issues Actions 8 Packages Projects Releases Wiki Activity

XmlEventDecoder uses common defensive XMLInputFactory (now in StaxUtils) 

Issue: SPR-15797
This commit is contained in:
Juergen Hoeller 2017-07-20 13:17:27 +02:00
parent 40df7b6eca
commit e4651d6b50
5 changed files with 50 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
spring-core/src/main/java/org/springframework/util/xml/StaxUtils.java
View File

@ -20,6 +20,8 @@ import java.util.List;
import javax.xml.stream.XMLEventFactory;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLEventWriter;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamWriter;
@ -33,13 +35,15 @@ import org.xml.sax.ContentHandler;
import org.xml.sax.XMLReader;
import org.springframework.lang.Nullable;
import org.springframework.util.StreamUtils;
/**
* Convenience methods for working with the StAX API. Partly historic due to JAXP 1.3 compatibility;
* as of Spring 4.0, relying on JAXP 1.4 as included in JDK 1.6 and higher.
* Convenience methods for working with the StAX API. Partly historic due to JAXP 1.3
* compatibility; as of Spring 4.0, relying on JAXP 1.4 as included in JDK 1.6 and higher.
*
* <p>In particular, methods for using StAX ({@code javax.xml.stream}) in combination with the TrAX API
* ({@code javax.xml.transform}), and converting StAX readers/writers into SAX readers/handlers and vice-versa.
* <p>In particular, methods for using StAX ({@code javax.xml.stream}) in combination with
* the TrAX API ({@code javax.xml.transform}), and converting StAX readers/writers into SAX
* readers/handlers and vice-versa.
*
* @author Arjen Poutsma
* @author Juergen Hoeller
@ -47,6 +51,24 @@ import org.springframework.lang.Nullable;
*/
public abstract class StaxUtils {
private static final XMLResolver NO_OP_XML_RESOLVER =
(publicID, systemID, base, ns) -> StreamUtils.emptyInput();
/**
* Create an {@link XMLInputFactory} with Spring's defensive setup,
* i.e. no support for the resolution of DTDs and external entities.
* @return a new input factory to use
* @since 5.0
*/
public static XMLInputFactory createDefensiveInputFactory() {
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);
return inputFactory;
}
/**
* Create a JAXP 1.4 {@link StAXSource} for the given {@link XMLStreamReader}.
* @param streamReader the StAX stream reader
@ -57,7 +79,7 @@ public abstract class StaxUtils {
}
/**
* Create a JAXP 1.4 a {@link StAXSource} for the given {@link XMLEventReader}.
* Create a JAXP 1.4 {@link StAXSource} for the given {@link XMLEventReader}.
* @param eventReader the StAX event reader
* @return a source wrapping the {@code eventReader}
*/

3
spring-web/src/main/java/org/springframework/http/codec/xml/XmlEventDecoder.java
View File

@ -44,6 +44,7 @@ import org.springframework.lang.Nullable;
import org.springframework.util.ClassUtils;
import org.springframework.util.MimeType;
import org.springframework.util.MimeTypeUtils;
import org.springframework.util.xml.StaxUtils;
/**
* Decodes a {@link DataBuffer} stream into a stream of {@link XMLEvent}s.
@ -77,7 +78,7 @@ import org.springframework.util.MimeTypeUtils;
*/
public class XmlEventDecoder extends AbstractDecoder<XMLEvent> {
private static final XMLInputFactory inputFactory = XMLInputFactory.newInstance();
private static final XMLInputFactory inputFactory = StaxUtils.createDefensiveInputFactory();
private static final boolean aaltoPresent = ClassUtils.isPresent(
"com.fasterxml.aalto.AsyncXMLStreamReader", XmlEventDecoder.class.getClassLoader());

27
spring-web/src/main/java/org/springframework/http/converter/json/Jackson2ObjectMapperBuilder.java
View File

@ -26,8 +26,6 @@ import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import com.fasterxml.jackson.annotation.JsonFilter;
import com.fasterxml.jackson.annotation.JsonInclude;
@ -62,8 +60,8 @@ import org.springframework.context.ApplicationContext;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.StreamUtils;
import org.springframework.util.StringUtils;
import org.springframework.util.xml.StaxUtils;
/**
* A builder used to create {@link ObjectMapper} instances with a fluent API.
@ -827,38 +825,27 @@ public class Jackson2ObjectMapperBuilder {
private static class XmlObjectMapperInitializer {
public ObjectMapper create() {
return new XmlMapper(xmlInputFactory());
return new XmlMapper(StaxUtils.createDefensiveInputFactory());
}
public ObjectMapper create(boolean defaultUseWrapper) {
JacksonXmlModule module = new JacksonXmlModule();
module.setDefaultUseWrapper(defaultUseWrapper);
return new XmlMapper(new XmlFactory(xmlInputFactory()), module);
return new XmlMapper(new XmlFactory(StaxUtils.createDefensiveInputFactory()), module);
}
private static XMLInputFactory xmlInputFactory() {
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);
return inputFactory;
}
private static final XMLResolver NO_OP_XML_RESOLVER = new XMLResolver() {
@Override
public Object resolveEntity(String publicID, String systemID, String base, String ns) {
return StreamUtils.emptyInput();
}
};
}
private static class SmileFactoryInitializer {
public JsonFactory create() {
return new SmileFactory();
}
}
private static class CborFactoryInitializer {
public JsonFactory create() {
return new CBORFactory();
}

23
spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java
View File

@ -31,7 +31,6 @@ import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.bind.annotation.XmlType;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Result;
@ -47,7 +46,7 @@ import org.springframework.http.converter.HttpMessageNotReadableException;
import org.springframework.http.converter.HttpMessageNotWritableException;
import org.springframework.lang.Nullable;
import org.springframework.util.ReflectionUtils;
import org.springframework.util.StreamUtils;
import org.springframework.util.xml.StaxUtils;
/**
* An {@code HttpMessageConverter} that can read XML collections using JAXB2.
@ -242,25 +241,15 @@ public class Jaxb2CollectionHttpMessageConverter<T extends Collection>
}
/**
* Create a {@code XMLInputFactory} that this converter will use to create {@link
* javax.xml.stream.XMLStreamReader} and {@link javax.xml.stream.XMLEventReader} objects.
* Create an {@code XMLInputFactory} that this converter will use to create
* {@link javax.xml.stream.XMLStreamReader} and {@link javax.xml.stream.XMLEventReader}
* objects.
* <p>Can be overridden in subclasses, adding further initialization of the factory.
* The resulting factory is cached, so this method will only be called once.
* @see StaxUtils#createDefensiveInputFactory()
*/
protected XMLInputFactory createXmlInputFactory() {
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
inputFactory.setXMLResolver(NO_OP_XML_RESOLVER);
return inputFactory;
return StaxUtils.createDefensiveInputFactory();
}
private static final XMLResolver NO_OP_XML_RESOLVER = new XMLResolver() {
@Override
public Object resolveEntity(String publicID, String systemID, String base, String ns) {
return StreamUtils.emptyInput();
}
};
}

25
spring-web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 the original author or authors.
* Copyright 2002-2017 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -66,7 +66,13 @@ import org.springframework.util.StreamUtils;
*/
public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMessageConverter<T> {
private static final Set<Class<?>> SUPPORTED_CLASSES = new HashSet<>(5);
private static final EntityResolver NO_OP_ENTITY_RESOLVER =
(publicId, systemId) -> new InputSource(new StringReader(""));
private static final XMLResolver NO_OP_XML_RESOLVER =
(publicID, systemID, base, ns) -> StreamUtils.emptyInput();
private static final Set<Class<?>> SUPPORTED_CLASSES = new HashSet<>(8);
static {
SUPPORTED_CLASSES.add(DOMSource.class);
@ -279,19 +285,4 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
}
}
private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() {
@Override
public InputSource resolveEntity(String publicId, String systemId) {
return new InputSource(new StringReader(""));
}
};
private static final XMLResolver NO_OP_XML_RESOLVER = new XMLResolver() {
@Override
public Object resolveEntity(String publicID, String systemID, String base, String ns) {
return StreamUtils.emptyInput();
}
};
}