File _service:obs_scm:0001-Do-not-load-external-DTDs-by-default.patch of Package checkstyle
From a9160d06bf5b8c9c11666ab408ea8a09afa108a9 Mon Sep 17 00:00:00 2001
From: Mikolaj Izdebski <mizdebsk@redhat.com>
Date: Tue, 2 Apr 2019 15:10:53 +0200
Subject: [PATCH] Do not load external DTDs by default
---
 .../tools/checkstyle/api/AbstractLoader.java | 43 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 2 deletions(-)
diff --git a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
index a414492f3..76c72b767 100644
--- a/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
+++ b/src/main/java/com/puppycrawl/tools/checkstyle/api/AbstractLoader.java
@@ -83,8 +83,7 @@ public abstract class AbstractLoader
 throws SAXException, ParserConfigurationException {
 this.publicIdToResourceNameMap = new HashMap<>(publicIdToResourceNameMap);
 final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setFeature(LOAD_EXTERNAL_DTD, true);
- factory.setFeature(EXTERNAL_GENERAL_ENTITIES, true);
+ LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory);
 factory.setValidating(true);
 factory.setNamespaceAware(true);
 parser = factory.newSAXParser().getXMLReader();
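Review bot: The new `LoadExternalDtdFeatureProvider.setFeaturesBySystemProperty(factory)` call is followed directly by `factory.setValidating(true)`, and Xerces documents the `nonvalidating/load-external-dtd` feature as always on when validation is on, so the default-off value may not stop a validating parser from fetching the external DTD subset named in a DOCTYPE. Whether that happens here depends on the JAXP implementation in use and on how `resolveEntity` (not visible in this hunk) treats public IDs that are missing from `publicIdToResourceNameMap`. A regression test that loads a configuration whose DOCTYPE names an unmapped system id, and asserts that no fetch is attempted, would settle it. If the fetch does occur, having the resolver fail with a `SAXException` for unmapped IDs closes the gap without depending on parser features. The constructor this hunk belongs to begins above the hunk and continues past it.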
@@ -133,4 +132,44 @@ public abstract class AbstractLoader
 public void fatalError(SAXParseException exception) throws SAXException {
 throw exception;
 }
+
+ /**
+ * Used for setting specific for secure java installations features to SAXParserFactory.
+ * Pulled out as a separate class in order to suppress Pitest mutations.
+ */
+ public static final class LoadExternalDtdFeatureProvider {
+
+ /** System property name to enable external DTD load. */
+ public static final String ENABLE_EXTERNAL_DTD_LOAD = "checkstyle.enableExternalDtdLoad";
+
+ /** Feature that enables loading external DTD when loading XML files. */
+ private static final String LOAD_EXTERNAL_DTD =
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+ /** Feature that enables including external general entities in XML files. */
+ private static final String EXTERNAL_GENERAL_ENTITIES =
+ "http://xml.org/sax/features/external-general-entities";
+
+ /** Stop instances being created. **/
+ private LoadExternalDtdFeatureProvider() {
+ }
+
+ /**
+ * Configures SAXParserFactory with features required
+ * to use external DTD file loading, this is not activated by default to no allow
+ * usage of schema files that checkstyle do not know
+ * it is even security problem to allow files from outside.
+ * @param factory factory to be configured with special features
+ * @throws SAXException if an error occurs
+ * @throws ParserConfigurationException if an error occurs
+ */
+ public static void setFeaturesBySystemProperty(SAXParserFactory factory)
+ throws SAXException, ParserConfigurationException {
+
+ final boolean enableExternalDtdLoad = Boolean.valueOf(
+ System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"));
+
+ factory.setFeature(LOAD_EXTERNAL_DTD, enableExternalDtdLoad);
+ factory.setFeature(EXTERNAL_GENERAL_ENTITIES, enableExternalDtdLoad);
+ }
+ }
 }
--
2.20.1
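Review bot: `setFeaturesBySystemProperty` switches off `external-general-entities` but leaves `http://xml.org/sax/features/external-parameter-entities` at the parser default, so parameter entities declared in an internal DTD subset can still pull in external resources when the property is unset. Adding `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", enableExternalDtdLoad);` next to the two existing calls keeps all three switches tied to `checkstyle.enableExternalDtdLoad`. As a smaller point, `Boolean.valueOf(System.getProperty(ENABLE_EXTERNAL_DTD_LOAD, "false"))` boxes and then unboxes, while `Boolean.getBoolean(ENABLE_EXTERNAL_DTD_LOAD)` reads the same property with the same result. The method Javadoc's middle sentence is hard to parse and would read better as `External DTD loading is disabled by default because fetching schema files that checkstyle does not know is a security risk.`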