Author: chtompki
Date: Thu Aug 24 11:04:49 2017
New Revision: 1806026
URL: http://svn.apache.org/viewvc?rev=1806026&view=rev
Log:
JELLY-293: accommodating toggling off DTD external entities
Added:
commons/proper/jelly/branches/1.X/pom.xml
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/TestDoctypeDefinitionXXE.java
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/doctypeDefinitionXXE.jelly
Modified:
commons/proper/jelly/branches/1.X/ (props changed)
commons/proper/jelly/branches/1.X/build.xml
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/JellyContext.java
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/parser/XMLParser.java
commons/proper/jelly/branches/1.X/xdocs/changes.xml
Propchange: commons/proper/jelly/branches/1.X/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Thu Aug 24 11:04:49 2017
@@ -10,3 +10,5 @@ target
tmp
*.log
*.gz
+libs
+downloadlibs.sh
Modified: commons/proper/jelly/branches/1.X/build.xml
URL:
http://svn.apache.org/viewvc/commons/proper/jelly/branches/1.X/build.xml?rev=1806026&r1=1806025&r2=1806026&view=diff
==============================================================================
--- commons/proper/jelly/branches/1.X/build.xml (original)
+++ commons/proper/jelly/branches/1.X/build.xml Thu Aug 24 11:04:49 2017
@@ -26,7 +26,7 @@
</property>
<property name="javadocdir" value="${basedir}/dist/docs/api">
</property>
- <property name="final.name" value="commons-jelly-1.0">
+ <property name="final.name" value="commons-jelly-1.0.1">
</property>
<property name="proxy.host" value="">
</property>
Added: commons/proper/jelly/branches/1.X/pom.xml
URL:
http://svn.apache.org/viewvc/commons/proper/jelly/branches/1.X/pom.xml?rev=1806026&view=auto
==============================================================================
--- commons/proper/jelly/branches/1.X/pom.xml (added)
+++ commons/proper/jelly/branches/1.X/pom.xml Thu Aug 24 11:04:49 2017
@@ -0,0 +1,514 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright 2002,2004 The Apache Software Foundation.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project>
+ <modelVersion>4.0.0</modelVersion>
+ <groupId>commons-jelly</groupId>
+ <artifactId>commons-jelly</artifactId>
+ <name>commons-jelly</name>
+ <version>1.0.1</version>
+ <description>
+ Jelly is a Java and XML based scripting engine. Jelly combines the best
ideas from JSTL, Velocity, DVSL, Ant and Cocoon all together in a simple yet
powerful scripting engine.
+ </description>
+ <url>http://commons.apache.org/commons/jelly/</url>
+ <issueManagement>
+ <url>
+ http://issues.apache.org/jira/secure/BrowseProject.jspa?id=10012
+ </url>
+ </issueManagement>
+ <ciManagement>
+ <notifiers>
+ <notifier>
+ <configuration>
+ <address>commons-...@jakarta.apache.org</address>
+ </configuration>
+ </notifier>
+ </notifiers>
+ </ciManagement>
+ <inceptionYear>2002</inceptionYear>
+ <mailingLists>
+ <mailingList>
+ <name>Commons Dev List</name>
+ <subscribe>commons-dev-subscr...@jakarta.apache.org</subscribe>
+ <unsubscribe>commons-dev-unsubscr...@jakarta.apache.org</unsubscribe>
+ <archive>
+
http://mail-archives.apache.org/eyebrowse/SummarizeList?listName=commons-...@jakarta.apache.org
+ </archive>
+ </mailingList>
+ <mailingList>
+ <name>Commons User List</name>
+ <subscribe>commons-user-subscr...@jakarta.apache.org</subscribe>
+ <unsubscribe>commons-user-unsubscr...@jakarta.apache.org</unsubscribe>
+ <archive>
+
http://mail-archives.apache.org/eyebrowse/SummarizeList?listName=commons-u...@jakarta.apache.org
+ </archive>
+ </mailingList>
+ </mailingLists>
+ <developers>
+ <developer>
+ <id>jstrachan</id>
+ <name>James Strachan</name>
+ <email>jstrac...@apache.org</email>
+ <url/>
+ <organization>SpiritSoft, Inc.</organization>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>geirm</id>
+ <name>Geir Magnusson Jr.</name>
+ <email>ge...@adeptra.com</email>
+ <url/>
+ <organization>Adeptra, Inc.</organization>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>werken</id>
+ <name>Bob McWhirter</name>
+ <email>b...@eng.werken.com</email>
+ <url/>
+ <organization>The Werken Company</organization>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>dion</id>
+ <name>dIon Gillard</name>
+ <email>d...@multitask.com.au</email>
+ <url/>
+ <organization>Multitask Consulting</organization>
+ <roles>
+ <role>Interested party</role>
+ </roles>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>morgand</id>
+ <name>Morgan Delagrange</name>
+ <email>morg...@apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>rwaldhoff</id>
+ <name>Rodney Waldhoff</name>
+ <email>rwaldh...@apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>proyal</id>
+ <name>Peter Royal</name>
+ <email>pro...@apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>mvdb</id>
+ <name>Martin van den Bemt</name>
+ <email>mar...@mvdb.net</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>polx</id>
+ <name>Paul Libbrecht</name>
+ <email>p...@activemath.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>rdonkin</id>
+ <name>Robert Burrell Donkin</name>
+ <email>rdon...@apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>dfs</id>
+ <name>Daniel F. Savarese</name>
+ <email>dfs -> apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>brett</id>
+ <name>Brett Porter</name>
+ <email>br...@apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>hgilde</id>
+ <name>Hans Gilde</name>
+ <email>hgi...@apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ <developer>
+ <id>chtompki</id>
+ <name>Rob Tompkins</name>
+ <email>chtom...@apache.org</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </developer>
+ </developers>
+ <contributors>
+ <contributor>
+ <name>Erik Fransen</name>
+ <email>erik...@xs4all.nl</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Logo designer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Calvin Yu</name>
+ <email/>
+ <url/>
+ <organization/>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Stephen Haberman</name>
+ <email>steph...@chase3000.com</email>
+ <url/>
+ <organization/>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Vinay Chandran</name>
+ <email>sahilvi...@yahoo.com</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Theo Niemeijer</name>
+ <email/>
+ <url/>
+ <organization/>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Joe Walnes</name>
+ <email>j...@thoughtworks.com</email>
+ <url/>
+ <organization>ThoughtWorks, Inc.</organization>
+ <roles>
+ <role>Inventor of Mock Tags</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Otto von Wachter</name>
+ <email>von...@yahoo.com</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Author of the tutorials</role>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Robert Leftwich</name>
+ <email>rob...@leftwich.info</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Jim Birchfield</name>
+ <email>jim.birchfi...@genscape.com</email>
+ <url/>
+ <organization>Genscape, Inc.</organization>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Jason Horman</name>
+ <email>jhor...@musicmatch.com</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Tim Anderson</name>
+ <email>t...@intalio.com</email>
+ <url/>
+ <organization>Intalio, Inc.</organization>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Theo Niemeijer</name>
+ <email>theo.niemei...@getthere.nl</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>J. Matthew Pryor</name>
+ <email>matthew_pr...@versata.com</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Knut Wannheden</name>
+ <email/>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Kelvin Tan</name>
+ <email/>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Todd Jonker</name>
+ <email/>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Christiaan ten Klooster</name>
+ <email/>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ <contributor>
+ <name>Pete Kazmier</name>
+ <email>k...@apache.org</email>
+ <url/>
+ <organization/>
+ <roles>
+ <role>Developer</role>
+ </roles>
+ <timezone/>
+ </contributor>
+ </contributors>
+ <scm>
+ <connection>
+
scm:svn:http://svn.apache.org/repos/asf/jakarta/commons/proper/jelly/trunk
+ </connection>
+ <developerConnection>
+
scm:svn:https://svn.apache.org/repos/asf/jakarta/commons/proper/jelly/trunk
+ </developerConnection>
+ <url>
+ http://svn.apache.org/viewcvs.cgi/jakarta/commons/proper/jelly/trunk
+ </url>
+ </scm>
+ <organization>
+ <name>Apache Software Foundation</name>
+ <url>http://jakarta.apache.org</url>
+ </organization>
+ <build>
+ <sourceDirectory>
+ c:\home\Brett\cvs\apache\jakarta-commons\jelly/src/java
+ </sourceDirectory>
+ <testSourceDirectory>
+ c:\home\Brett\cvs\apache\jakarta-commons\jelly/src/test
+ </testSourceDirectory>
+ <resources>
+ <resource>
+ <targetPath>META-INF</targetPath>
+ <directory>c:\home\Brett\cvs\apache\jakarta-commons\jelly</directory>
+ <includes>
+ <include>NOTICE.txt</include>
+ </includes>
+ </resource>
+ <resource>
+ <targetPath/>
+ <directory>
+ c:\home\Brett\cvs\apache\jakarta-commons\jelly/src/java
+ </directory>
+ <includes>
+ <include>**/*.properties</include>
+ </includes>
+ </resource>
+ </resources>
+ <testResources>
+ <testResource>
+ <targetPath/>
+ <directory>src/test</directory>
+ <includes>
+ <include>META-INF/services/*</include>
+ <include>**/*.jelly</include>
+ <include>**/*.xml</include>
+ <include>**/*.xsl</include>
+ <include>**/*.rng</include>
+ <include>**/*.dtd</include>
+ <include>**/*.properties</include>
+ <include>**/*.html</include>
+ </includes>
+ </testResource>
+ </testResources>
+ <plugins>
+ <plugin>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <includes>
+ <include>**/Test*.java</include>
+ </includes>
+ <excludes>
+ <exclude>**/TestCoreMemoryLeak.java</exclude>
+ </excludes>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ <dependencies>
+ <dependency>
+ <groupId>servletapi</groupId>
+ <artifactId>servletapi</artifactId>
+ <version>2.3</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-cli</groupId>
+ <artifactId>commons-cli</artifactId>
+ <version>1.0</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-lang</groupId>
+ <artifactId>commons-lang</artifactId>
+ <version>2.0</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-discovery</groupId>
+ <artifactId>commons-discovery</artifactId>
+ <version>20030211.213356</version>
+ </dependency>
+ <dependency>
+ <groupId>forehead</groupId>
+ <artifactId>forehead</artifactId>
+ <version>1.0-beta-5</version>
+ </dependency>
+ <dependency>
+ <groupId>jstl</groupId>
+ <artifactId>jstl</artifactId>
+ <version>1.0.6</version>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>3.8.1</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-jexl</groupId>
+ <artifactId>commons-jexl</artifactId>
+ <version>1.0</version>
+ </dependency>
+ <dependency>
+ <groupId>xml-apis</groupId>
+ <artifactId>xml-apis</artifactId>
+ <version>1.0.b2</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-beanutils</groupId>
+ <artifactId>commons-beanutils</artifactId>
+ <version>1.6</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ <version>2.1</version>
+ </dependency>
+ <dependency>
+ <groupId>commons-logging</groupId>
+ <artifactId>commons-logging</artifactId>
+ <version>1.0.3</version>
+ </dependency>
+ <dependency>
+ <groupId>dom4j</groupId>
+ <artifactId>dom4j</artifactId>
+ <version>1.5.2</version>
+ </dependency>
+ <dependency>
+ <groupId>jaxen</groupId>
+ <artifactId>jaxen</artifactId>
+ <version>1.1-beta-4</version>
+ </dependency>
+ <dependency>
+ <groupId>xerces</groupId>
+ <artifactId>xerces</artifactId>
+ <version>2.2.1</version>
+ </dependency>
+ </dependencies>
+ <distributionManagement>
+ <repository>
+ <id>default</id>
+ <name>Default Repository</name>
+ <url>
+ cvs.apache.org//www/jakarta.apache.org/builds/jakarta-commons/jelly/
+ </url>
+ </repository>
+ <site>
+ <id>default</id>
+ <name>Default Site</name>
+ <url>
+ scp://cvs.apache.org//www/jakarta.apache.org/commons/jelly/
+ </url>
+ </site>
+ </distributionManagement>
+</project>
\ No newline at end of file
Modified:
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/JellyContext.java
URL:
http://svn.apache.org/viewvc/commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/JellyContext.java?rev=1806026&r1=1806025&r2=1806026&view=diff
==============================================================================
---
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/JellyContext.java
(original)
+++
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/JellyContext.java
Thu Aug 24 11:04:49 2017
@@ -51,6 +51,9 @@ public class JellyContext {
/** Default for export of variables **/
private static final boolean DEFAULT_EXPORT = false;
+ /** Default for DTD calling out to external entities. */
+ private static final boolean DEFAULT_ALLOW_DTD_CALLS_TO_EXTERNAL_ENTITIES
= false;
+
/** String used to denote a script can't be parsed */
private static final String BAD_PARSE = "Could not parse Jelly script";
@@ -89,6 +92,9 @@ public class JellyContext {
/** Do we export our variables to parent context? */
private boolean export = JellyContext.DEFAULT_EXPORT;
+ /** Do we allow our doctype definitions to call out to external entities?
*/
+ private boolean allowDtdToCallExternalEntities =
JellyContext.DEFAULT_ALLOW_DTD_CALLS_TO_EXTERNAL_ENTITIES;
+
/** Should we export tag libraries to our parents context */
private boolean exportLibraries = true;
@@ -564,7 +570,7 @@ public class JellyContext {
* is created - such as to overload what the default ExpressionFactory
should be.
*/
protected XMLParser createXMLParser() {
- return new XMLParser();
+ return new XMLParser(allowDtdToCallExternalEntities);
}
/**
@@ -846,6 +852,19 @@ public class JellyContext {
return this.inherit;
}
+ /**
+ * Sets whether we should allow our doctype definitions to call out to
external entities.
+ */
+ public void setAllowDtdToCallExternalEntities(boolean
allowDtdToCallExternalEntities) {
+ this.allowDtdToCallExternalEntities = allowDtdToCallExternalEntities;
+ }
+
+ /**
+ * @return whether we should allow our doctype definitions to call out to
external entities.
+ */
+ public boolean isAllowDtdToCallExternalEntities() {
+ return this.allowDtdToCallExternalEntities;
+ }
/**
* Return the class loader to be used for instantiating application objects
Modified:
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/parser/XMLParser.java
URL:
http://svn.apache.org/viewvc/commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/parser/XMLParser.java?rev=1806026&r1=1806025&r2=1806026&view=diff
==============================================================================
---
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/parser/XMLParser.java
(original)
+++
commons/proper/jelly/branches/1.X/src/java/org/apache/commons/jelly/parser/XMLParser.java
Thu Aug 24 11:04:49 2017
@@ -100,6 +100,9 @@ public class XMLParser extends DefaultHa
/** The current text buffer where non-custom tags get written */
private StringBuffer textBuffer;
+ /** Do we allow our doctype definitions to call out to external entities?
*/
+ private boolean allowDtdToCallExternalEntities = false;
+
/**
* The class loader to use for instantiating application objects.
* If not specified, the context class loader, or the class loader
@@ -186,6 +189,21 @@ public class XMLParser extends DefaultHa
}
/**
+ * Construct a new XMLParser, with the boolean
+ * allowDtdToCallExternalEntities being passed in. If this is set to false,
+ * the XMLParser will be created with:
+ * XMLReader spf = XMLReaderFactory.createXMLReader();
+ * spf.setFeature("http://xml.org/sax/features/external-general-entities";,
false);
+ *
spf.setFeature("http://xml.org/sax/features/external-parameter-entities";,
false);
+ *
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+ * as given by
+ *
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader
+ */
+ public XMLParser(boolean allowDtdToCallExternalEntities) {
+ this.allowDtdToCallExternalEntities = allowDtdToCallExternalEntities;
+ }
+
+ /**
* Construct a new XMLParser, allowing a SAXParser to be passed in. This
* allows XMLParser to be used in environments which are unfriendly to
* JAXP1.1 (such as WebLogic 6.0). Thanks for the request to change go to
@@ -494,6 +512,11 @@ public class XMLParser extends DefaultHa
public synchronized XMLReader getXMLReader() throws SAXException {
if (reader == null) {
reader = getParser().getXMLReader();
+ if (!allowDtdToCallExternalEntities) {
+
reader.setFeature("http://xml.org/sax/features/external-general-entities";,
false);
+
reader.setFeature("http://xml.org/sax/features/external-parameter-entities";,
false);
+
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
false);
+ }
if (this.defaultNamespaceURI != null) {
reader = new
DefaultNamespaceFilter(this.defaultNamespaceURI,reader);
}
Added:
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/TestDoctypeDefinitionXXE.java
URL:
http://svn.apache.org/viewvc/commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/TestDoctypeDefinitionXXE.java?rev=1806026&view=auto
==============================================================================
---
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/TestDoctypeDefinitionXXE.java
(added)
+++
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/TestDoctypeDefinitionXXE.java
Thu Aug 24 11:04:49 2017
@@ -0,0 +1,59 @@
+package org.apache.commons.jelly;
+
+import junit.framework.TestCase;
+
+import java.net.URL;
+
+/**
+ * A test class to validate doctype definitions' declaration of external
+ * calls using custom xml tags. Specifically we test some changes in {@link
JellyContext}
+ * along with {@link org.apache.commons.jelly.parser.XMLParser}.
+ *
+ * @author chotmpki
+ */
+public class TestDoctypeDefinitionXXE extends TestCase
+{
+ public TestDoctypeDefinitionXXE( String s )
+ {
+ super( s );
+ }
+
+ public void testDoctypeDefinitionXXEDefaultMode() throws JellyException
+ {
+ JellyContext context = new JellyContext();
+ URL url = this.getClass().getResource("doctypeDefinitionXXE.jelly");
+ try
+ {
+ context.runScript(url, null);
+ } catch (JellyException e) {
+ Throwable cause = e.getCause();
+ if (cause instanceof java.net.ConnectException) {
+ fail("doctypeDefinitionXXE.jelly attempted to connect to
http://127.0.0.1:4444";);
+ } else if (cause instanceof org.xml.sax.SAXParseException) {
+ // Success.
+ } else {
+ fail("Unknown exception: " + e.getMessage());
+ }
+ }
+ }
+
+ public void testDoctypeDefinitionXXEAllowDTDCalls() throws JellyException
+ {
+ JellyContext context = new JellyContext();
+ context.setAllowDtdToCallExternalEntities(true);
+ URL url = this.getClass().getResource("doctypeDefinitionXXE.jelly");
+ try
+ {
+ context.runScript(url, null);
+ } catch (JellyException e) {
+ Throwable cause = e.getCause();
+ if (cause instanceof java.net.ConnectException) {
+ //success
+ } else if (cause instanceof org.xml.sax.SAXParseException) {
+ fail("doctypeDefinitionXXE.jelly did not attempt to connect to
http://127.0.0.1:4444";);
+ } else {
+ fail("Unknown exception: " + e.getMessage());
+ }
+ }
+ }
+}
Added:
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/doctypeDefinitionXXE.jelly
URL:
http://svn.apache.org/viewvc/commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/doctypeDefinitionXXE.jelly?rev=1806026&view=auto
==============================================================================
---
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/doctypeDefinitionXXE.jelly
(added)
+++
commons/proper/jelly/branches/1.X/src/test/org/apache/commons/jelly/doctypeDefinitionXXE.jelly
Thu Aug 24 11:04:49 2017
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<!DOCTYPE r [
+ <!ELEMENT r ANY >
+ <!ENTITY sp SYSTEM "http://127.0.0.1:4444/";>
+ ]>
+<r>&sp;</r>
+<j:jelly trim="false" xmlns:j="jelly:core"
+ xmlns:x="jelly:xml"
+ xmlns:html="jelly:html">
+</j:jelly>
\ No newline at end of file
Modified: commons/proper/jelly/branches/1.X/xdocs/changes.xml
URL:
http://svn.apache.org/viewvc/commons/proper/jelly/branches/1.X/xdocs/changes.xml?rev=1806026&r1=1806025&r2=1806026&view=diff
==============================================================================
--- commons/proper/jelly/branches/1.X/xdocs/changes.xml (original)
+++ commons/proper/jelly/branches/1.X/xdocs/changes.xml Thu Aug 24 11:04:49 2017
@@ -24,6 +24,9 @@
<author email="d...@apache.org">dIon Gillard</author>
</properties>
<body>
+ <release version="1.0.1" date="tbd">
+ <action dev="chtompki" type="fix" issue="JELLY-293">Accommodate toggling
off DTD external entities.</action>
+ </release>
<release version="1.0" date="2005-06-12">
<action dev="brett" type="fix" due-to="Hans Gilde">Improve tag caching
to improve memory consumption</action>
<action dev="dion" type="fix" issue="JELLY-196">SwitchTag can not be
reused if default encountered.</action>
