From 249b7f3e52b7093165bb8768bf894eef6289a2ab Mon Sep 17 00:00:00 2001
From: Moulali Shikalwadi
Date: Thu, 30 Apr 2020 16:48:41 +0530
Subject: [PATCH] [JBEAP-19150] JSF trying to load DTD over the network
---
 .../main/java/com/sun/faces/util/Util.java | 37 +++++++++++++++++--
 1 file changed, 33 insertions(+), 4 deletions(-)
diff --git a/jsf-ri/src/main/java/com/sun/faces/util/Util.java b/jsf-ri/src/main/java/com/sun/faces/util/Util.java
index 3c1c522f75..1ac9a3668d 100644
--- a/jsf-ri/src/main/java/com/sun/faces/util/Util.java
+++ b/jsf-ri/src/main/java/com/sun/faces/util/Util.java
@@ -91,6 +91,7 @@ import javax.servlet.ServletRegistration;
 import javax.xml.namespace.NamespaceContext;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.validation.SchemaFactory;
@@ -99,6 +100,7 @@ import javax.xml.xpath.XPathFactory;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 import com.sun.faces.RIConstants;
 import com.sun.faces.config.WebConfiguration;
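Review bot: `org.xml.sax.SAXException` is imported in the second hunk but neither code hunk in this patch references it; both new `parse(stream)` calls are covered by the added blanket `catch (Exception e) {}` instead. Unless the name is used elsewhere in Util.java, the import is dead, and the blanket catch also hides programming errors that the old narrow `XPathExpressionException | IOException` handler let surface. The narrower form the import was presumably added for, `} catch (ParserConfigurationException | SAXException e) {`, would keep the catch limited to the checked exceptions `newDocumentBuilder()` and `parse()` actually declare. Logging the ignored exception at a debug level would make a descriptor that fails to parse diagnosable instead of silently yielding a null version.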
@@ -1328,11 +1330,25 @@ public static String getFacesConfigXmlVersion(FacesContext facesContext) {
 XPath xpath = factory.newXPath();
 xpath.setNamespaceContext(new JavaeeNamespaceContext());
 stream = url.openStream();
- result = xpath.evaluate("string(/javaee:faces-config/@version)", new InputSource(stream));
+ DocumentBuilderFactory dbf = createDocumentBuilderFactory();
+ try {
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+ } catch (ParserConfigurationException pce) {
+ }
+ dbf.setNamespaceAware(true);
+ dbf.setValidating(false);
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
+ result = xpath.evaluate("string(/javaee:faces-config/@version)",
+ dbf.newDocumentBuilder().parse(stream));
 }
 } catch (MalformedURLException mue) {
 } catch (XPathExpressionException | IOException xpee) {
- } finally {
+ } catch (Exception e) {
+ } finally {
 if (stream != null) {
 try {
 stream.close();
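Review bot: The empty `catch (ParserConfigurationException pce) {}` around the three `setFeature` calls fails open: on a JAXP implementation that rejects any of those feature URIs, `dbf.newDocumentBuilder().parse(stream)` still runs a few lines later with external DTD and entity loading at the implementation's defaults, which is the behaviour JBEAP-19150 is meant to remove. Failing closed is the safer contract here: drop the inner try/catch and let the exception reach the method's outer handler so the parse is skipped and `result` stays null, or at minimum record the exception so a deployment running on such a parser is diagnosable rather than silently unhardened. If `javax.xml.XMLConstants` is available in this file, `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` is worth adding alongside, as it is the feature every conforming parser must accept. The identical block and the same empty catch appear in the getWebXmlVersion hunk below.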
@@ -1358,11 +1374,24 @@ public static String getWebXmlVersion(FacesContext facesContext) {
 XPath xpath = factory.newXPath();
 xpath.setNamespaceContext(new JavaeeNamespaceContext());
 stream = url.openStream();
- result = xpath.evaluate("string(/javaee:web-app/@version)", new InputSource(stream));
+ DocumentBuilderFactory dbf = createDocumentBuilderFactory();
+ try {
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+ } catch (ParserConfigurationException e) {
+ }
+ dbf.setNamespaceAware(true);
+ dbf.setValidating(false);
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
+ result = xpath.evaluate("string(/javaee:web-app/@version)", dbf.newDocumentBuilder().parse(stream));
 }
 } catch (MalformedURLException mue) {
 } catch (XPathExpressionException | IOException xpee) {
- } catch (Exception e) {
+ } finally {
 if (stream != null) {
 try {
 stream.close();
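Review bot: The twelve lines that configure `dbf` here are a verbatim copy of the block added to getFacesConfigXmlVersion in the previous hunk, so the two descriptor readers will drift the next time a feature is added or a URI is corrected. A private helper that builds the hardened factory once keeps the hardening in a single place and, if it declares `throws ParserConfigurationException` instead of swallowing it, also makes an unsupported feature skip the parse rather than proceed unhardened. The caller then collapses to one line, and the outer handlers of both methods are left as they are.
```java
    /** Returns a DocumentBuilderFactory for reading deployment descriptors without fetching DTDs or entities. */
    private static DocumentBuilderFactory createOfflineDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = createDocumentBuilderFactory();
        // If any of these cannot be set the parser may still load external content, so propagate rather than ignore
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setNamespaceAware(true);
        dbf.setValidating(false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // … unchanged: getWebXmlVersion up to stream = url.openStream(); …
            result = xpath.evaluate("string(/javaee:web-app/@version)",
                    createOfflineDocumentBuilderFactory().newDocumentBuilder().parse(stream));
```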