diff --git a/src/ooxml/java/org/apache/poi/util/DocumentHelper.java b/src/ooxml/java/org/apache/poi/util/DocumentHelper.java
index f86e60fd9..569c5ff71 100644
--- a/src/ooxml/java/org/apache/poi/util/DocumentHelper.java
+++ b/src/ooxml/java/org/apache/poi/util/DocumentHelper.java
@@ -113,8 +113,8 @@ public final class DocumentHelper {
     private static void trySetXercesSecurityManager(DocumentBuilderFactory dbf) {
         // Try built-in JVM one first, standalone if not
-        for (String securityManagerClassName : new String[] {
-                "com.sun.org.apache.xerces.internal.util.SecurityManager",
+        for (String securityManagerClassName : new String[]{
+                //"com.sun.org.apache.xerces.internal.util.SecurityManager",
                 "org.apache.xerces.util.SecurityManager"
         }) {
             try {
@@ -124,10 +124,15 @@ public final class DocumentHelper {
                 dbf.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
                 // Stop once one can be setup without error
                 return;
+            } catch (ClassNotFoundException e) {
+                // continue without log, this is expected in some setups
             } catch (Throwable e) {     // NOSONAR - also catch things like NoClassDefError here
                 logger.log(POILogger.WARN, "SAX Security Manager could not be setup", e);
             }
         }
+
+        // separate old version of Xerces not found => use the builtin way of setting the property
+        dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
     }
     /**
diff --git a/src/ooxml/java/org/apache/poi/util/SAXHelper.java b/src/ooxml/java/org/apache/poi/util/SAXHelper.java
index fcd86e509..81ab5599f 100644
--- a/src/ooxml/java/org/apache/poi/util/SAXHelper.java
+++ b/src/ooxml/java/org/apache/poi/util/SAXHelper.java
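Review bot: The JDK-internal `com.sun.org.apache.xerces.internal.util.SecurityManager` entry is kept in the array as a commented-out line with no explanation, so a later reader cannot tell whether it was dropped deliberately or by accident, and the same dead line is introduced in SAXHelper.trySetXercesSecurityManager. Replace it with a comment that states the reason, e.g. `// the JDK-internal Xerces SecurityManager is deliberately not tried; the entityExpansionLimit fallback below covers the JDK parser` — presumably the motivation is that the internal class is not usable on newer JDKs, but the hunk does not say so and that should be confirmed before writing it down. trySetXercesSecurityManager's body continues past the end of this hunk.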
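Review bot: The new `dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096)` is the only unguarded call in a method whose loop above catches Throwable, and DocumentBuilderFactory.setAttribute throws IllegalArgumentException for an attribute the underlying parser does not recognise, so on a JAXP implementation that is neither the JDK parser nor standalone Xerces the exception now escapes trySetXercesSecurityManager and factory setup fails where it previously degraded to a warning. The SAXHelper change in this same commit wraps the equivalent setProperty in a try/catch, and the DOM side should do the same, logging at WARN so it is visible that the parser is running with no entity expansion limit. The fallback is reached both when no SecurityManager class exists and when one was found but failed to install (the Throwable branch), which is fine but worth stating in the comment; the unused `e` in the ClassNotFoundException branch could be named `ignored` to mark the swallow as intentional. The method's opening lines are outside this hunk.
```java
        // no separate Xerces SecurityManager available (or it failed to install) => fall back to the JDK property
        try {
            dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
        } catch (IllegalArgumentException e) {
            // the parser knows neither Xerces' SecurityManager nor the JDK property: parsing continues
            // with no entity expansion limit, so make that visible rather than failing factory creation
            logger.log(POILogger.WARN, "Entity expansion limit could not be set, parser runs without one", e);
        }
```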
@@ -95,7 +95,7 @@ public final class SAXHelper {
     private static void trySetXercesSecurityManager(XMLReader xmlReader) {
         // Try built-in JVM one first, standalone if not
         for (String securityManagerClassName : new String[] {
-                "com.sun.org.apache.xerces.internal.util.SecurityManager",
+                //"com.sun.org.apache.xerces.internal.util.SecurityManager",
                 "org.apache.xerces.util.SecurityManager"
         }) {
             try {
@@ -105,6 +105,8 @@ public final class SAXHelper {
                 xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
                 // Stop once one can be setup without error
                 return;
+            } catch (ClassNotFoundException e) {
+                // continue without log, this is expected in some setups
             } catch (Throwable e) {     // NOSONAR - also catch things like NoClassDefError here
                 // throttle the log somewhat as it can spam the log otherwise
                 if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
@@ -113,5 +115,16 @@ public final class SAXHelper {
                 }
             }
         }
+
+        // separate old version of Xerces not found => use the builtin way of setting the property
+        try {
+            xmlReader.setProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
+        } catch (SAXException e) {     // NOSONAR - also catch things like NoClassDefError here
+            // throttle the log somewhat as it can spam the log otherwise
+            if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
+                logger.log(POILogger.WARN, "SAX Security Manager could not be setup [log suppressed for 5 minutes]", e);
+                lastLog = System.currentTimeMillis();
+            }
+        }
     }
 }
diff --git a/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java b/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java
index 6d3c038b4..04f3a7a26 100644
--- a/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java
+++ b/src/ooxml/testcases/org/apache/poi/util/TestSAXHelper.java
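Review bot: The `// NOSONAR - also catch things like NoClassDefError here` comment on the new `catch (SAXException e)` is copied from the Throwable branch above and is wrong here: a SAXException handler catches only the SAXNotRecognizedException/SAXNotSupportedException that setProperty declares, never an Error. The log message is equally misleading, because what failed is the entity expansion limit, not a security manager, and the consequence — the XMLReader is returned with no expansion limit at all — is exactly what an operator needs to see in the log. Suggested lines: `} catch (SAXException e) { // property unknown to or unsupported by this parser` and `logger.log(POILogger.WARN, "Entity expansion limit could not be set, parser runs without one [log suppressed for 5 minutes]", e);`. Whether the JDK parser under FEATURE_SECURE_PROCESSING (asserted in the test hunk) also bounds the other limits the old Xerces SecurityManager was configured with is not visible in this hunk, since the `mgr` setup lines are outside it, and is worth confirming before relying on this single property as the fallback. This hunk closes the method and the class.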
@@ -33,6 +33,8 @@ public class TestSAXHelper {
         assertNotSame(reader, SAXHelper.newXMLReader());
         assertTrue(reader.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
         assertEquals(SAXHelper.IGNORING_ENTITY_RESOLVER, reader.getEntityResolver());
+        assertNotNull(reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
+        assertEquals("4096", reader.getProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit"));
         assertNotNull(reader.getProperty("http://apache.org/xml/properties/security-manager"));
         reader.parse(new InputSource(new ByteArrayInputStream("".getBytes("UTF-8"))));