moparisthebest
/
poi
1
0
Fork 0
Code Issues Pull Requests Releases 1 Wiki Activity

Merged revision(s) 1617849 from poi/trunk: 

More cleanups for bug #56814 and some more external entity leaks of #56164

git-svn-id: https://svn.apache.org/repos/asf/poi/branches/REL_3_10_BRANCH@1617854 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Uwe Schindler 2014-08-13 23:13:43 +00:00
parent 5af0021fa5
commit bb7a24769a
6 changed files with 179 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

122
src/ooxml/java/org/apache/poi/util/DocumentHelper.java Normal file
View File

@ -0,0 +1,122 @@
/* ====================================================================
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
==================================================================== */
package org.apache.poi.util;
import java.io.IOException;
import java.io.InputStream;
import java.lang.reflect.Method;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.events.Namespace;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;
public final class DocumentHelper {
private static POILogger logger = POILogFactory.getLogger(DocumentHelper.class);
private DocumentHelper() {}
/**
* Creates a new document builder, with sensible defaults
*/
public static synchronized DocumentBuilder newDocumentBuilder() {
try {
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
documentBuilder.setEntityResolver(SAXHelper.IGNORING_ENTITY_RESOLVER);
return documentBuilder;
} catch (ParserConfigurationException e) {
throw new IllegalStateException("cannot create a DocumentBuilder", e);
}
}
private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
static {
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setValidating(false);
trySetSAXFeature(documentBuilderFactory, SAXHelper.FEATURE_SECURE_PROCESSING, true);
trySetXercesSecurityManager(documentBuilderFactory);
}
private static void trySetSAXFeature(DocumentBuilderFactory documentBuilderFactory, String feature, boolean enabled) {
try {
documentBuilderFactory.setFeature(feature, enabled);
} catch (Exception e) {
logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
}
}
private static void trySetXercesSecurityManager(DocumentBuilderFactory documentBuilderFactory) {
// Try built-in JVM one first, standalone if not
for (String securityManagerClassName : new String[] {
"com.sun.org.apache.xerces.internal.util.SecurityManager",
"org.apache.xerces.util.SecurityManager"
}) {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
setLimit.invoke(mgr, 4096);
documentBuilderFactory.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
// Stop once one can be setup without error
return;
} catch (Exception e) {
logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
}
}
}
/**
* Parses the given stream via the default (sensible)
* DocumentBuilder
* @param inp Stream to read the XML data from
* @return the parsed Document
*/
public static Document readDocument(InputStream inp) throws IOException, SAXException {
return newDocumentBuilder().parse(inp);
}
// must only be used to create empty documents, do not use it for parsing!
private static final DocumentBuilder documentBuilderSingleton = newDocumentBuilder();
/**
* Creates a new DOM Document
*/
public static synchronized Document createDocument() {
return documentBuilderSingleton.newDocument();
}
/**
* Adds a namespace declaration attribute to the given element.
*/
public static void addNamespaceDeclaration(Element element, String namespacePrefix, String namespaceURI) {
element.setAttributeNS(XMLConstants.XMLNS_ATTRIBUTE_NS_URI,
XMLConstants.XMLNS_ATTRIBUTE + ':' + namespacePrefix,
namespaceURI);
}
/**
* Adds a namespace declaration attribute to the given element.
*/
public static void addNamespaceDeclaration(Element element, Namespace namespace) {
addNamespaceDeclaration(element, namespace.getPrefix(), namespace.getNamespaceURI());
}
}

64
src/ooxml/java/org/apache/poi/util/SAXHelper.java
View File

@ -25,9 +25,13 @@ import java.lang.reflect.Method;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
/**
@ -35,34 +39,47 @@ import org.xml.sax.SAXException;
*/
public final class SAXHelper {
private static POILogger logger = POILogFactory.getLogger(SAXHelper.class);
// remove this constant once on Java 6 and stax-api.jar was removed (which is missing this constant):
private static final String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing";
private SAXHelper() {}
/**
* Creates a new SAX Reader, with sensible defaults
* Creates a new SAX XMLReader, with sensible defaults
*/
public static SAXReader getSAXReader() {
SAXReader xmlReader = new SAXReader();
xmlReader.setValidation(false);
xmlReader.setEntityResolver(new EntityResolver() {
public InputSource resolveEntity(String publicId, String systemId)
throws SAXException, IOException {
return new InputSource(new StringReader(""));
}
});
public static synchronized XMLReader newXMLReader() throws SAXException, ParserConfigurationException {
XMLReader xmlReader = saxFactory.newSAXParser().getXMLReader();
xmlReader.setEntityResolver(IGNORING_ENTITY_RESOLVER);
trySetSAXFeature(xmlReader, FEATURE_SECURE_PROCESSING, true);
trySetXercesSecurityManager(xmlReader);
return xmlReader;
}
private static void trySetSAXFeature(SAXReader xmlReader, String feature, boolean enabled) {
static final EntityResolver IGNORING_ENTITY_RESOLVER = new EntityResolver() {
// not in Java 5: @Override
public InputSource resolveEntity(String publicId, String systemId)
throws SAXException, IOException {
return new InputSource(new StringReader(""));
}
};
private static final SAXParserFactory saxFactory;
static {
saxFactory = SAXParserFactory.newInstance();
saxFactory.setValidating(false);
saxFactory.setNamespaceAware(true);
}
// remove this constant once on Java 6 and stax-api.jar was removed (which is missing this constant):
static final String FEATURE_SECURE_PROCESSING = "http://javax.xml.XMLConstants/feature/secure-processing";
private static void trySetSAXFeature(XMLReader xmlReader, String feature, boolean enabled) {
try {
xmlReader.setFeature(feature, enabled);
} catch (Exception e) {
logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
}
}
private static void trySetXercesSecurityManager(SAXReader xmlReader) {
private static void trySetXercesSecurityManager(XMLReader xmlReader) {
// Try built-in JVM one first, standalone if not
for (String securityManagerClassName : new String[] {
"com.sun.org.apache.xerces.internal.util.SecurityManager",
@ -81,6 +98,21 @@ public final class SAXHelper {
}
}
/**
* Creates a new DOM4J SAXReader, with sensible defaults
*/
public static SAXReader getSAXReader() throws DocumentException {
try {
SAXReader reader = new SAXReader(newXMLReader(), false);
reader.setEntityResolver(IGNORING_ENTITY_RESOLVER);
return reader;
} catch (SAXException saxe) {
throw new DocumentException(saxe);
} catch (ParserConfigurationException pce) {
throw new DocumentException(pce);
}
}
/**
* Parses the given stream via the default (sensible)
* SAX Reader

7
src/ooxml/java/org/apache/poi/xssf/eventusermodel/ReadOnlySharedStringsTable.java
View File

@ -22,12 +22,11 @@ import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.openxml4j.opc.PackagePart;
import org.apache.poi.openxml4j.opc.PackageRelationship;
import org.apache.poi.util.SAXHelper;
import org.apache.poi.xssf.usermodel.XSSFRelation;
import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTRst;
import org.xml.sax.Attributes;
@ -135,10 +134,8 @@ public class ReadOnlySharedStringsTable extends DefaultHandler {
*/
public void readFrom(InputStream is) throws IOException, SAXException {
InputSource sheetSource = new InputSource(is);
SAXParserFactory saxFactory = SAXParserFactory.newInstance();
try {
SAXParser saxParser = saxFactory.newSAXParser();
XMLReader sheetParser = saxParser.getXMLReader();
XMLReader sheetParser = SAXHelper.newXMLReader();
sheetParser.setContentHandler(this);
sheetParser.parse(sheetSource);
} catch(ParserConfigurationException e) {

7
src/ooxml/java/org/apache/poi/xssf/extractor/XSSFEventBasedExcelExtractor.java
View File

@ -22,8 +22,6 @@ import java.util.List;
import java.util.Locale;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.poi.POIXMLProperties;
import org.apache.poi.POIXMLTextExtractor;
@ -33,6 +31,7 @@ import org.apache.poi.POIXMLProperties.ExtendedProperties;
import org.apache.poi.openxml4j.exceptions.OpenXML4JException;
import org.apache.poi.openxml4j.opc.OPCPackage;
import org.apache.poi.ss.usermodel.DataFormatter;
import org.apache.poi.util.SAXHelper;
import org.apache.poi.xssf.eventusermodel.ReadOnlySharedStringsTable;
import org.apache.poi.xssf.eventusermodel.XSSFReader;
import org.apache.poi.xssf.eventusermodel.XSSFSheetXMLHandler;
@ -154,10 +153,8 @@ public class XSSFEventBasedExcelExtractor extends POIXMLTextExtractor {
}
InputSource sheetSource = new InputSource(sheetInputStream);
SAXParserFactory saxFactory = SAXParserFactory.newInstance();
try {
SAXParser saxParser = saxFactory.newSAXParser();
XMLReader sheetParser = saxParser.getXMLReader();
XMLReader sheetParser = SAXHelper.newXMLReader();
ContentHandler handler = new XSSFSheetXMLHandler(
styles, strings, sheetContentsExtractor, formatter, formulasNotResults);
sheetParser.setContentHandler(handler);

14
src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
View File

@ -26,8 +26,6 @@ import java.util.List;
import java.util.Map;
import java.util.Vector;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Source;
@ -41,6 +39,7 @@ import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
import org.apache.poi.util.DocumentHelper;
import org.apache.poi.xssf.usermodel.XSSFCell;
import org.apache.poi.xssf.usermodel.XSSFMap;
import org.apache.poi.xssf.usermodel.XSSFRow;
@ -101,15 +100,6 @@ public class XSSFExportToXml implements Comparator<String>{
exportToXML(os, "UTF-8", validate);
}
private Document getEmptyDocument() throws ParserConfigurationException{
DocumentBuilderFactory dbfac = DocumentBuilderFactory.newInstance();
DocumentBuilder docBuilder = dbfac.newDocumentBuilder();
Document doc = docBuilder.newDocument();
return doc;
}
/**
* Exports the data in an XML stream
*
@ -127,7 +117,7 @@ public class XSSFExportToXml implements Comparator<String>{
String rootElement = map.getCtMap().getRootElement();
Document doc = getEmptyDocument();
Document doc = DocumentHelper.createDocument();
Element root = null;

8
src/ooxml/java/org/apache/poi/xssf/extractor/XSSFImportFromXML.java
View File

@ -24,13 +24,13 @@ import java.util.List;
import javax.xml.namespace.NamespaceContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import org.apache.poi.util.DocumentHelper;
import org.apache.poi.util.POILogFactory;
import org.apache.poi.util.POILogger;
import org.apache.poi.xssf.usermodel.XSSFTable;
@ -75,11 +75,9 @@ public class XSSFImportFromXML {
* @throws ParserConfigurationException if there are problems with XML parser configuration
* @throws IOException if there are problems reading the input string
*/
public void importFromXML(String xmlInputString) throws SAXException, XPathExpressionException, ParserConfigurationException, IOException {
public void importFromXML(String xmlInputString) throws SAXException, XPathExpressionException, IOException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
DocumentBuilder builder = DocumentHelper.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(xmlInputString.trim())));