[JBEAP-19150] JSF trying to load DTD over the network

jboss · Apr 30, 2020 · 249b7f3 · 249b7f3
1 parent e2d3e41
commit 249b7f3
Showing 1 changed file with 33 additions and 4 deletions.
diff --git a/jsf-ri/src/main/java/com/sun/faces/util/Util.java b/jsf-ri/src/main/java/com/sun/faces/util/Util.java
@@ -91,6 +91,7 @@
 import javax.servlet.ServletRegistration;
 import javax.xml.namespace.NamespaceContext;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.validation.SchemaFactory;
@@ -99,6 +100,7 @@
 import javax.xml.xpath.XPathFactory;
 
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 import com.sun.faces.RIConstants;
 import com.sun.faces.config.WebConfiguration;
@@ -1328,11 +1330,25 @@ public static String getFacesConfigXmlVersion(FacesContext facesContext) {
                 XPath xpath = factory.newXPath();
                 xpath.setNamespaceContext(new JavaeeNamespaceContext());
                 stream = url.openStream();
-                result = xpath.evaluate("string(/javaee:faces-config/@version)", new InputSource(stream));
+                DocumentBuilderFactory dbf = createDocumentBuilderFactory();
+				try {
+					dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+					dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+					dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+				} catch (ParserConfigurationException pce) {
+				}
+				dbf.setNamespaceAware(true);
+				dbf.setValidating(false);
+				dbf.setXIncludeAware(false);
+				dbf.setExpandEntityReferences(false);
+				result = xpath.evaluate("string(/javaee:faces-config/@version)",
+						dbf.newDocumentBuilder().parse(stream));
             }
         } catch (MalformedURLException mue) {
         } catch (XPathExpressionException | IOException xpee) {
-        } finally {
+        } catch (Exception e) {
+		} finally {
             if (stream != null) {
                 try {
                     stream.close();
@@ -1358,11 +1374,24 @@ public static String getWebXmlVersion(FacesContext facesContext) {
                 XPath xpath = factory.newXPath();
                 xpath.setNamespaceContext(new JavaeeNamespaceContext());
                 stream = url.openStream();
-                result = xpath.evaluate("string(/javaee:web-app/@version)", new InputSource(stream));
+                DocumentBuilderFactory dbf = createDocumentBuilderFactory();
+				try {
+					dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+					dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+					dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+				} catch (ParserConfigurationException e) {
+				}
+				dbf.setNamespaceAware(true);
+				dbf.setValidating(false);
+				dbf.setXIncludeAware(false);
+				dbf.setExpandEntityReferences(false);
+				result = xpath.evaluate("string(/javaee:web-app/@version)", dbf.newDocumentBuilder().parse(stream));
             }
         } catch (MalformedURLException mue) {
         } catch (XPathExpressionException | IOException xpee) {
-        } finally {
+        } catch (Exception e) {
+		} finally {
             if (stream != null) {
                 try {
                     stream.close();