Index: jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java =================================================================== --- jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java (revision 1678320) +++ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java (working copy) @@ -27,6 +27,7 @@ import org.apache.jackrabbit.webdav.DavServletResponse; import org.apache.jackrabbit.webdav.MultiStatus; import org.apache.jackrabbit.webdav.header.Header; +import org.apache.jackrabbit.webdav.xml.DavDocumentBuilderFactory; import org.apache.jackrabbit.webdav.xml.XmlSerializable; import org.apache.jackrabbit.webdav.xml.DomUtil; import org.slf4j.Logger; @@ -39,6 +40,7 @@ import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; + import java.io.IOException; import java.io.InputStream; @@ -49,7 +51,7 @@ private static Logger log = LoggerFactory.getLogger(DavMethodBase.class); - static final DocumentBuilderFactory BUILDER_FACTORY = DomUtil.BUILDER_FACTORY; + static final DavDocumentBuilderFactory BUILDER_FACTORY = DomUtil.BUILDER_FACTORY; private boolean success; private Document responseDocument; Index: jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java =================================================================== --- jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java (revision 1678320) +++ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java (working copy) @@ -28,7 +28,6 @@ import org.w3c.dom.Text; import org.w3c.dom.NamedNodeMap; -import javax.xml.parsers.DocumentBuilderFactory; import java.util.ArrayList; import java.util.List; 
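Review bot: In the `@@ -39,6 +40,7 @@` hunk the `import javax.xml.parsers.DocumentBuilderFactory;` line is kept although the only visible use, the `BUILDER_FACTORY` field in the `@@ -49,7 +51,7 @@` hunk, is now typed `DavDocumentBuilderFactory`; if nothing else in DavMethodBase references that type, drop the import as the DomUtil hunk in this same patch does. The same hunk adds a bare blank line (`+` followed by trailing whitespace) between the javax and java.io import groups, which is fine as a separator but should not carry trailing whitespace. The rest of the class is outside these hunks, so the import may still be needed by code not shown here.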
@@ -40,16 +39,10 @@ private static Logger log = LoggerFactory.getLogger(DomUtil.class); /** - * Constant for DocumentBuilderFactory which is used + * Constant for DavDocumentBuilderFactory which is used * widely to create new Documents */ - public static DocumentBuilderFactory BUILDER_FACTORY = DocumentBuilderFactory.newInstance(); - static { - BUILDER_FACTORY.setNamespaceAware(true); - BUILDER_FACTORY.setIgnoringComments(true); - BUILDER_FACTORY.setIgnoringElementContentWhitespace(true); - BUILDER_FACTORY.setCoalescing(true); - } + public static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory(); /** * Returns the value of the named attribute of the current element. Index: jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java =================================================================== --- jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java (revision 0) +++ jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java (working copy) 
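Review bot: `public static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();` is a non-final public static field, although the Javadoc above it calls it a constant and DavMethodBase's own `BUILDER_FACTORY` in this same patch is `static final`; any class on the classpath can reassign it and thereby swap in a differently configured factory for every caller of DomUtil. Declare it `public static final DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();`. `DavDocumentBuilderFactory` itself is not part of this patch, so what the new factory configures (the removed static block set namespace awareness, comment and whitespace handling and coalescing) cannot be checked here. The Javadoc should state that those settings, and whatever entity handling the new ParserTest expects, are now the factory's responsibility, e.g. `* Constant for the shared DavDocumentBuilderFactory; the parser settings formerly applied in a static block here are configured by that class`.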
@@ -0,0 +1,78 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the \"License\"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an \"AS IS\" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.webdav.xml; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.UnsupportedEncodingException; + +import junit.framework.TestCase; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +public class ParserTest extends TestCase { + + // see + public void testBillionLaughs() throws UnsupportedEncodingException { + + String testBody = "" + "" + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + "]>" + "&lol9;"; + InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8")); + + try { + DomUtil.BUILDER_FACTORY.newDocumentBuilder().parse(is); + fail("parsing this document should cause an exception"); + } catch (Exception expected) { + } + } + + public void testExternalEntities() throws IOException { + + String dname = "target"; + String fname = "test.xml"; + + File f = new File(dname, fname); + OutputStream os = new FileOutputStream(f); + os.write("testdata".getBytes()); + os.close(); + + String testBody = "\n" + + "]>\n&test;"; + 
InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8")); + + try { + Document d = DomUtil.BUILDER_FACTORY.newDocumentBuilder().parse(is); + Element root = d.getDocumentElement(); + String text = DomUtil.getText(root); + fail("parsing this document should cause an exception, but the following external content was included: " + text); + } catch (Exception expected) { + } + } +} \ No newline at end of file Index: jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java =================================================================== --- jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java (revision 0) +++ jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java (working copy) 
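Review bot: Both tests put `DomUtil.BUILDER_FACTORY.newDocumentBuilder()` inside the same `try` as `parse(is)` and then `catch (Exception expected)`, so a `ParserConfigurationException` from an unsupported factory feature makes the test pass without the parser ever seeing the document, and so does any unrelated `IOException`. Create the builder before the `try` (`DocumentBuilder db = DomUtil.BUILDER_FACTORY.newDocumentBuilder();`, adding `ParserConfigurationException` to the method's `throws`) and narrow the handler to `catch (SAXException expected)` so that only a parser rejection counts as success. In testExternalEntities the `FileOutputStream` is not closed if `write` throws and `target/test.xml` is never removed; wrap the write in try/finally, delete the file in a `finally` after the parse, and pass `"UTF-8"` to `getBytes()` as the rest of the method does. If DavDocumentBuilderFactory resolves external entities to empty content rather than rejecting the document, this test fails even though nothing external was included; asserting that `text` does not contain `"testdata"` would cover both outcomes. The DTD and entity declarations in both test bodies appear mangled in this copy of the patch (only empty string literals survive), so their content could not be reviewed here.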
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.webdav.xml;
+
+import junit.framework.Test;
+import junit.framework.TestCase;
+import junit.framework.TestSuite;
+
+/**
+ * Test suite that includes all testcases for package org.apache.jackrabbit.webdav.xml.
+ */
+public class TestAll extends TestCase {
+
+ /**
+ * Returns a Test suite that executes all tests inside this
+ * package.
+ */
+ public static Test suite() {
+ TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
+
+ suite.addTestSuite(ParserTest.class);
+
+ return suite;
+ }
+}