1 | // License: GPL. For details, see LICENSE file.
|
---|
2 | package org.openstreetmap.josm.tools;
|
---|
3 |
|
---|
4 | import java.io.IOException;
|
---|
5 | import java.io.InputStream;
|
---|
6 |
|
---|
7 | import javax.xml.XMLConstants;
|
---|
8 | import javax.xml.parsers.DocumentBuilder;
|
---|
9 | import javax.xml.parsers.DocumentBuilderFactory;
|
---|
10 | import javax.xml.parsers.ParserConfigurationException;
|
---|
11 | import javax.xml.parsers.SAXParser;
|
---|
12 | import javax.xml.parsers.SAXParserFactory;
|
---|
13 | import javax.xml.stream.XMLInputFactory;
|
---|
14 | import javax.xml.transform.TransformerConfigurationException;
|
---|
15 | import javax.xml.transform.TransformerFactory;
|
---|
16 | import javax.xml.validation.SchemaFactory;
|
---|
17 | import javax.xml.validation.SchemaFactoryConfigurationError;
|
---|
18 |
|
---|
19 | import org.w3c.dom.Document;
|
---|
20 | import org.xml.sax.InputSource;
|
---|
21 | import org.xml.sax.SAXException;
|
---|
22 | import org.xml.sax.helpers.DefaultHandler;
|
---|
23 |
|
---|
24 | /**
|
---|
25 | * XML utils, mainly used to construct safe factories.
|
---|
26 | * @since 13901
|
---|
27 | */
|
---|
28 | public final class XmlUtils {
|
---|
29 |
|
---|
30 | private XmlUtils() {
|
---|
31 | // Hide default constructor for utils classes
|
---|
32 | }
|
---|
33 |
|
---|
34 | /**
|
---|
35 | * Returns the W3C XML Schema factory implementation. Robust method dealing with ContextClassLoader problems.
|
---|
36 | * @return the W3C XML Schema factory implementation
|
---|
37 | */
|
---|
38 | public static SchemaFactory newXmlSchemaFactory() {
|
---|
39 | try {
|
---|
40 | return SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
---|
41 | } catch (SchemaFactoryConfigurationError e) {
|
---|
42 | Logging.debug(e);
|
---|
43 | // Can happen with icedtea-web. Use workaround from https://issues.apache.org/jira/browse/GERONIMO-6185
|
---|
44 | Thread currentThread = Thread.currentThread();
|
---|
45 | ClassLoader old = currentThread.getContextClassLoader();
|
---|
46 | currentThread.setContextClassLoader(null);
|
---|
47 | try {
|
---|
48 | return SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
|
---|
49 | } finally {
|
---|
50 | currentThread.setContextClassLoader(old);
|
---|
51 | }
|
---|
52 | }
|
---|
53 | }
|
---|
54 |
|
---|
55 | /**
|
---|
56 | * Returns a new secure DOM builder, supporting XML namespaces.
|
---|
57 | * @return a new secure DOM builder, supporting XML namespaces
|
---|
58 | * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
|
---|
59 | */
|
---|
60 | public static DocumentBuilder newSafeDOMBuilder() throws ParserConfigurationException {
|
---|
61 | DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
|
---|
62 | builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
---|
63 | builderFactory.setNamespaceAware(true);
|
---|
64 | builderFactory.setValidating(false);
|
---|
65 | return builderFactory.newDocumentBuilder();
|
---|
66 | }
|
---|
67 |
|
---|
68 | /**
|
---|
69 | * Parse the content given {@link InputStream} as XML.
|
---|
70 | * This method uses a secure DOM builder, supporting XML namespaces.
|
---|
71 | *
|
---|
72 | * @param is The InputStream containing the content to be parsed.
|
---|
73 | * @return the result DOM document
|
---|
74 | * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
|
---|
75 | * @throws IOException if any IO errors occur.
|
---|
76 | * @throws SAXException for SAX errors.
|
---|
77 | */
|
---|
78 | public static Document parseSafeDOM(InputStream is) throws ParserConfigurationException, IOException, SAXException {
|
---|
79 | long start = System.currentTimeMillis();
|
---|
80 | Logging.debug("Starting DOM parsing of {0}", is);
|
---|
81 | Document result = newSafeDOMBuilder().parse(is);
|
---|
82 | if (Logging.isDebugEnabled()) {
|
---|
83 | Logging.debug("DOM parsing done in {0}", Utils.getDurationString(System.currentTimeMillis() - start));
|
---|
84 | }
|
---|
85 | return result;
|
---|
86 | }
|
---|
87 |
|
---|
88 | /**
|
---|
89 | * Returns a new secure SAX parser, supporting XML namespaces.
|
---|
90 | * @return a new secure SAX parser, supporting XML namespaces
|
---|
91 | * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
|
---|
92 | * @throws SAXException for SAX errors.
|
---|
93 | */
|
---|
94 | public static SAXParser newSafeSAXParser() throws ParserConfigurationException, SAXException {
|
---|
95 | SAXParserFactory parserFactory = SAXParserFactory.newInstance();
|
---|
96 | parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
---|
97 | parserFactory.setNamespaceAware(true);
|
---|
98 | return parserFactory.newSAXParser();
|
---|
99 | }
|
---|
100 |
|
---|
101 | /**
|
---|
102 | * Parse the content given {@link org.xml.sax.InputSource} as XML using the specified {@link org.xml.sax.helpers.DefaultHandler}.
|
---|
103 | * This method uses a secure SAX parser, supporting XML namespaces.
|
---|
104 | *
|
---|
105 | * @param is The InputSource containing the content to be parsed.
|
---|
106 | * @param dh The SAX DefaultHandler to use.
|
---|
107 | * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
|
---|
108 | * @throws SAXException for SAX errors.
|
---|
109 | * @throws IOException if any IO errors occur.
|
---|
110 | */
|
---|
111 | public static void parseSafeSAX(InputSource is, DefaultHandler dh) throws ParserConfigurationException, SAXException, IOException {
|
---|
112 | long start = System.currentTimeMillis();
|
---|
113 | Logging.debug("Starting SAX parsing of {0} using {1}", is, dh);
|
---|
114 | newSafeSAXParser().parse(is, dh);
|
---|
115 | if (Logging.isDebugEnabled()) {
|
---|
116 | Logging.debug("SAX parsing done in {0}", Utils.getDurationString(System.currentTimeMillis() - start));
|
---|
117 | }
|
---|
118 | }
|
---|
119 |
|
---|
120 | /**
|
---|
121 | * Returns a new secure {@link XMLInputFactory}.
|
---|
122 | * @return a new secure {@code XMLInputFactory}, for which external entities are not loaded
|
---|
123 | */
|
---|
124 | public static XMLInputFactory newSafeXMLInputFactory() {
|
---|
125 | XMLInputFactory factory = XMLInputFactory.newInstance();
|
---|
126 | // do not try to load external entities, nor validate the XML
|
---|
127 | factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
|
---|
128 | factory.setProperty(XMLInputFactory.IS_VALIDATING, Boolean.FALSE);
|
---|
129 | factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
|
---|
130 | return factory;
|
---|
131 | }
|
---|
132 |
|
---|
133 | /**
|
---|
134 | * Returns a new secure {@link TransformerFactory}.
|
---|
135 | * @return a new secure {@link TransformerFactory}
|
---|
136 | * @throws TransformerConfigurationException if the factory or the Transformers or Templates it creates cannot support this feature.
|
---|
137 | */
|
---|
138 | public static TransformerFactory newSafeTransformerFactory() throws TransformerConfigurationException {
|
---|
139 | TransformerFactory factory = TransformerFactory.newInstance();
|
---|
140 | factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
---|
141 | return factory;
|
---|
142 | }
|
---|
143 | }
|
---|