[458571] XXE on Eclipse IDE (DTD)
Signed-off-by: Nitin Dahyabhai <thatnitind@gmail.com>
diff --git a/xml/bundles/org.eclipse.wst.dtd.core/META-INF/MANIFEST.MF b/xml/bundles/org.eclipse.wst.dtd.core/META-INF/MANIFEST.MF
index 33a8455..810388d 100644
--- a/xml/bundles/org.eclipse.wst.dtd.core/META-INF/MANIFEST.MF
+++ b/xml/bundles/org.eclipse.wst.dtd.core/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.wst.dtd.core; singleton:=true
-Bundle-Version: 1.2.0.qualifier
+Bundle-Version: 1.2.100.qualifier
Bundle-Activator: org.eclipse.wst.dtd.core.internal.DTDCorePlugin
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/xml/bundles/org.eclipse.wst.dtd.core/pom.xml b/xml/bundles/org.eclipse.wst.dtd.core/pom.xml
index c11976f..f47acde 100644
--- a/xml/bundles/org.eclipse.wst.dtd.core/pom.xml
+++ b/xml/bundles/org.eclipse.wst.dtd.core/pom.xml
@@ -21,7 +21,7 @@
<groupId>org.eclipse.webtools.sourceediting</groupId>
<artifactId>org.eclipse.wst.dtd.core</artifactId>
- <version>1.2.0-SNAPSHOT</version>
+ <version>1.2.100-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
<build>
diff --git a/xml/bundles/org.eclipse.wst.dtd.core/saxparser/org/eclipse/wst/dtd/core/internal/saxparser/DTDParser.java b/xml/bundles/org.eclipse.wst.dtd.core/saxparser/org/eclipse/wst/dtd/core/internal/saxparser/DTDParser.java
index 418bbb5..1d09a55 100644
--- a/xml/bundles/org.eclipse.wst.dtd.core/saxparser/org/eclipse/wst/dtd/core/internal/saxparser/DTDParser.java
+++ b/xml/bundles/org.eclipse.wst.dtd.core/saxparser/org/eclipse/wst/dtd/core/internal/saxparser/DTDParser.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2001, 2012 IBM Corporation and others.
+ * Copyright (c) 2001, 2020 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
@@ -24,9 +24,12 @@
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
+import org.eclipse.core.runtime.preferences.InstanceScope;
import org.eclipse.wst.common.uriresolver.internal.provisional.URIResolver;
import org.eclipse.wst.common.uriresolver.internal.provisional.URIResolverPlugin;
import org.eclipse.wst.common.uriresolver.internal.util.URIHelper;
+import org.eclipse.wst.xml.core.internal.XMLCorePlugin;
+import org.eclipse.wst.xml.core.internal.preferences.XMLCorePreferenceNames;
import org.eclipse.wst.xml.core.internal.validation.core.LazyURLInputStream;
import org.xml.sax.ContentHandler;
import org.xml.sax.DTDHandler;
@@ -105,6 +108,10 @@
reader.setDTDHandler(this);
reader.setErrorHandler(this);
reader.setEntityResolver(this);
+
+ boolean resolveExternalEntities = InstanceScope.INSTANCE.getNode(XMLCorePlugin.getDefault().getBundle().getSymbolicName()).getBoolean(XMLCorePreferenceNames.RESOLVE_EXTERNAL_ENTITIES, false);
+ reader.setFeature("http://xml.org/sax/features/external-general-entities", resolveExternalEntities); //$NON-NLS-1$
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", resolveExternalEntities); //$NON-NLS-1$
}
catch (Exception e) {
e.printStackTrace();
@@ -553,8 +560,13 @@
elementPool.put(name, baseNode);
break;
}
- case DeclNode.INTERNAL_ENTITY :
case DeclNode.EXTERNAL_ENTITY : {
+ boolean resolveExternalEntities = InstanceScope.INSTANCE.getNode(XMLCorePlugin.getDefault().getBundle().getSymbolicName()).getBoolean(XMLCorePreferenceNames.RESOLVE_EXTERNAL_ENTITIES, false);
+ if (!resolveExternalEntities) {
+ break;
+ }
+ }
+ case DeclNode.INTERNAL_ENTITY : {
if (!parseExternalPEReference(declarationString)) {
scanner = new DTDScanner(currentDTD.getName(), declarationString);
baseNode = scanner.scanEntityDecl();
diff --git a/xml/bundles/org.eclipse.wst.dtd.core/src-validation/org/eclipse/wst/dtd/core/internal/validation/DTDValidator.java b/xml/bundles/org.eclipse.wst.dtd.core/src-validation/org/eclipse/wst/dtd/core/internal/validation/DTDValidator.java
index 4e2886f..0fc88ae 100644
--- a/xml/bundles/org.eclipse.wst.dtd.core/src-validation/org/eclipse/wst/dtd/core/internal/validation/DTDValidator.java
+++ b/xml/bundles/org.eclipse.wst.dtd.core/src-validation/org/eclipse/wst/dtd/core/internal/validation/DTDValidator.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2001, 2011 IBM Corporation and others.
+ * Copyright (c) 2001, 2020 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License 2.0
* which accompanies this distribution, and is available at
@@ -27,9 +27,12 @@
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
+import org.eclipse.core.runtime.preferences.InstanceScope;
import org.eclipse.osgi.util.NLS;
import org.eclipse.wst.common.uriresolver.internal.provisional.URIResolver;
import org.eclipse.wst.common.uriresolver.internal.provisional.URIResolverPlugin;
+import org.eclipse.wst.xml.core.internal.XMLCorePlugin;
+import org.eclipse.wst.xml.core.internal.preferences.XMLCorePreferenceNames;
import org.eclipse.wst.xml.core.internal.validation.core.LazyURLInputStream;
import org.eclipse.wst.xml.core.internal.validation.core.ValidationInfo;
import org.eclipse.wst.xml.core.internal.validation.core.ValidationReport;
@@ -425,6 +428,10 @@
reader.setEntityResolver(new DTDEntityResolver(fResolver, uri));
String document = "<!DOCTYPE root SYSTEM \"" + uri + "\"><root/>"; //$NON-NLS-1$ //$NON-NLS-2$
+ boolean resolveExternalEntities = InstanceScope.INSTANCE.getNode(XMLCorePlugin.getDefault().getBundle().getSymbolicName()).getBoolean(XMLCorePreferenceNames.RESOLVE_EXTERNAL_ENTITIES, false);
+ reader.setFeature("http://xml.org/sax/features/external-general-entities", resolveExternalEntities); //$NON-NLS-1$
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", resolveExternalEntities); //$NON-NLS-1$
+
reader.parse(new InputSource(new StringReader(document)));
Map elemDecls = dtdHandler.getElementDeclarations();
