[prettyfaces] r462 committed - Prevent downloading of web.xml DTD


prett...@googlecode.com

Nov 4, 2010, 12:48:14 PM11/4/10
to prettyfac...@googlegroups.com
Revision: 462
Author: chkalt
Date: Thu Nov 4 09:47:36 2010
Log: Prevent downloading of web.xml DTD
http://code.google.com/p/prettyfaces/source/detail?r=462

Added:

/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/util/EmptyEntityResolver.java
Modified:
/prettyfaces/trunk/CHANGELOG.txt

/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/config/servlet/WebXmlParser.java

/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/el/resolver/FacesConfigBeanNameResolver.java

=======================================
--- /dev/null
+++
/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/util/EmptyEntityResolver.java
Thu Nov 4 09:47:36 2010
@@ -0,0 +1,27 @@
+package com.ocpsoft.pretty.faces.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+/**
+ * <p>
+ * Empty {@link EntityResolver} to disable downloading of external
entities.
+ * Will work without problems for the parts of the
<code>faces-config.xml</code>
+ * we are parsing.
+ * </p>
+ *
+ * @see http://wiki.apache.org/commons/Digester/FAQ
+ */
+public class EmptyEntityResolver implements EntityResolver
+{
+
+ public InputSource resolveEntity(String publicId, String systemId)
throws SAXException, IOException
+ {
+ return new InputSource(new ByteArrayInputStream(new byte[0]));
+ }
+
+}
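Review bot: The class Javadoc still says the resolver is safe "for the parts of the faces-config.xml we are parsing", but the class is now public and WebXmlParser uses it for web.xml as well, so the comment should name both descriptors and state the contract: `resolveEntity` answers every public/system id with an empty stream, so no DTD or other external entity is ever read from the network or the file system. It is worth adding that anything a document expects from an external entity (DTD-supplied attribute defaults, entity text) is silently dropped, which suits a non-validating Digester but would surprise a caller who reuses the class elsewhere. The `@see http://…` tag is not a valid Javadoc form; `@see <a href="http://wiki.apache.org/commons/Digester/FAQ">Digester FAQ</a>` renders correctly. Since the resolver is stateless and not designed for extension, declaring it `public final class EmptyEntityResolver` would also be reasonable.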
=======================================
--- /prettyfaces/trunk/CHANGELOG.txt Mon Oct 18 13:39:15 2010
+++ /prettyfaces/trunk/CHANGELOG.txt Thu Nov 4 09:47:36 2010
@@ -15,10 +15,10 @@
* PrettyFilter no longer wraps application exceptions in ServletException

Bugfixes:
-
* Fixed compatibility with Java 1.5
* Fixed EL method invocation in JSF 1.1 branch.
* Removed HttpSession accesses that could potentially create an unwanted
user session. (#62)
+* Prevent downloading of web.xml DTDs


------------------------------------
=======================================
---
/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/config/servlet/WebXmlParser.java
Fri Oct 1 07:10:34 2010
+++
/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/config/servlet/WebXmlParser.java
Thu Nov 4 09:47:36 2010
@@ -30,6 +30,7 @@

import com.ocpsoft.pretty.PrettyException;
import com.ocpsoft.pretty.faces.config.PrettyConfigParser;
+import com.ocpsoft.pretty.faces.util.EmptyEntityResolver;

/**
* Digester-based implementation of {@link PrettyConfigParser}.
@@ -128,6 +129,9 @@
*/
digester.setUseContextClassLoader(true);

+ // prevent downloading of DTDs
+ digester.setEntityResolver(new EmptyEntityResolver());
+
digester.addObjectCreate("web-app/servlet", ServletDefinition.class);

digester.addCallMethod("web-app/servlet/servlet-name", "setServletName", 0);

digester.addCallMethod("web-app/servlet/servlet-class", "setServletClass",
0);
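Review bot: The comment `// prevent downloading of DTDs` understates what the added `setEntityResolver` call does: EmptyEntityResolver returns an empty stream for every external entity, not only DTDs, so external-entity references in web.xml cannot pull in local files or URLs either; `// resolve all external entities (DTDs included) to empty input: no network or file access while parsing` would say so. An EntityResolver is only consulted for external entities, so entities declared in a document's internal DOCTYPE subset are presumably still expanded; if these descriptors can ever come from a source less trusted than the application archive, consider also calling `digester.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` before parsing, where the parser supports it. The same applies to the identical call in the FacesConfigBeanNameResolver hunk further down. The enclosing method starts and ends outside this hunk.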
=======================================
---
/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/el/resolver/FacesConfigBeanNameResolver.java
Wed Aug 4 12:20:11 2010
+++
/prettyfaces/trunk/core/src/main/java/com/ocpsoft/pretty/faces/el/resolver/FacesConfigBeanNameResolver.java
Thu Nov 4 09:47:36 2010
@@ -1,6 +1,5 @@
package com.ocpsoft.pretty.faces.el.resolver;

-import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
@@ -23,11 +22,10 @@
import org.apache.commons.digester.Digester;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
-import org.xml.sax.EntityResolver;
-import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

import com.ocpsoft.pretty.faces.el.BeanNameResolver;
+import com.ocpsoft.pretty.faces.util.EmptyEntityResolver;

/**
*
@@ -253,9 +251,11 @@
* This fixes ClassNotFoundExceptions on Geronimo.
*/
digester.setUseContextClassLoader(true);
-
- digester.setValidating(false);
+
+ // prevent downloading of DTDs
digester.setEntityResolver(new EmptyEntityResolver());
+
+ digester.setValidating(false);
digester.push(facesConfigEntries);
digester.addObjectCreate("faces-config/managed-bean",
FacesConfigEntry.class);

digester.addCallMethod("faces-config/managed-bean/managed-bean-name", "setName",
0);
@@ -345,22 +345,6 @@
{
this.beanClass = beanClass;
}
-
- }
-
- /**
- * Empty {@link EntityResolver} to disable downloading of external
entities.
- * Will work without problems for the parts of the
- * <code>faces-config.xml</code> we are parsing. See:
- * http://wiki.apache.org/commons/Digester/FAQ
- */
- private static class EmptyEntityResolver implements EntityResolver
- {
-
- public InputSource resolveEntity(String publicId, String systemId)
throws SAXException, IOException
- {
- return new InputSource(new ByteArrayInputStream(new byte[0]));
- }

}
