LDEV-3451 add back support for pass thru of additional xml feature se…
zspitzer committed Jul 20, 2023
1 parent 50a1f84 commit fff836f
Showing 4 changed files with 48 additions and 16 deletions.
Expand Up @@ -96,6 +96,15 @@ public static Struct call(PageContext pc, boolean suppressFunctions) throws Page
sxml.setEL("secure", xmlFeatures.get("secure", true));
sxml.setEL("disallowDoctypeDecl", xmlFeatures.get("disallowDoctypeDecl", true));
sxml.setEL("externalGeneralEntities", xmlFeatures.get("externalGeneralEntities", false));
if (!xmlFeatures.isEmpty()){ // pass thru other values
Iterator<Key> it = xmlFeatures.keySet().iterator();
Key name;
while (it.hasNext()) {
name = KeyImpl.toKey(it.next());
if (!sxml.containsKey( name ) )
sxml.setEL(name,xmlFeatures.get(name));
}
}
sct.setEL("xmlFeatures", sxml);

sct.setEL("customTagPaths", toArray(ac.getCustomTagMappings()));
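Review bot: `name = KeyImpl.toKey(it.next())` in the added pass-through loop converts a value that is already a `Key` (the iterator is declared `Iterator<Key>`), so the conversion is a no-op and the manual iterator plus the `if (!xmlFeatures.isEmpty())` guard can be collapsed to `for (Key name : xmlFeatures.keySet()) { if (!sxml.containsKey(name)) sxml.setEL(name, xmlFeatures.get(name)); }`, since an empty key set simply does not loop. The unbraced single-statement `if` on the `sxml.setEL` line departs from the braced style of the surrounding code. A short comment such as `// the three aliases set above win over same-named pass-through keys` would document why `containsKey` is checked before copying. call() starts before this hunk, so where xmlFeatures comes from is not visible here.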
34 changes: 18 additions & 16 deletions core/src/main/java/lucee/runtime/text/xml/XMLUtil.java
Expand Up @@ -333,32 +333,36 @@ private static DocumentBuilderFactory newDocumentBuilderFactory(InputSource vali
boolean featureSecure = true;
boolean disallowDocType = true;
boolean externalGeneralEntities = false;
Struct features = null;

// can be overriden per application
PageContext pc = ThreadLocalPageContext.get();
if (pc != null) {
ApplicationContextSupport ac = ((ApplicationContextSupport) pc.getApplicationContext());
Struct features = ac == null ? null : ac.getXmlFeatures();
features = ac == null ? null : ac.getXmlFeatures();
if (features != null) {
try { // handle feature aliases, e.g. secure
Object obj;

obj = features.get(KEY_FEATURE_SECURE, null);
if (obj != null) featureSecure = Caster.toBoolean(obj);
features.remove(KEY_FEATURE_SECURE, null);

obj = features.get(KEY_FEATURE_DISALLOW_DOCTYPE_DECL, null);
if (obj != null) disallowDocType = Caster.toBoolean(obj);
features.remove(KEY_FEATURE_DISALLOW_DOCTYPE_DECL, null);

obj = features.get(KEY_FEATURE_EXTERNAL_GENERAL_ENTITIES, null);
if (obj != null) externalGeneralEntities = Caster.toBoolean(obj);
features.remove(KEY_FEATURE_EXTERNAL_GENERAL_ENTITIES, null);
}
catch (PageException ex) {
throw new RuntimeException(ex);
}
}
}

try { // handle feature aliases, e.g. secure
try { // set built in feature aliases
if (featureSecure) {
// set features per
// https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Expand All @@ -371,27 +375,25 @@ private static DocumentBuilderFactory newDocumentBuilderFactory(InputSource vali
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
}
//features.remove(KEY_FEATURE_SECURE);

factory.setFeature(XMLConstants.FEATURE_DISALLOW_DOCTYPE_DECL, disallowDocType);
//features.remove(KEY_FEATURE_DISALLOW_DOCTYPE_DECL);

factory.setFeature(XMLConstants.FEATURE_EXTERNAL_GENERAL_ENTITIES, externalGeneralEntities);
//features.remove(KEY_FEATURE_EXTERNAL_GENERAL_ENTITIES);
}
catch (ParserConfigurationException ex) {
throw new RuntimeException(ex);
}
/*
features.forEach((k, v) -> {
try {
factory.setFeature(k.toString().toLowerCase(), Caster.toBoolean(v));
}
catch (PageException | ParserConfigurationException ex) {
throw new RuntimeException(ex);
}
});
*/
// pass thru any additional feature directives
// https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
if (features != null){
features.forEach((k, v) -> {
try {
factory.setFeature(k.toString().toLowerCase(), Caster.toBoolean(v));
}
catch (PageException | ParserConfigurationException ex) {
throw new RuntimeException(ex);
}
});
}
return factory;
}

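Review bot: The three `features.remove(KEY_FEATURE_…, null)` calls added in the first hunk mutate the Struct returned by `ac.getXmlFeatures()`; unless that accessor hands out a fresh copy (not visible here), the first parse strips `secure`, `disallowDoctypeDecl` and `externalGeneralEntities` from the application's shared settings, so later parses in the same application silently fall back to the built-in defaults and the settings are no longer reported to callers. Working on a shallow copy keeps the removal local, e.g. `features = ac == null ? null : ac.getXmlFeatures(); if (features != null) features = features.duplicate(false);`. In the second hunk the pass-through `features.forEach(...)` runs after the hardening block, so a pass-through entry naming the full Xerces URI of a feature that `secure` just disabled overrides it without any trace; if that precedence is intended, say so in the comment above the loop, otherwise apply the pass-through before the built-in aliases. `k.toString().toLowerCase()` should pass `Locale.ROOT` so the feature id is not subject to locale-dependent casing. newDocumentBuilderFactory begins before the first hunk, so the factory construction is outside this view.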
13 changes: 13 additions & 0 deletions test/tickets/LDEV4348.cfc
Expand Up @@ -43,6 +43,19 @@ component extends = "org.lucee.cfml.test.LuceeTestCase" labels="xml" {
expect( result.externalGeneralEntities ).toBeTrue();
});

it( title="Check xmlFeatures, check pass thru",body = function ( currentSpec ) {
local.result = _InternalRequest(
template : "#uri#/LDEV4348.cfm",
forms : {
scene: "testPassthru"
}
).filecontent.deserializeJson();
expect( result.secure ).toBeFalse();
expect( result.disallowDoctypeDecl ).toBeFalse();
expect( result.externalGeneralEntities ).toBeTrue();
expect( result["http://apache.org/xml/features/validation/id-idref-checking"] ).toBeTrue();
});

});

}
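Review bot: The new `Check xmlFeatures, check pass thru` spec only asserts that the id-idref-checking key is echoed back in `result`, i.e. that the settings function reports it; nothing here shows the feature actually reaching the XML parser. An assertion that parses a document under the `testPassthru` scene and observes the feature's effect (or its absence when the key is left out) would cover the XMLUtil side of this commit. The expectations for `secure`, `disallowDoctypeDecl` and `externalGeneralEntities` appear to repeat the preceding spec, so a comment marking the last `expect` as the pass-through-specific check would make the intent clearer. The enclosing component begins before this hunk.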
8 changes: 8 additions & 0 deletions test/tickets/LDEV4348/Application.cfc
Expand Up @@ -17,6 +17,14 @@ component {
"disallowDoctypeDecl": false
};
break;
case "testPassthru":
this.xmlFeatures = {
"externalGeneralEntities": true,
"secure": false,
"disallowDoctypeDecl": false,
"http://apache.org/xml/features/validation/id-idref-checking": true
};
break;
case "default":
break;
default:
