prevent access to XSD
diff --git a/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java b/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java
index b71db59..505b120 100644
--- a/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java
+++ b/src/main/java/org/apache/log4j/chainsaw/receivers/ReceiversPanel.java
@@ -47,6 +47,7 @@
import javax.swing.tree.DefaultMutableTreeNode;
import javax.swing.tree.ExpandVetoException;
import javax.swing.tree.TreePath;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
@@ -372,6 +373,9 @@
try {
//we programmatically register the ZeroConf plugin in the plugin registry
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.newDocument();
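Review bot: `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` is a `TransformerFactory` property, so passing it to `factory.setAttribute(...)` on the `DocumentBuilderFactory` is at best ignored and may throw `IllegalArgumentException` on implementations that reject unknown attributes; whether that aborts this block depends on the catch, which is outside the hunk. The builder is only used for `builder.newDocument()` in the visible lines, so nothing is parsed here and the DTD restriction protects very little. The restrictions matter on the `TransformerFactory` in the next hunk, which only gains a blank line; I would set them there with `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`. If the goal named in the commit title is XSD access, the parser-side property is `XMLConstants.ACCESS_EXTERNAL_SCHEMA`.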
@@ -403,6 +407,7 @@
}
TransformerFactory transformerFactory = TransformerFactory.newInstance();
+
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
diff --git a/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java b/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java
index 9e3ddfa..4715979 100644
--- a/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java
+++ b/src/main/java/org/apache/log4j/xml/UtilLoggingXMLDecoder.java
@@ -17,6 +17,7 @@
package org.apache.log4j.xml;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.log4j.spi.Decoder;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
@@ -24,6 +25,7 @@
import org.xml.sax.InputSource;
import javax.swing.*;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -84,24 +86,13 @@
/**
* Create new instance.
- *
- * @param o owner
- */
- public UtilLoggingXMLDecoder(final Component o) {
- this();
- this.owner = o;
- }
-
- /**
- * Create new instance.
*/
public UtilLoggingXMLDecoder() {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setValidating(false);
-
try {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
docBuilder = dbf.newDocumentBuilder();
-// docBuilder.setErrorHandler(new SAXErrorHandler());
docBuilder.setEntityResolver(new UtilLoggingEntityResolver());
} catch (ParserConfigurationException pce) {
System.err.println("Unable to get document builder");
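Review bot: `FEATURE_SECURE_PROCESSING` alone gives implementation-dependent protection against external entity and DTD retrieval: the JDK's built-in parser restricts external access when it is set explicitly, but a different parser on the classpath may only apply resource limits. Unlike the `XMLDecoder` constructor in this commit, nothing else is restricted here, so XXE protection still rests on `UtilLoggingEntityResolver`, whose behaviour is not visible. If the java.util.logging input needs its DOCTYPE, consider adding `dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);`, `dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `dbf.setExpandEntityReferences(false);`. Separately, removing the public `UtilLoggingXMLDecoder(Component)` constructor is a source-incompatible change that the commit message does not mention.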
@@ -127,6 +118,7 @@
* @param data XML fragment
* @return dom document
*/
+ @SuppressFBWarnings // applied security practices
private Document parse(final String data) {
if (docBuilder == null || data == null) {
return null;
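Review bot: A bare `@SuppressFBWarnings` silences every FindBugs/SpotBugs detector for `parse(String)`, not only the XML one, and the trailing `//` comment does not reach the tool's reports. Narrow it to the pattern actually reported and put the reason in the annotation, for example `@SuppressFBWarnings(value = "XXE_DOCUMENT", justification = "parser hardened in constructor")` if that is the pattern being flagged. The same applies to the annotation added on `decode(URL)` in the next hunk, where the TODO admits the finding is real, so the suppression hides an open issue rather than a false positive. The body of `parse` continues outside the hunk.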
@@ -173,6 +165,7 @@
* @return Vector of LoggingEvents
* @throws IOException if IO error during processing.
*/
+ @SuppressFBWarnings // TODO: loading files like this is dangerous - at least in web. see if we can do better
public Vector<ChainsawLoggingEvent> decode(final URL url) throws IOException {
LineNumberReader reader;
boolean isZipFile = url.getPath().toLowerCase().endsWith(".zip");
@@ -316,11 +309,10 @@
String threadName = null;
String message = null;
String ndc = null;
- String[] exception = null;
String className = null;
String methodName = null;
String fileName = null;
- String lineNumber = null;
+ String lineNumber = "0"; // TODO this is not working
Hashtable properties = new Hashtable();
//format of date: 2003-05-04T11:04:52
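Review bot: The new default `String lineNumber = "0"; // TODO this is not working` replaces "unknown" (`null`) with a value that later code cannot tell apart from a real line 0, and the TODO does not say what fails. Either keep `null` until the parsing is fixed, or reword the comment to name the problem, e.g. `// TODO: line number is never populated from the record; "0" is a placeholder`. The enclosing method starts and ends outside the hunk, so how `lineNumber` is consumed is not visible here.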
@@ -389,10 +381,6 @@
}
}
}
- if (exceptionList.size() > 0) {
- exception =
- (String[]) exceptionList.toArray(new String[exceptionList.size()]);
- }
}
}
diff --git a/src/main/java/org/apache/log4j/xml/XMLDecoder.java b/src/main/java/org/apache/log4j/xml/XMLDecoder.java
index 14aa96b..6f58baa 100644
--- a/src/main/java/org/apache/log4j/xml/XMLDecoder.java
+++ b/src/main/java/org/apache/log4j/xml/XMLDecoder.java
@@ -17,6 +17,7 @@
package org.apache.log4j.xml;
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import org.apache.log4j.spi.Decoder;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
@@ -24,6 +25,7 @@
import org.xml.sax.InputSource;
import javax.swing.*;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -114,9 +116,10 @@
*/
public XMLDecoder() {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setValidating(false);
-
try {
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setValidating(false);
docBuilder = dbf.newDocumentBuilder();
// docBuilder.setErrorHandler(new SAXErrorHandler());
docBuilder.setEntityResolver(new Log4jEntityResolver());
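Review bot: Enabling `http://apache.org/xml/features/disallow-doctype-decl` makes the parser reject any document containing a DOCTYPE, yet the constructor still installs `Log4jEntityResolver`, which only has a purpose if a DTD reference is present in the parsed text. If `parse` (outside this hunk) wraps events in a header with a DOCTYPE, every decode would now fail, so a test decoding one sample event with this configuration would be worth adding. The feature URI is also Xerces-specific, and a parser that does not recognise it will throw `ParserConfigurationException` from `setFeature`; if the catch outside the hunk only logs, `docBuilder` stays null and decoding is disabled silently. If the DOCTYPE is needed, disabling `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` instead keeps the resolver meaningful.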