MNT-10589: Merged V4.2-BUG-FIX (4.2.2) to V4.2.1 (4.2.1)

60891: Merged BRANCHES/DEV/V4.1-BUG-FIX to BRANCHES/DEV/V4.2-BUG-FIX:
      60889: Merged BRANCHES/DEV/V3.4-BUG-FIX to BRANCHES/DEV/V4.1-BUG-FIX:
           60873: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities
           60876: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities
           60887: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/PATCHES/V4.2.1/root@60909 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261

source/java/org/alfresco/repo/web/scripts/bean/ADMRemoteStore.java

@@ -70,6 +70,7 @@ import org.alfresco.service.cmr.site.SiteInfo;
 import org.alfresco.service.cmr.site.SiteService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
+import org.alfresco.util.XMLUtil;
 import org.apache.axis.utils.ByteArrayOutputStream;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -391,7 +392,7 @@ public class ADMRemoteStore extends BaseRemoteStore
     {
         try
         {
-            DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); 
+            DocumentBuilder documentBuilder = XMLUtil.getDocumentBuilderFactory(true, false).newDocumentBuilder(); 
             Document document;
             document = documentBuilder.parse(in);
             Element docEl = document.getDocumentElement();

source/java/org/alfresco/repo/web/scripts/bean/AVMRemoteStore.java

@@ -47,6 +47,7 @@ import org.alfresco.service.cmr.repository.ContentIOException;
 import org.alfresco.service.cmr.repository.ContentReader;
 import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.search.SearchService;
+import org.alfresco.util.XMLUtil;
 import org.apache.axis.utils.ByteArrayOutputStream;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -288,7 +289,7 @@ public class AVMRemoteStore extends BaseRemoteStore
                 try
                 {
                     Set<String> checkedPaths = new HashSet<String>(16);
-                    DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); 
+                    DocumentBuilder documentBuilder = XMLUtil.getDocumentBuilder(); 
                     Document document = documentBuilder.parse(in);
                     Element docEl = document.getDocumentElement();
                     Transformer transformer = AVMRemoteStore.this.transformer.get();

source/java/org/alfresco/repo/webdav/WebDAVMethod.java

@@ -67,6 +67,7 @@ import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.TempFileProvider;
+import org.alfresco.util.XMLUtil;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.dom4j.DocumentHelper;
@@ -533,19 +534,7 @@ public abstract class WebDAVMethod
 
             try
             {
-                DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-                factory.setFeature("http://xml.org/sax/features/validation", false);
-                factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
-                factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
-                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
-                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-                factory.setFeature("http://xml.org/sax/features/use-entity-resolver2", false);   
-                factory.setFeature("http://apache.org/xml/features/validation/unparsed-entity-checking", false);
-                factory.setFeature("http://apache.org/xml/features/validation/dynamic", false);
-                factory.setFeature("http://apache.org/xml/features/validation/schema/augment-psvi", false);
-                factory.setNamespaceAware(true);
-
-                DocumentBuilder builder = factory.newDocumentBuilder();
+                DocumentBuilder builder = XMLUtil.getDocumentBuilderFactory(true, false).newDocumentBuilder();
                 if (m_request.getCharacterEncoding() == null)
                 {
                     // Let the XML parser work out the encoding if it is not explicitly declared in the HTTP header