Merged V4.1-BUG-FIX to HEAD

39828: Merged V4.1 to V4.1-BUG-FIX
      39827: Merged PATCHES/V4.0.2 to V4.1
         39825: ALF-13453 / ALF-13844: Merged V3.4-BUG-FIX to PATCHES/V4.0.2
            39823: ALF-13552, ALF-13978: Reverse merged the following revisions - won't fix, because they caused regressions and the issue is not a serious vulnerability
               35341: ALF-13552: Merged V4.0 to V3.4
                  35296: ALF-13453: Merged V4.0-BUG-FIX to V4.0
                     35295: Fix for ALF-13453: Remote Code Execution (can create reverse shell)
                  35304: ALF-13453: Extra fix to ensure xalan namespace isn't declared with global scope and can't be hijacked by an input stylesheet
                  35307: ALF-13453: Duplicated extra fix to duplicate code in XSLTRenderingEngine!
               36101: ALF-13978: Merged V4.0-BUG-FIX to V3.4
                  36014: ALF-13844: XSLT Filtering Not 100% Secure
                     - added more namespaces to the security filter.
                     - verified that include/import uses the security filter.
               36108: ALF-13978: Fixed compilation errors
            39824: ALF-13552, ALF-13978: Fixed compilation errors


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@39829 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Dave Ward
2012-07-26 15:50:56 +00:00
parent b7b3e48342
commit 8e45523e7a


@@ -40,9 +40,9 @@ import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamResult;
import org.alfresco.service.namespace.QName; import org.alfresco.service.namespace.QName;
import org.alfresco.util.XMLUtil;
import org.apache.bsf.BSFManager; import org.apache.bsf.BSFManager;
import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.apache.xml.dtm.ref.DTMNodeProxy; import org.apache.xml.dtm.ref.DTMNodeProxy;
@@ -55,8 +55,6 @@ import org.w3c.dom.traversal.NodeFilter;
import org.w3c.dom.traversal.NodeIterator; import org.w3c.dom.traversal.NodeIterator;
import org.xml.sax.SAXException; import org.xml.sax.SAXException;
import org.alfresco.util.XMLUtil;
/** /**
* A rendering engine which uses xsl templates to render renditions of * A rendering engine which uses xsl templates to render renditions of
* form instance data. * form instance data.
@@ -261,12 +259,14 @@ public class XSLTRenderingEngine
final Element docEl = xslTemplate.getDocumentElement(); final Element docEl = xslTemplate.getDocumentElement();
final String XALAN_NS = Constants.S_BUILTIN_EXTENSIONS_URL; final String XALAN_NS = Constants.S_BUILTIN_EXTENSIONS_URL;
final String XALAN_NS_PREFIX = "xalan"; final String XALAN_NS_PREFIX = "xalan";
docEl.setAttribute("xmlns:" + XALAN_NS_PREFIX, XALAN_NS);
final Set<String> excludePrefixes = new HashSet<String>(); final Set<String> excludePrefixes = new HashSet<String>();
if (docEl.hasAttribute("exclude-result-prefixes")) if (docEl.hasAttribute("exclude-result-prefixes"))
{ {
excludePrefixes.addAll(Arrays.asList(docEl.getAttribute("exclude-result-prefixes").split(" "))); excludePrefixes.addAll(Arrays.asList(docEl.getAttribute("exclude-result-prefixes").split(" ")));
} }
excludePrefixes.add(XALAN_NS_PREFIX);
final List<String> result = new LinkedList<String>(); final List<String> result = new LinkedList<String>();
for (QName ns : methods.keySet()) for (QName ns : methods.keySet())
@@ -385,7 +385,7 @@ public class XSLTRenderingEngine
Document xslTemplate = null; Document xslTemplate = null;
try try
{ {
xslTemplate = XMLUtil.secureParseXSL(ret.getInputStream()); xslTemplate = XMLUtil.parse(ret.getInputStream());
} }
catch (final SAXException sax) catch (final SAXException sax)
{ {
@@ -448,7 +448,7 @@ public class XSLTRenderingEngine
try try
{ {
final Document d = XMLUtil.secureParseXSL(in); final Document d = XMLUtil.parse(in);
if (LOGGER.isDebugEnabled()) if (LOGGER.isDebugEnabled())
LOGGER.debug("loaded " + XMLUtil.toString(d)); LOGGER.debug("loaded " + XMLUtil.toString(d));
return new DOMSource(d); return new DOMSource(d);
@@ -481,12 +481,7 @@ public class XSLTRenderingEngine
final StringBuilder msg = new StringBuilder("errors encountered creating tranformer ... \n"); final StringBuilder msg = new StringBuilder("errors encountered creating tranformer ... \n");
for (TransformerException te : errors) for (TransformerException te : errors)
{ {
msg.append(te.getMessageAndLocation()).append("\n"); msg.append(te.getMessageAndLocation()).append("\n");
String cause = ExceptionUtils.getRootCauseMessage(te);
if (cause != null)
{
msg.append(" caused by: " + cause);
}
} }
throw new RenderingEngine.RenderingException(msg.toString()); throw new RenderingEngine.RenderingException(msg.toString());
} }
@@ -522,11 +517,6 @@ public class XSLTRenderingEngine
for (TransformerException te : errors) for (TransformerException te : errors)
{ {
msg.append(te.getMessageAndLocation()).append("\n"); msg.append(te.getMessageAndLocation()).append("\n");
String cause = ExceptionUtils.getRootCauseMessage(te);
if (cause != null)
{
msg.append(" caused by: " + cause);
}
} }
throw new RenderingEngine.RenderingException(msg.toString()); throw new RenderingEngine.RenderingException(msg.toString());
} }
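Review bot: On the new side the stylesheet is loaded with `XMLUtil.parse(ret.getInputStream())` (hunk at line 385) and `XMLUtil.parse(in)` (hunk at line 448), so the stylesheet DOM no longer goes through the secureParseXSL filter that the commit message identifies as the ALF-13453 / ALF-13844 fix, and nothing in the code records that this is deliberate. Together with the `xmlns:xalan` declaration and `excludePrefixes.add(XALAN_NS_PREFIX)` lines that the hunk at line 261 drops, the engine's safety now rests entirely on the stylesheet coming from a trusted source, which is a caller obligation that should be stated where the parse happens rather than only in the commit history. I would add above each of the two parse calls: `// Stylesheet is parsed without the XSLT security filter (ALF-13453/ALF-13844 reverse-merged because of regressions); the template must come from a trusted source.` The enclosing methods in both hunks start and end outside the shown lines, and the old/new side of the single-copy lines is inferred from the hunk counts and the commit message, since the rendered page has lost the +/- markers.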