Does the FEATURE_SECURE_PROCESSING setting in the transformerFactory include other security features?
In JDK 1.6, when I set

    transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false);

I ran into the following error:

    javax.xml.transform.TransformerConfigurationException: Unable to set feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' in this TransformerFactory.
        at org.apache.xalan.processor.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:418)
This matches what I found here: How to prevent xalan.jar that has META-INF\services\javax.xml.transform.TransformerFactory from taking over the JDK 1.6 built-in Xalan implementation? I cannot make the changes suggested there, as there will be other API conflicts addressed by my admin.

And from this link: http://xml.apache.org/xalan-j/features.html#domsource

    You can use the method TransformerFactory.setFeature(String, boolean) to set the feature value. Xalan-Java only supports the feature XMLConstants.FEATURE_SECURE_PROCESSING. For all other features, the TransformerFactory provides its own values, but cannot change their state.
Thus, we can only set this feature if the Xalan TransformerFactory implementation is used:

    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Finally, my question is: if we set the feature

    transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

will the other feature (XMLConstants.ACCESS_EXTERNAL_DTD) automatically be set to false?

I saw the above feature reported as false in the logs I added, but I want to know for sure whether accessExternalDTD is set to false by default, or whether it is set to false because the secure processing feature is set to true.
From the source it looks like other features are not updated when XMLConstants.FEATURE_SECURE_PROCESSING is set:

    // org.apache.xalan.processor.TransformerFactoryImpl (the class in the stack trace above)
    public void setFeature(String name, boolean value)
            throws TransformerConfigurationException {
        // feature name cannot be null
        if (name == null) {
            throw new NullPointerException(
                XSLMessages.createMessage(
                    XSLTErrorResources.ER_SET_FEATURE_NULL_NAME, null));
        }
        // secure processing?
        if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
            m_isSecureProcessing = value;
        }
        // This implementation does not support the setting of a feature other than
        // the secure processing feature.
        else {
            throw new TransformerConfigurationException(
                XSLMessages.createMessage(
                    XSLTErrorResources.ER_UNSUPPORTED_FEATURE,
                    new Object[] {name}));
        }
    }

So, it looks like I need to find another way to set the XMLConstants.ACCESS_EXTERNAL_DTD feature :(
I faced the same problem and got the answer here: fooobar.com/questions/15647973/...

Hope this is helpful to you.
In Java 8, yes. If we set

    TransformerFactory factory = TransformerFactory.newInstance();
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then the attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are set to "" as recommended by the OWASP guide. We can check this with:

    Object hasExternalDtd = factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
    Object hasExternalStyle = factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET);

after setting the feature FEATURE_SECURE_PROCESSING. The default value, if we haven't set it, is "all" for both properties.
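As an added example (not code from the question or from any of the answers): a small Java program that, on whichever TransformerFactory implementation is loaded from the classpath, reads the two JAXP 1.5 access attributes back before and after enabling FEATURE_SECURE_PROCESSING, and then compiles a constructed stylesheet whose DOCTYPE references an external DTD written to a temporary file, so you can see whether the factory actually blocks the load instead of trusting an attribute value. The class name, method names and the DTD contents are my own assumptions. On the JDK 8 built-in factory the expected behaviour is the one the last answer describes (attributes "all" then "", and the DTD load blocked once secure processing is on); with a classpath Xalan 2.7 factory, getAttribute throws IllegalArgumentException for the JAXP 1.5 names, which the program reports instead of crashing, and the DTD load is not blocked.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

/**
 * Added example, not from the question or answers: shows what
 * FEATURE_SECURE_PROCESSING does to the JAXP 1.5 access attributes on the
 * TransformerFactory actually in use, and proves the effect by compiling a
 * stylesheet whose DOCTYPE points at an external DTD.
 */
public class SecureProcessingCheck {

    /** Builds a factory and, optionally, turns on secure processing. */
    static TransformerFactory newFactory(boolean secure) throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        if (secure) {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        }
        return factory;
    }

    /** Reads an attribute back; Xalan 2.7 throws because it does not know the JAXP 1.5 names. */
    static String describe(TransformerFactory factory, String attribute) {
        try {
            return String.valueOf(factory.getAttribute(attribute));
        } catch (IllegalArgumentException e) {
            return "<unsupported by " + factory.getClass().getName() + ">";
        }
    }

    /**
     * Compiles a stylesheet that references an external DTD.
     * Returns null when the factory loaded the DTD, or the error message when it refused.
     */
    static String tryCompile(TransformerFactory factory, Path dtd) {
        // Constructed stylesheet: only the DOCTYPE matters for this check.
        String stylesheet =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE xsl:stylesheet SYSTEM \"" + dtd.toUri() + "\">\n"
            + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
            + "  <xsl:template match=\"/\"><ok/></xsl:template>\n"
            + "</xsl:stylesheet>\n";
        try {
            factory.newTemplates(new StreamSource(new StringReader(stylesheet)));
            return null;
        } catch (TransformerConfigurationException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed external DTD in a temp file, so the unrestricted case can really load it.
        Path dtd = Files.createTempFile("external", ".dtd");
        Files.write(dtd, "<!ENTITY marker \"loaded\">\n".getBytes(StandardCharsets.UTF_8));
        try {
            for (boolean secure : new boolean[] {false, true}) {
                TransformerFactory factory = newFactory(secure);
                System.out.println("secure processing = " + secure
                    + " (" + factory.getClass().getName() + ")");
                System.out.println("  ACCESS_EXTERNAL_DTD        = \""
                    + describe(factory, XMLConstants.ACCESS_EXTERNAL_DTD) + "\"");
                System.out.println("  ACCESS_EXTERNAL_STYLESHEET = \""
                    + describe(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET) + "\"");
                String error = tryCompile(factory, dtd);
                System.out.println("  external DTD load: "
                    + (error == null ? "allowed" : "blocked: " + error));
            }
        } finally {
            Files.deleteIfExists(dtd);
        }
    }
}
```

Compile and run it with `javac SecureProcessingCheck.java && java SecureProcessingCheck`, once with and once without xalan.jar on the classpath: the printed implementation class name answers the question of which factory is being picked up, and the "external DTD load" line is the check that matters, because an attribute reading "" on one implementation says nothing about a different implementation that does not know the attribute at all.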