Fix saml-core issues without changing Java version
parent
8b262e3094
commit
b04236f7de
4 changed files with 23 additions and 6 deletions
|
@ -31,8 +31,8 @@
|
|||
<description/>
|
||||
|
||||
<properties>
|
||||
<maven.compiler.target>1.8</maven.compiler.target>
|
||||
<maven.compiler.source>1.8</maven.compiler.source>
|
||||
<maven.compiler.target>1.7</maven.compiler.target>
|
||||
<maven.compiler.source>1.7</maven.compiler.source>
|
||||
|
||||
<timestamp>${maven.build.timestamp}</timestamp>
|
||||
<skip.security-manager.tests>true</skip.security-manager.tests>
|
||||
|
|
|
@ -23,6 +23,7 @@ import org.keycloak.saml.common.constants.GeneralConstants;
|
|||
import org.keycloak.saml.common.exceptions.ConfigurationException;
|
||||
import org.keycloak.saml.common.exceptions.ParsingException;
|
||||
import org.keycloak.saml.common.exceptions.ProcessingException;
|
||||
import org.keycloak.saml.processing.core.util.FixXMLConstants;
|
||||
import org.w3c.dom.Document;
|
||||
import org.w3c.dom.Element;
|
||||
import org.w3c.dom.Node;
|
||||
|
@ -116,9 +117,9 @@ public class TransformerUtil {
|
|||
logger.warn("XML External Entity switches are not supported. You may get XML injection vulnerabilities.");
|
||||
}
|
||||
try {
|
||||
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
transformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
|
||||
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
transformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
} catch (Exception ignored) {
|
||||
// some platforms don't support this. For example our testsuite pulls Selenium which requires Xalan 2.7.1
|
||||
logger.warn("XML External Entity switches are not supported. You may get XML injection vulnerabilities.");
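Review bot: The two `setAttribute` calls share one `try`, so if the factory rejects `ACCESS_EXTERNAL_DTD`, the `ACCESS_EXTERNAL_STYLESHEET` restriction is never attempted and only a warning is logged. The JAXPValidationUtil hunk in this same commit documents why it avoids exactly this kind of short-circuit for the validator. The catch also discards the exception and logs the same text as the warning a few lines above, so the log does not show which switch failed. That matters more now that the attribute names are hand-copied strings, since a mismatch would presumably surface here as a caught exception rather than at compile time. Giving each attribute its own try/catch, with a message that names the attribute and the factory class, would address both; the enclosing method starts and ends outside the hunk.

```java
// … unchanged: earlier feature setup and its warning …
try {
    transformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_DTD, "");
} catch (Exception ignored) {
    logger.warn("External DTD access could not be restricted on "
            + transformerFactory.getClass().getName()
            + ". You may get XML injection vulnerabilities.");
}
try {
    transformerFactory.setAttribute(FixXMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (Exception ignored) {
    // … unchanged: comment about platforms that lack support (Xalan 2.7.1) …
    logger.warn("External stylesheet access could not be restricted on "
            + transformerFactory.getClass().getName()
            + ". You may get XML injection vulnerabilities.");
```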
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
package org.keycloak.saml.processing.core.util;
|
||||
|
||||
/**
|
||||
* Constants copied from XMLConstants to work around issues with IntelliJ
|
||||
*
|
||||
* See https://issues.redhat.com/browse/KEYCLOAK-19403
|
||||
*/
|
||||
public class FixXMLConstants {
|
||||
|
||||
public static final String ACCESS_EXTERNAL_DTD = "http://javax.xml.XMLConstants/property/accessExternalDTD";
|
||||
|
||||
public static final String ACCESS_EXTERNAL_SCHEMA = "http://javax.xml.XMLConstants/property/accessExternalSchema";
|
||||
|
||||
public static final String ACCESS_EXTERNAL_STYLESHEET = "http://javax.xml.XMLConstants/property/accessExternalStylesheet";
|
||||
|
||||
}
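Review bot: Nothing in `FixXMLConstants` or its Javadoc records that these three literals must match the JDK constants they replace, yet they are now the property names used to switch off external DTD, schema and stylesheet access. The Javadoc only mentions the IntelliJ workaround; I would add a line such as `Values must stay identical to the same-named constants in javax.xml.XMLConstants; they are the JAXP property names that restrict external access.` As a pure constants holder the class can also be declared `public final class FixXMLConstants` with a `private FixXMLConstants() {}` constructor so it cannot be instantiated or subclassed.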
|
|
@ -98,8 +98,8 @@ public class JAXPValidationUtil {
|
|||
// Do not optimize the following into setProperty(...) && setProperty(...).
|
||||
// This way if it fails in the first setProperty, it will try the subsequent setProperty anyway
|
||||
// which it would not due to short-circuiting in case of an && expression.
|
||||
boolean successful1 = setProperty(validator, XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
successful1 &= setProperty(validator, XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
boolean successful1 = setProperty(validator, FixXMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
successful1 &= setProperty(validator, FixXMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
|
||||
boolean successful2 = setFeature(validator, feature_disallow_doctype_decl, true);
|
||||
successful2 &= setFeature(validator, feature_external_general_entities, false);
|
||||
successful2 &= setFeature(validator, feature_external_parameter_entities, false);
|
||||
|
|