diff -Nurb resteasy-2.3.5.Final.orig/arquillian/pom.xml resteasy-2.3.5.Final/arquillian/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/pom.xml 2014-07-25 15:36:38.637079327 -0400
+++ resteasy-2.3.5.Final/arquillian/pom.xml 2014-07-25 15:52:17.575397163 -0400
@@ -15,6 +15,7 @@
<!--module>RESTEASY-736-as71</module-->
<module>RESTEASY-752-jetty</module>
<module>RESTEASY-760-jetty</module>
+ <module>RESTEASY-1073-WF8</module>
</modules>
<artifactId>arquillian</artifactId>
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml 2014-07-25 15:38:04.783298392 -0400
@@ -0,0 +1,189 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <parent>
+ <groupId>org.jboss.resteasy</groupId>
+ <artifactId>resteasy-jaxrs-all</artifactId>
+ <version>3.0.8.Final</version>
+ <relativePath>../../pom.xml</relativePath>
+ </parent>
+
+ <artifactId>RESTEASY-1073-WF8</artifactId>
+ <packaging>jar</packaging>
+ <name>RESTEASY-1073-WF8</name>
+ <url>http://maven.apache.org</url>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ <as-version>8.0.0.Final</as-version>
+ </properties>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>2.3.2</version>
+ <configuration>
+ <source>1.6</source>
+ <target>1.6</target>
+ </configuration>
+ </plugin>
+ <plugin>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <version>2.12</version>
+ </plugin>
+ <plugin>
+ <artifactId>maven-dependency-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>unpack</id>
+ <phase>process-test-classes</phase>
+ <goals>
+ <goal>unpack</goal>
+ </goals>
+ <configuration>
+ <artifactItems>
+ <artifactItem>
+ <groupId>org.wildfly</groupId>
+ <artifactId>wildfly-dist</artifactId>
+ <version>${as-version}</version>
+ <type>zip</type>
+ <overWrite>false</overWrite>
+ <outputDirectory>target</outputDirectory>
+ </artifactItem>
+ </artifactItems>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-antrun-plugin</artifactId>
+ <version>1.6</version>
+ <executions>
+ <execution>
+ <id>unpack resteasy</id>
+ <phase>process-test-classes</phase>
+ <configuration>
+ <target>
+ <unzip src="../../jboss-modules/target/resteasy-jboss-modules-wf8-${project.version}.zip"
+ dest="${project.build.directory}/wildfly-${as-version}/modules/system/layers/base"
+ overwrite="true" />
+ </target>
+ </configuration>
+ <goals>
+ <goal>run</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-war-plugin</artifactId>
+ <configuration>
+ <archive>
+ <manifestEntries>
+ <Dependencies>
+ javax.xml.bind.api
+ </Dependencies>
+ </manifestEntries>
+ </archive>
+ </configuration>
+ </plugin>
+
+ </plugins>
+ </build>
+
+<dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.jboss.arquillian</groupId>
+ <artifactId>arquillian-bom</artifactId>
+ <version>1.0.3.Final</version>
+ <scope>import</scope>
+ <type>pom</type>
+ </dependency>
+ </dependencies>
+</dependencyManagement>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.jboss.spec</groupId>
+ <artifactId>jboss-javaee-6.0</artifactId>
+ <version>1.0.0.Final</version>
+ <type>pom</type>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.8.1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.arquillian.junit</groupId>
+ <artifactId>arquillian-junit-container</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.wildfly</groupId>
+ <artifactId>wildfly-arquillian-container-managed</artifactId>
+ <version>8.0.0.Alpha1</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.arquillian.protocol</groupId>
+ <artifactId>arquillian-protocol-servlet</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.resteasy</groupId>
+ <artifactId>jaxrs-api</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.resteasy</groupId>
+ <artifactId>resteasy-jaxrs</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.jboss.resteasy</groupId>
+ <artifactId>resteasy-validator-provider-11</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>javax.validation</groupId>
+ <artifactId>validation-api</artifactId>
+ <version>1.1.0.Final</version>
+ </dependency>
+ <dependency>
+ <groupId>org.hibernate</groupId>
+ <artifactId>hibernate-validator</artifactId>
+ <version>5.0.1.Final</version>
+ </dependency>
+ <dependency>
+ <groupId>javax.el</groupId>
+ <artifactId>javax.el-api</artifactId>
+ <version>2.2.4</version>
+ </dependency>
+ <dependency>
+ <groupId>org.glassfish.web</groupId>
+ <artifactId>javax.el</artifactId>
+ <version>2.2.4</version>
+ </dependency>
+<dependency>
+ <groupId>org.jboss.spec.javax.xml.bind</groupId>
+ <artifactId>jboss-jaxb-api_2.2_spec</artifactId>
+ <version>1.0.4.Final</version>
+</dependency>
+ <dependency>
+ <groupId>org.jboss.resteasy</groupId>
+ <artifactId>resteasy-jaxb-provider</artifactId>
+ <version>${project.version}</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+</project>
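Review bot: The `<parent>` block pins `<version>3.0.8.Final</version>`, while every path in this patch sits under a resteasy-2.3.5.Final tree. If `../../pom.xml` in that tree declares 2.3.5.Final (not visible in this diff), Maven will not match the relative parent and `${project.version}` will resolve to 3.0.8.Final. The `resteasy-jaxrs`, `resteasy-jaxb-provider` and `resteasy-jboss-modules-wf8-${project.version}.zip` references would then point at released 3.0.8.Final artifacts, and the regression test would not exercise the patched ExternalEntityUnmarshaller. Align the parent version with the tree being patched, and confirm that `resteasy-validator-provider-11` and the wf8 modules zip exist in that line. Separately, `wildfly-arquillian-container-managed` is at `8.0.0.Alpha1` while `as-version` is `8.0.0.Final`; if a matching adapter release exists, using `${as-version}` for both would keep adapter and server in step.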
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 2014-07-25 15:40:28.833658314 -0400
@@ -0,0 +1,16 @@
+package org.jboss.resteasy.resteasy1073;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.ws.rs.core.Application;
+
+public class TestApplication extends Application
+{
+ @Override
+ public Set<Class<?>> getClasses() {
+ HashSet<Class<?>> set = new HashSet<Class<?>>();
+ set.add(TestResource.class);
+ return set;
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 2014-07-25 15:41:14.393770993 -0400
@@ -0,0 +1,26 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.MediaType;
+
+/**
+* RESTEASY-1073
+*
+* @author <a href="ron.sigal@jboss.com">Ron Sigal</a>
+* @version $Revision: 1.1 $
+*
+* Copyright July 19, 2014
+*/
+@Path("")
+public class TestResource
+{
+ @POST
+ @Path("test")
+ @Consumes(MediaType.APPLICATION_XML)
+ public String post(TestWrapper wrapper)
+ {
+ return wrapper.getName();
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 2014-07-25 15:41:52.762865571 -0400
@@ -0,0 +1,17 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement
+public class TestWrapper
+{
+ private String name;
+ public String getName()
+ {
+ return name;
+ }
+ public void setName(String name)
+ {
+ this.name = name;
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 2014-07-25 15:43:11.465058832 -0400
@@ -0,0 +1,96 @@
+package org.jboss.resteasy.test.resteasy1073;
+
+import java.io.File;
+
+import javax.ws.rs.core.MediaType;
+
+import junit.framework.Assert;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.resteasy.client.ClientRequest;
+import org.jboss.resteasy.client.ClientResponse;
+import org.jboss.resteasy.resteasy1073.TestApplication;
+import org.jboss.resteasy.resteasy1073.TestResource;
+import org.jboss.resteasy.resteasy1073.TestWrapper;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * RESTEASY-1073.
+ *
+ * @author <a href="ron.sigal@jboss.com">Ron Sigal</a>
+ * @version $Revision: 1.1 $
+ *
+ * Created July 19, 2014
+ */
+@RunWith(Arquillian.class)
+public class TestExternalParameterEntity
+{
+ @Deployment(name="war_expand", order=1)
+ public static Archive<?> createTestArchive1()
+ {
+ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-expand.war")
+ .addClasses(TestApplication.class)
+ .addClasses(TestResource.class, TestWrapper.class)
+ .addAsWebInfResource("web_expand.xml", "web.xml")
+ ;
+ System.out.println(war.toString(true));
+ return war;
+ }
+
+ @Deployment(name="war_no_expand", order=2)
+ public static Archive<?> createTestArchive2()
+ {
+ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-no-expand.war")
+ .addClasses(TestApplication.class)
+ .addClasses(TestResource.class, TestWrapper.class)
+ .addAsWebInfResource("web_no_expand.xml", "web.xml")
+ ;
+ System.out.println(war.toString(true));
+ return war;
+ }
+
+ private String passwdFile = new File("src/test/resources/passwd").getAbsolutePath();
+ private String dtdFile = new File("src/test/resources/test.dtd").getAbsolutePath();
+
+ private String text =
+"<!DOCTYPE foo [\r" +
+" <!ENTITY % file SYSTEM \"" + passwdFile + "\">\r" +
+" <!ENTITY % start \"<![CDATA[\">\r" +
+" <!ENTITY % end \"]]>\">\r" +
+" <!ENTITY % dtd SYSTEM \"" + dtdFile + "\">\r" +
+"%dtd;\r" +
+"]>\r" +
+"<testWrapper><name>&xxe;</name></testWrapper>";
+
+ @Test
+ public void testExternalParameterEntityExpand() throws Exception
+ {
+ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-expand/test");
+ System.out.println(text);
+ request.body(MediaType.APPLICATION_XML, text);
+ ClientResponse<?> response = request.post();
+ Assert.assertEquals(200, response.getStatus());
+ String entity = response.getEntity(String.class);
+ System.out.println("Result: " + entity);
+ Assert.assertEquals("root:x:0:0:root:/root:/bin/bash", entity.trim());
+ }
+
+ @Test
+ public void testExternalParameterEntityNoExpand() throws Exception
+ {
+ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-no-expand/test");
+ System.out.println(text);
+ request.body(MediaType.APPLICATION_XML, text);
+ ClientResponse<?> response = request.post();
+ Assert.assertEquals(200, response.getStatus());
+ String entity = response.getEntity(String.class);
+ System.out.println("Result: " + entity);
+ Assert.assertEquals("", entity.trim());
+ }
+}
+
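Review bot: Both deployments set `resteasy.document.expand.entity.references` explicitly, so nothing here pins the behaviour when the parameter is absent, which is what a deployment that never touched the setting runs with. A third WAR without the context-param, asserting the same empty result as `testExternalParameterEntityNoExpand`, would cover that case (the default value itself is not visible in this diff). The class Javadoc says only `RESTEASY-1073.`; a sentence such as `Verifies that external parameter entities in a request body are resolved only when resteasy.document.expand.entity.references is true.` would tell a reader what the two tests are for. The test methods also use hard-coded `http://localhost:8080/...` URLs rather than `@OperateOnDeployment` with an injected `@ArquillianResource URL`, so they break if the managed container binds elsewhere.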
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 2014-07-25 15:44:43.551284000 -0400
@@ -0,0 +1,23 @@
+<arquillian xmlns="http://jboss.org/schema/arquillian"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="
+http://jboss.org/schema/arquillian
+http://jboss.org/schema/arquillian/arquillian_1_0.xsd">
+
+ <!-- Force the use of the Servlet 3.0 protocol with all containers, as it is the most mature -->
+ <defaultProtocol type="Servlet 3.0" />
+
+ <engine>
+ <property name="deploymentExportPath">target/deployments</property>
+ </engine>
+
+ <container qualifier="jbossas-managed" default="true">
+ <configuration>
+ <property name="jbossHome">target/wildfly-8.0.0.Final</property>
+ <!--property name="javaHome">/opt/local/java/jdk1.7.0_21</property-->
+ <property name="serverConfig">standalone-full.xml</property>
+ <!-- Uncomment next line to run server in debug mode. -->
+ <!--property name="javaVmArguments">-Xmx512m -XX:MaxPermSize=128m -Xrunjdwp:transport=dt_socket,address=8787,server=y,suspend=y</property-->
+ </configuration>
+ </container>
+</arquillian>
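Review bot: `jbossHome` hard-codes `target/wildfly-8.0.0.Final`, duplicating the `as-version` property that the module's pom.xml uses to choose which distribution is unpacked. If `as-version` changes, the container will point at a directory that no longer exists. A comment next to the property, e.g. `<!-- must match as-version in pom.xml -->`, or passing the path in from the build, would keep the two together.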
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 2014-07-25 15:49:38.648001614 -0400
@@ -0,0 +1 @@
+root:x:0:0:root:/root:/bin/bash
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 2014-07-25 15:50:14.822089344 -0400
@@ -0,0 +1 @@
+<!ENTITY xxe "%start; %file; %end;">
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 2014-07-25 15:50:50.589177751 -0400
@@ -0,0 +1,29 @@
+<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
+
+ <display-name>RESTEASY-1073-Expand</display-name>
+
+ <context-param>
+ <param-name>resteasy.document.expand.entity.references</param-name>
+ <param-value>true</param-value>
+ </context-param>
+
+ <servlet>
+ <servlet-name>Resteasy</servlet-name>
+
+ <servlet-class>
+ org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
+ </servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>org.jboss.resteasy.resteasy1073.TestApplication</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>Resteasy</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+</web-app>
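Review bot: Nothing in this descriptor says that `resteasy.document.expand.entity.references` is set to `true` on purpose. A comment above the `<context-param>`, e.g. `<!-- Test fixture for RESTEASY-1073: entity expansion is enabled deliberately so the test can observe it -->`, would stop the file being read as a sample configuration. web_no_expand.xml is identical apart from `<display-name>` and the `false` value, and would benefit from a matching comment.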
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 2014-07-25 15:51:27.218270317 -0400
@@ -0,0 +1,29 @@
+<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
+
+ <display-name>RESTEASY-1073-NoExpand</display-name>
+
+ <context-param>
+ <param-name>resteasy.document.expand.entity.references</param-name>
+ <param-value>false</param-value>
+ </context-param>
+
+ <servlet>
+ <servlet-name>Resteasy</servlet-name>
+
+ <servlet-class>
+ org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
+ </servlet-class>
+ <init-param>
+ <param-name>javax.ws.rs.Application</param-name>
+ <param-value>org.jboss.resteasy.resteasy1073.TestApplication</param-value>
+ </init-param>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>Resteasy</servlet-name>
+ <url-pattern>/*</url-pattern>
+ </servlet-mapping>
+
+</web-app>
diff -Nurb resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
--- resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:36:38.989080230 -0400
+++ resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:54:25.056716412 -0400
@@ -150,6 +150,7 @@
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/validation", false);
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXSource saxSource = new SAXSource(xmlReader, source);
return delegate.unmarshal(saxSource);
}
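Review bot: The reader configured here still accepts a DOCTYPE and will expand entities declared in the internal subset, because only the two external-entity features are switched off. If request bodies on this path never need a DTD, `xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` (a Xerces feature, so parser-dependent) rejects the declaration outright. That would change the 200/empty result the new no-expand test expects, so it is a design decision rather than a drop-in. The same feature list is repeated in the second hunk (`unmarshal(source, declaredType)`), and this commit exists because one feature was missing from it; a private helper that creates and configures the `XMLReader` would leave a single place to harden. Both methods start outside the hunks and the other `unmarshal` overloads are not visible, so it is worth confirming they go through the same configuration.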
@@ -188,6 +189,7 @@
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/validation", false);
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
((SAXSource) source).setXMLReader(xmlReader);
return delegate.unmarshal(source, declaredType);
}