diff -Nurb resteasy-2.3.5.Final.orig/arquillian/pom.xml resteasy-2.3.5.Final/arquillian/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/pom.xml 2014-07-25 15:36:38.637079327 -0400
+++ resteasy-2.3.5.Final/arquillian/pom.xml 2014-07-25 15:52:17.575397163 -0400
@@ -15,6 +15,7 @@
 RESTEASY-752-jetty RESTEASY-760-jetty + RESTEASY-1073-WF8 arquillian
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml 2014-07-25 15:38:04.783298392 -0400
@@ -0,0 +1,189 @@ + + + 4.0.0 + + + org.jboss.resteasy + resteasy-jaxrs-all + 3.0.8.Final + ../../pom.xml + + + RESTEASY-1073-WF8 + jar + RESTEASY-1073-WF8 + http://maven.apache.org + + + UTF-8 + 8.0.0.Final + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 2.3.2 + + 1.6 + 1.6 + + + + maven-surefire-plugin + 2.12 + + + maven-dependency-plugin + + + unpack + process-test-classes + + unpack + + + + + org.wildfly + wildfly-dist + ${as-version} + zip + false + target + + + + + + + + org.apache.maven.plugins + maven-antrun-plugin + 1.6 + + + unpack resteasy + process-test-classes + + + + + + + run + + + + + + + org.apache.maven.plugins + maven-war-plugin + + + + + javax.xml.bind.api + + + + + + + + + + + + + org.jboss.arquillian + arquillian-bom + 1.0.3.Final + import + pom + + + + + + + org.jboss.spec + jboss-javaee-6.0 + 1.0.0.Final + pom + provided + + + junit + junit + 4.8.1 + test + + + org.jboss.arquillian.junit + arquillian-junit-container + test + + + org.wildfly + wildfly-arquillian-container-managed + 8.0.0.Alpha1 + test + + + org.jboss.arquillian.protocol + arquillian-protocol-servlet + test + + + org.jboss.resteasy + jaxrs-api + ${project.version} + + + org.jboss.resteasy + resteasy-jaxrs + ${project.version} + + + org.jboss.resteasy + resteasy-validator-provider-11 + ${project.version} + + + javax.validation + validation-api + 1.1.0.Final + + + org.hibernate + hibernate-validator + 5.0.1.Final + + + javax.el + javax.el-api + 2.2.4 + + + org.glassfish.web + javax.el + 2.2.4 + + + org.jboss.spec.javax.xml.bind + jboss-jaxb-api_2.2_spec + 1.0.4.Final + + + org.jboss.resteasy + resteasy-jaxb-provider + ${project.version} + test + + + diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java --- 
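Review bot: The new module's parent block reads `org.jboss.resteasy resteasy-jaxrs-all 3.0.8.Final ../../pom.xml`, i.e. it declares parent version `3.0.8.Final` resolved through `../../pom.xml`, yet every path in this patch lives in a `resteasy-2.3.5.Final` tree; if that top-level pom carries 2.3.5.Final, the relativePath lookup will not match the declared parent and Maven will warn or fall back to the repository, so the parent version should be aligned with the tree it is added to. The managed adapter `wildfly-arquillian-container-managed` is pinned at `8.0.0.Alpha1` while `as-version` is `8.0.0.Final` and the new `arquillian.xml` points jbossHome at `target/wildfly-8.0.0.Final`; mixing an Alpha adapter with a Final distribution is a mismatch that only surfaces as an opaque deployment failure, so the adapter version should track `as-version`. The top-level pom is not in this patch, so the first point is inferred from the paths alone.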
resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 2014-07-25 15:40:28.833658314 -0400
@@ -0,0 +1,16 @@
+package org.jboss.resteasy.resteasy1073;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.ws.rs.core.Application;
+
+public class TestApplication extends Application
+{
+ @Override
+ public Set> getClasses() {
+ HashSet> set = new HashSet>();
+ set.add(TestResource.class);
+ return set;
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 2014-07-25 15:41:14.393770993 -0400
@@ -0,0 +1,26 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.MediaType;
+
+/**
+* RESTEASY-1073
+*
+* @author Ron Sigal
+* @version $Revision: 1.1 $
+*
+* Copyright July 19, 2014
+*/
+@Path("")
+public class TestResource
+{
+ @POST
+ @Path("test")
+ @Consumes(MediaType.APPLICATION_XML)
+ public String post(TestWrapper wrapper)
+ {
+ return wrapper.getName();
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 2014-07-25 15:41:52.762865571 -0400
@@ -0,0 +1,17 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement
+public class TestWrapper
+{
+ private String name;
+ public String getName()
+ {
+ return name;
+ }
+ public void setName(String name)
+ {
+ this.name = name;
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 2014-07-25 15:43:11.465058832 -0400
@@ -0,0 +1,96 @@
+package org.jboss.resteasy.test.resteasy1073;
+
+import java.io.File;
+
+import javax.ws.rs.core.MediaType;
+
+import junit.framework.Assert;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.resteasy.client.ClientRequest;
+import org.jboss.resteasy.client.ClientResponse;
+import org.jboss.resteasy.resteasy1073.TestApplication;
+import org.jboss.resteasy.resteasy1073.TestResource;
+import org.jboss.resteasy.resteasy1073.TestWrapper;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * RESTEASY-1073.
+ *
+ * @author Ron Sigal
+ * @version $Revision: 1.1 $
+ *
+ * Created July 19, 2014
+ */
+@RunWith(Arquillian.class)
+public class TestExternalParameterEntity
+{
+ @Deployment(name="war_expand", order=1)
+ public static Archive createTestArchive1()
+ {
+ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-expand.war")
+ .addClasses(TestApplication.class)
+ .addClasses(TestResource.class, TestWrapper.class)
+ .addAsWebInfResource("web_expand.xml", "web.xml")
+ ;
+ System.out.println(war.toString(true));
+ return war;
+ }
+
+ @Deployment(name="war_no_expand", order=2)
+ public static Archive createTestArchive2()
+ {
+ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-no-expand.war")
+ .addClasses(TestApplication.class)
+ .addClasses(TestResource.class, TestWrapper.class)
+ .addAsWebInfResource("web_no_expand.xml", "web.xml")
+ ;
+ System.out.println(war.toString(true));
+ return war;
+ }
+
+ private String passwdFile = new File("src/test/resources/passwd").getAbsolutePath();
+ private String dtdFile = new File("src/test/resources/test.dtd").getAbsolutePath();
+
+ private String text =
+"\r" + +" \r" + +" \">\r" + +" \r" + +"%dtd;\r" + +"]>\r" + +"&xxe;";
+
+ @Test
+ public void 
testExternalParameterEntityExpand() throws Exception
+ {
+ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-expand/test");
+ System.out.println(text);
+ request.body(MediaType.APPLICATION_XML, text);
+ ClientResponse response = request.post();
+ Assert.assertEquals(200, response.getStatus());
+ String entity = response.getEntity(String.class);
+ System.out.println("Result: " + entity);
+ Assert.assertEquals("root:x:0:0:root:/root:/bin/bash", entity.trim());
+ }
+
+ @Test
+ public void testExternalParameterEntityNoExpand() throws Exception
+ {
+ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-no-expand/test");
+ System.out.println(text);
+ request.body(MediaType.APPLICATION_XML, text);
+ ClientResponse response = request.post();
+ Assert.assertEquals(200, response.getStatus());
+ String entity = response.getEntity(String.class);
+ System.out.println("Result: " + entity);
+ Assert.assertEquals("", entity.trim());
+ }
+}
+
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 2014-07-25 15:44:43.551284000 -0400
@@ -0,0 +1,23 @@
+ + + + + + target/deployments + + + + + target/wildfly-8.0.0.Final + + standalone-full.xml + + + + +
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 2014-07-25 15:49:38.648001614 -0400
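Review bot: The class Javadoc says only `RESTEASY-1073.`, so a reader has to reconstruct from the two deployments and the `passwd`/`test.dtd` fixtures what is actually asserted; a sentence such as `Verifies that an external parameter entity (%dtd;) in the request body is resolved only when resteasy.document.expand.entity.references is true (war_expand) and yields an empty entity when it is false (war_no_expand).` would make the intent explicit. Assertions come from `junit.framework.Assert`, the JUnit 3 API, while `@Test` and `@RunWith` are JUnit 4; `org.junit.Assert` is the matching class. The base URL `http://localhost:8080/...` is hard-coded in both test methods, so they break under a non-default Arquillian port; reading host and port from a system property with that default keeps them portable. The `System.out.println` calls in the deployment and test methods are debug leftovers that only add noise to the build log.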
@@ -0,0 +1 @@ +root:x:0:0:root:/root:/bin/bash diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd --- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 1969-12-31 19:00:00.000000000 -0500 +++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 2014-07-25 15:50:14.822089344 -0400 @@ -0,0 +1 @@ + diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml --- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 1969-12-31 19:00:00.000000000 -0500 +++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 2014-07-25 15:50:50.589177751 -0400 @@ -0,0 +1,29 @@ + + + RESTEASY-1073-Expand + + + resteasy.document.expand.entity.references + true + + + + Resteasy + + + org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher + + + javax.ws.rs.Application + org.jboss.resteasy.resteasy1073.TestApplication + + + + + Resteasy + /* + + + diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml --- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 1969-12-31 19:00:00.000000000 -0500 +++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 2014-07-25 15:51:27.218270317 -0400 
@@ -0,0 +1,29 @@
+ + + RESTEASY-1073-NoExpand + + + resteasy.document.expand.entity.references + false + + + + Resteasy + + + org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher + + + javax.ws.rs.Application + org.jboss.resteasy.resteasy1073.TestApplication + + + + + Resteasy + /* + + +
diff -Nurb resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
--- resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:36:38.989080230 -0400
+++ resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:54:25.056716412 -0400
@@ -150,6 +150,7 @@
 XMLReader xmlReader = XMLReaderFactory.createXMLReader();
 xmlReader.setFeature("http://xml.org/sax/features/validation", false);
 xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 SAXSource saxSource = new SAXSource(xmlReader, source);
 return delegate.unmarshal(saxSource);
 }
@@ -188,6 +189,7 @@
 XMLReader xmlReader = XMLReaderFactory.createXMLReader();
 xmlReader.setFeature("http://xml.org/sax/features/validation", false);
 xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 ((SAXSource) source).setXMLReader(xmlReader);
 return delegate.unmarshal(source, declaredType);
 }
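Review bot: Both hunks of ExternalEntityUnmarshaller.java (at 150 and at 188) now carry the same three hard-coded `setFeature` calls on a freshly created `XMLReader`, with nothing connecting the two copies, so the next parser hardening has to be remembered at two sites; a private helper that creates the reader and applies the feature list, called from both unmarshal paths, would keep the policy single-sourced and let it be unit-tested on its own. Turning off `external-parameter-entities` blocks the `%dtd;` resolution that the new test drives, but where a DOCTYPE is not needed at all the stronger setting is `http://apache.org/xml/features/disallow-doctype-decl`, which also takes internal-entity expansion out of the exposed surface; whether this unmarshaller must keep accepting DOCTYPEs is not visible in the hunks, so this is a question for the author rather than a required change. `XMLReaderFactory.createXMLReader()` returns whichever SAX implementation is found at runtime, and `setFeature` reports an unsupported feature by throwing `SAXNotRecognizedException`/`SAXNotSupportedException`; the enclosing methods begin outside the hunks, so I cannot see whether that exception is caught, but if it were swallowed the document would be parsed without the protection, so failing the unmarshal in that case is worth confirming.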