diff -Nurb resteasy-2.3.5.Final.orig/arquillian/pom.xml resteasy-2.3.5.Final/arquillian/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/pom.xml 2014-07-25 15:36:38.637079327 -0400
+++ resteasy-2.3.5.Final/arquillian/pom.xml 2014-07-25 15:52:17.575397163 -0400
@@ -15,6 +15,7 @@
RESTEASY-752-jetty
RESTEASY-760-jetty
+ RESTEASY-1073-WF8
arquillian
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/pom.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/pom.xml 2014-07-25 15:38:04.783298392 -0400
@@ -0,0 +1,189 @@
+
+
+ 4.0.0
+
+
+ org.jboss.resteasy
+ resteasy-jaxrs-all
+ 3.0.8.Final
+ ../../pom.xml
+
+
+ RESTEASY-1073-WF8
+ jar
+ RESTEASY-1073-WF8
+ http://maven.apache.org
+
+
+ UTF-8
+ 8.0.0.Final
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-compiler-plugin
+ 2.3.2
+
+
+ 1.6
+
+
+
+ maven-surefire-plugin
+ 2.12
+
+
+ maven-dependency-plugin
+
+
+ unpack
+ process-test-classes
+
+ unpack
+
+
+
+
+ org.wildfly
+ wildfly-dist
+ ${as-version}
+ zip
+ false
+ target
+
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-antrun-plugin
+ 1.6
+
+
+ unpack resteasy
+ process-test-classes
+
+
+
+
+
+
+ run
+
+
+
+
+
+
+ org.apache.maven.plugins
+ maven-war-plugin
+
+
+
+
+ javax.xml.bind.api
+
+
+
+
+
+
+
+
+
+
+
+
+ org.jboss.arquillian
+ arquillian-bom
+ 1.0.3.Final
+ import
+ pom
+
+
+
+
+
+
+ org.jboss.spec
+ jboss-javaee-6.0
+ 1.0.0.Final
+ pom
+ provided
+
+
+ junit
+ junit
+ 4.8.1
+ test
+
+
+ org.jboss.arquillian.junit
+ arquillian-junit-container
+ test
+
+
+ org.wildfly
+ wildfly-arquillian-container-managed
+ 8.0.0.Alpha1
+ test
+
+
+ org.jboss.arquillian.protocol
+ arquillian-protocol-servlet
+ test
+
+
+ org.jboss.resteasy
+ jaxrs-api
+ ${project.version}
+
+
+ org.jboss.resteasy
+ resteasy-jaxrs
+ ${project.version}
+
+
+ org.jboss.resteasy
+ resteasy-validator-provider-11
+ ${project.version}
+
+
+ javax.validation
+ validation-api
+ 1.1.0.Final
+
+
+ org.hibernate
+ hibernate-validator
+ 5.0.1.Final
+
+
+ javax.el
+ javax.el-api
+ 2.2.4
+
+
+ org.glassfish.web
+ javax.el
+ 2.2.4
+
+
+ org.jboss.spec.javax.xml.bind
+ jboss-jaxb-api_2.2_spec
+ 1.0.4.Final
+
+
+ org.jboss.resteasy
+ resteasy-jaxb-provider
+ ${project.version}
+ test
+
+
+
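Review bot: The parent coordinates in this new module read `resteasy-jaxrs-all` / `3.0.8.Final`, while the patch is applied to the resteasy-2.3.5.Final tree and the parent is resolved through `../../pom.xml`. If the tree's root pom really is 2.3.5.Final, the parent version will not match, and every `${project.version}` dependency below (jaxrs-api, resteasy-jaxrs, resteasy-validator-provider-11, resteasy-jaxb-provider) would resolve to 3.0.8.Final artifacts, so the regression test would not exercise the ExternalEntityUnmarshaller patched here. The container versions also disagree: wildfly-dist follows `${as-version}` (apparently 8.0.0.Final) while wildfly-arquillian-container-managed is pinned to `8.0.0.Alpha1`. The XML markup is not visible on this page, so the element roles are inferred from the values.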
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestApplication.java 2014-07-25 15:40:28.833658314 -0400
@@ -0,0 +1,16 @@
+package org.jboss.resteasy.resteasy1073;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.ws.rs.core.Application;
+
+public class TestApplication extends Application
+{
+ @Override
+ public Set> getClasses() {
+ HashSet> set = new HashSet>();
+ set.add(TestResource.class);
+ return set;
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestResource.java 2014-07-25 15:41:14.393770993 -0400
@@ -0,0 +1,26 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.ws.rs.Consumes;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.core.MediaType;
+
+/**
+* RESTEASY-1073
+*
+* @author Ron Sigal
+* @version $Revision: 1.1 $
+*
+* Copyright July 19, 2014
+*/
+@Path("")
+public class TestResource
+{
+ @POST
+ @Path("test")
+ @Consumes(MediaType.APPLICATION_XML)
+ public String post(TestWrapper wrapper)
+ {
+ return wrapper.getName();
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/main/java/org/jboss/resteasy/resteasy1073/TestWrapper.java 2014-07-25 15:41:52.762865571 -0400
@@ -0,0 +1,17 @@
+package org.jboss.resteasy.resteasy1073;
+
+import javax.xml.bind.annotation.XmlRootElement;
+
+@XmlRootElement
+public class TestWrapper
+{
+ private String name;
+ public String getName()
+ {
+ return name;
+ }
+ public void setName(String name)
+ {
+ this.name = name;
+ }
+}
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/java/org/jboss/resteasy/test/resteasy1073/TestExternalParameterEntity.java 2014-07-25 15:43:11.465058832 -0400
@@ -0,0 +1,96 @@
+package org.jboss.resteasy.test.resteasy1073;
+
+import java.io.File;
+
+import javax.ws.rs.core.MediaType;
+
+import junit.framework.Assert;
+
+import org.jboss.arquillian.container.test.api.Deployment;
+import org.jboss.arquillian.junit.Arquillian;
+import org.jboss.resteasy.client.ClientRequest;
+import org.jboss.resteasy.client.ClientResponse;
+import org.jboss.resteasy.resteasy1073.TestApplication;
+import org.jboss.resteasy.resteasy1073.TestResource;
+import org.jboss.resteasy.resteasy1073.TestWrapper;
+import org.jboss.shrinkwrap.api.Archive;
+import org.jboss.shrinkwrap.api.ShrinkWrap;
+import org.jboss.shrinkwrap.api.spec.WebArchive;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+/**
+ * RESTEASY-1073.
+ *
+ * @author Ron Sigal
+ * @version $Revision: 1.1 $
+ *
+ * Created July 19, 2014
+ */
+@RunWith(Arquillian.class)
+public class TestExternalParameterEntity
+{
+ @Deployment(name="war_expand", order=1)
+ public static Archive> createTestArchive1()
+ {
+ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-expand.war")
+ .addClasses(TestApplication.class)
+ .addClasses(TestResource.class, TestWrapper.class)
+ .addAsWebInfResource("web_expand.xml", "web.xml")
+ ;
+ System.out.println(war.toString(true));
+ return war;
+ }
+
+ @Deployment(name="war_no_expand", order=2)
+ public static Archive> createTestArchive2()
+ {
+ WebArchive war = ShrinkWrap.create(WebArchive.class, "RESTEASY-1073-no-expand.war")
+ .addClasses(TestApplication.class)
+ .addClasses(TestResource.class, TestWrapper.class)
+ .addAsWebInfResource("web_no_expand.xml", "web.xml")
+ ;
+ System.out.println(war.toString(true));
+ return war;
+ }
+
+ private String passwdFile = new File("src/test/resources/passwd").getAbsolutePath();
+ private String dtdFile = new File("src/test/resources/test.dtd").getAbsolutePath();
+
+ private String text =
+"\r" +
+" \r" +
+" \">\r" +
+" \r" +
+"%dtd;\r" +
+"]>\r" +
+"&xxe;";
+
+ @Test
+ public void testExternalParameterEntityExpand() throws Exception
+ {
+ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-expand/test");
+ System.out.println(text);
+ request.body(MediaType.APPLICATION_XML, text);
+ ClientResponse> response = request.post();
+ Assert.assertEquals(200, response.getStatus());
+ String entity = response.getEntity(String.class);
+ System.out.println("Result: " + entity);
+ Assert.assertEquals("root:x:0:0:root:/root:/bin/bash", entity.trim());
+ }
+
+ @Test
+ public void testExternalParameterEntityNoExpand() throws Exception
+ {
+ ClientRequest request = new ClientRequest("http://localhost:8080/RESTEASY-1073-no-expand/test");
+ System.out.println(text);
+ request.body(MediaType.APPLICATION_XML, text);
+ ClientResponse> response = request.post();
+ Assert.assertEquals(200, response.getStatus());
+ String entity = response.getEntity(String.class);
+ System.out.println("Result: " + entity);
+ Assert.assertEquals("", entity.trim());
+ }
+}
+
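Review bot: `passwdFile` and `dtdFile` are built from relative paths (`new File("src/test/resources/passwd")`), so the payload only points at the bundled fixtures when the JVM's working directory is the module directory. The request URLs are likewise fixed to `http://localhost:8080`, which fails on a container bound to another port. Resolving the fixtures from the test classpath and taking the base URL from the Arquillian deployment would remove both assumptions. `testExternalParameterEntityExpand` asserts that the fixture content is returned, which reads like a vulnerability being accepted unless explained. A comment such as `// Entity expansion is switched on by web_expand.xml; this case pins the opt-in behaviour, the no-expand case below is the regression check.` would make the intent clear.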
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/arquillian.xml 2014-07-25 15:44:43.551284000 -0400
@@ -0,0 +1,23 @@
+
+
+
+
+
+
+ target/deployments
+
+
+
+
+ target/wildfly-8.0.0.Final
+
+ standalone-full.xml
+
+
+
+
+
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/passwd 2014-07-25 15:49:38.648001614 -0400
@@ -0,0 +1 @@
+root:x:0:0:root:/root:/bin/bash
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/test.dtd 2014-07-25 15:50:14.822089344 -0400
@@ -0,0 +1 @@
+
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_expand.xml 2014-07-25 15:50:50.589177751 -0400
@@ -0,0 +1,29 @@
+
+
+ RESTEASY-1073-Expand
+
+
+ resteasy.document.expand.entity.references
+ true
+
+
+
+ Resteasy
+
+
+ org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
+
+
+ javax.ws.rs.Application
+ org.jboss.resteasy.resteasy1073.TestApplication
+
+
+
+
+ Resteasy
+ /*
+
+
+
diff -Nurb resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml
--- resteasy-2.3.5.Final.orig/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 1969-12-31 19:00:00.000000000 -0500
+++ resteasy-2.3.5.Final/arquillian/RESTEASY-1073-WF8/src/test/resources/web_no_expand.xml 2014-07-25 15:51:27.218270317 -0400
@@ -0,0 +1,29 @@
+
+
+ RESTEASY-1073-NoExpand
+
+
+ resteasy.document.expand.entity.references
+ false
+
+
+
+ Resteasy
+
+
+ org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher
+
+
+ javax.ws.rs.Application
+ org.jboss.resteasy.resteasy1073.TestApplication
+
+
+
+
+ Resteasy
+ /*
+
+
+
diff -Nurb resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java
--- resteasy-2.3.5.Final.orig/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:36:38.989080230 -0400
+++ resteasy-2.3.5.Final/providers/jaxb/src/main/java/org/jboss/resteasy/plugins/providers/jaxb/ExternalEntityUnmarshaller.java 2014-07-25 15:54:25.056716412 -0400
@@ -150,6 +150,7 @@
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/validation", false);
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
SAXSource saxSource = new SAXSource(xmlReader, source);
return delegate.unmarshal(saxSource);
}
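Review bot: The same three `setFeature` calls are now repeated in both unmarshal paths (this hunk and the one at -188), so any later parser hardening has to be applied twice. Pulling them into one private helper that returns the configured `XMLReader` would keep the two in step. Both enclosing methods start outside the hunks, so it cannot be told from here whether the other `unmarshal` overloads of this class also go through a hardened reader; that is worth checking. If the reader is the JDK's Xerces-based parser, consider also `xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` so the external DTD subset is not fetched either. That feature is parser-specific and may be rejected with a SAXNotRecognizedException by other readers.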
@@ -188,6 +189,7 @@
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/validation", false);
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
((SAXSource) source).setXMLReader(xmlReader);
return delegate.unmarshal(source, declaredType);
}