Install SecurityManager to block entity expansion.
authorcantor <cantor@de75baf8-a10c-0410-a50a-987c0e22f00f>
Wed, 12 Dec 2007 02:18:45 +0000 (02:18 +0000)
committercantor <cantor@de75baf8-a10c-0410-a50a-987c0e22f00f>
Wed, 12 Dec 2007 02:18:45 +0000 (02:18 +0000)
git-svn-id: https://svn.middleware.georgetown.edu/cpp-xmltooling/trunk@447 de75baf8-a10c-0410-a50a-987c0e22f00f

xmltooling/util/ParserPool.cpp
xmltooling/util/ParserPool.h

index 693cef4..b2bc5b8 100644 (file)
@@ -43,7 +43,7 @@ using namespace xmltooling;
 using namespace std;
 
 ParserPool::ParserPool(bool namespaceAware, bool schemaAware)
-    : m_namespaceAware(namespaceAware), m_schemaAware(schemaAware), m_lock(Mutex::create()) {}
+    : m_namespaceAware(namespaceAware), m_schemaAware(schemaAware), m_lock(Mutex::create()), m_security(new SecurityManager()) {}
 
 ParserPool::~ParserPool()
 {
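Review bot: `m_security(new SecurityManager())` in the initializer list installs a default-constructed manager, so entity expansion is only capped at Xerces' built-in default (`SecurityManager::ENTITY_EXPANSION_LIMIT`), not blocked as the commit title says. If the documents this pool parses need few or no entities, set the bound explicitly in the constructor body, e.g. `m_security->setEntityExpansionLimit(<project-chosen limit>);`, with a comment such as `// caps entity expansions per parse to bound entity-expansion denial of service`. Separately, a second raw `new` after `Mutex::create()` leaks m_lock if the allocation throws, because the destructor never runs. A by-value `xercesc::SecurityManager m_security;` member passed as `&m_security` would remove both the `new` and the matching `delete`.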
@@ -52,6 +52,7 @@ ParserPool::~ParserPool()
         m_pool.pop();
     }
     delete m_lock;
+    delete m_security;
 }
 
 DOMDocument* ParserPool::newDocument()
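Review bot: `delete m_security;` frees an object that every builder made by createBuilder() still references through a raw pointer, so it is only safe if no builder outlives the pool. The loop above it, which starts outside this hunk, releases the builders held in m_pool. A builder still checked out when the destructor runs would be left with a dangling security manager; whether that can happen depends on code not shown here. A comment would make the contract explicit, e.g. `// builders hold a non-owning pointer to m_security; all must be released before this point`.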
@@ -320,6 +321,7 @@ DOMBuilder* ParserPool::createBuilder()
         parser->setProperty(XMLUni::fgXercesSchemaExternalSchemaLocation,const_cast<XMLCh*>(temp.get()));
 #endif
     }
+    parser->setProperty(XMLUni::fgXercesSecurityManager, m_security);
     parser->setFeature(XMLUni::fgXercesUserAdoptsDOMDocument,true);
     parser->setEntityResolver(this);
     parser->setErrorHandler(this);
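Review bot: The `setProperty(XMLUni::fgXercesSecurityManager, m_security)` call bounds the number of entity expansions only; it does not restrict which external entities or DTDs are fetched. That still depends on `setEntityResolver(this)` two lines below and on the resolver's implementation, which is not visible in this hunk. A comment would keep the two controls from being confused, e.g. `// SecurityManager limits expansion count only; external entity/DTD access is controlled by resolveEntity()`. The same instance is shared by every pooled builder, which looks fine as long as its limit is not changed after construction. createBuilder's body begins and ends outside the hunk.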
index ebc7bf1..3dcdde6 100644 (file)
@@ -32,6 +32,7 @@
 #include <xercesc/dom/DOM.hpp>
 #include <xercesc/sax/InputSource.hpp>
 #include <xercesc/util/BinInputStream.hpp>
+#include <xercesc/util/SecurityManager.hpp>
 
 #if defined (_MSC_VER)
     #pragma warning( push )
@@ -130,6 +131,7 @@ namespace xmltooling {
         bool m_namespaceAware,m_schemaAware;
         std::stack<xercesc::DOMBuilder*> m_pool;
         Mutex* m_lock;
+        xercesc::SecurityManager* m_security;
     };
 
     /**