Opened 14 years ago
Closed 14 years ago
#387 closed defect (fixed)
GN vulnerable to other application's TransformerFactory
| Reported by: | heikki | Owned by: | heikki |
|---|---|---|---|
| Priority: | minor | Milestone: | v2.6.2 |
| Component: | General | Version: | v2.6.1 |
| Keywords: | Cc: |
Description
GeoNetwork uses a file on its classpath that holds the name of the implementation of TransformerFactory to use.
However if there is another application running in the same JVM that sets the System Property for this to something incompatible (e.g. XALAN), GeoNetwork uses that implementation instead and no longer functions.
By reading the Geonetwork-defined implementation name in a static string in Jeeves and using that throughout where TransformerFactories are instantiated, this no longer happens.
Attachments (3)
Change History (6)
by , 14 years ago
| Attachment: | transformerfactory.diff added |
|---|
comment:1 by , 14 years ago
Attached a patch for trunk.
Tested using a modified Jetty command line that sets XALAN as the transformer in System properties; nonetheless GeoNetwork keeps using its own defined transformerfactory and still works.
Jetty command line:
java -Xms48m -Xmx512m -Xss2M -XX:MaxPermSize=128m -XX:CompileCommandFile=hotspot_compiler -Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl -Dmime-mappings=..\web\geonetwork\WEB-INF\mime-types.properties -DSTOP.PORT=8079 -Djava.awt.headless=true -DSTOP.KEY=geonetwork -jar start.jar ..\bin\jetty.xml
comment:2 by , 14 years ago
| Status: | new → assigned |
|---|
comment:3 by , 14 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Integrated in 26x and trunk.
Patch for trunk 23-11-2010 15:20 CET