Does setting FEATURE_SECURE_PROCESSING in transformerFactory update other security features as well?

Tags: java, xerces, xalan

In jdk1.6, while I am setting

transformerFactory.setFeature(XMLConstants.ACCESS_EXTERNAL_DTD, false)

I am facing the following error:

javax.xml.transform.TransformerConfigurationException: Cannot set the feature 'http://javax.xml.XMLConstants/property/accessExternalDTD' on this TransformerFactory. at org.apache.xalan.processor.TransformerFactoryImpl.setFeature(TransformerFactoryImpl.java:418)

As for what I found here: How to prevent xalan.jar that has META-INF\services\javax.xml.transform.TransformerFactory from taking over JDK 1.6 built in Xalan implementation? I can't make the changes suggested there, as there will be other API conflicts, as reviewed by my admin.

And as per this link: http://xml.apache.org/xalan-j/features.html#domsource "You can use the TransformerFactory.setFeature(String, boolean) method to set the value of a feature. Xalan-Java only supports setting of the XMLConstants.FEATURE_SECURE_PROCESSING feature. For all other features, TransformerFactory exposes their values, but cannot change their states."

So it seems we can set only this feature if the Xalan implementation of TransformerFactory is used:

transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Finally, my question: if we set the feature

transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then is the other feature (XMLConstants.ACCESS_EXTERNAL_DTD) automatically set to false?
I got the above feature as "false" from the logs I set, but I want to know for sure whether the accessExternalDTD feature is set to false by default, or because the secure-processing feature is set to true.

Karthick M Mayan asked Apr 28 '15 15:04



2 Answers

In Java 8, yes. If we set

TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then the attributes ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET are set to "" as the OWASP guide recommends.

We can verify it with:

Object hasExternalDtd = factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_DTD);
Object hasExternalStyle = factory.getAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET);

after setting the FEATURE_SECURE_PROCESSING feature.

The default value, if we don't set it, is "all" for both properties.

JuanMoreno answered Nov 17 '22 23:11



From the source, it looks like the other features are not updated when XMLConstants.FEATURE_SECURE_PROCESSING is updated:

  public void setFeature(String name, boolean value)
      throws TransformerConfigurationException {

    // feature name cannot be null
    if (name == null) {
      throw new NullPointerException(
          XSLMessages.createMessage(
              XSLTErrorResources.ER_SET_FEATURE_NULL_NAME, null));
    }

    // secure processing?
    if (name.equals(XMLConstants.FEATURE_SECURE_PROCESSING)) {
      m_isSecureProcessing = value;
    }
    // This implementation does not support the setting of a feature other than
    // the secure processing feature.
    else {
      throw new TransformerConfigurationException(
          XSLMessages.createMessage(
              XSLTErrorResources.ER_UNSUPPORTED_FEATURE,
              new Object[] {name}));
    }
  }

So it looks like I need to find another way to set this feature XMLConstants.ACCESS_EXTERNAL_DTD :(

Karthick M Mayan answered Nov 17 '22 22:11

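Putting the two answers together, here is an added example (not code from the question or either answer, and not part of Xalan or the JDK) that hardens a TransformerFactory and then reads the settings back instead of assuming them. It assumes a JAXP API that defines XMLConstants.ACCESS_EXTERNAL_DTD (Java 7u40+ or 8); note these are properties set through setAttribute with a String value ("" denies, "all" allows), not boolean features, which is why setFeature(ACCESS_EXTERNAL_DTD, false) is rejected, and the catch blocks are what tells you that an Apache Xalan factory silently ignores them even with FEATURE_SECURE_PROCESSING on.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

public final class SecureTransformerFactory {

    /** Factory with secure processing on and external access denied where the implementation allows it. */
    public static TransformerFactory create() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        // The one feature both the JDK's built-in XSLTC and Apache Xalan 2.7.x accept.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // ACCESS_EXTERNAL_* are attributes, not features: "" = deny all, "all" = allow (the default).
        restrict(factory, XMLConstants.ACCESS_EXTERNAL_DTD);
        restrict(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET);
        return factory;
    }

    /** Returns false when the factory (e.g. Apache Xalan's TransformerFactoryImpl) does not know the attribute. */
    static boolean restrict(TransformerFactory factory, String attribute) {
        try {
            factory.setAttribute(attribute, "");
            return true;
        } catch (IllegalArgumentException e) {
            // Unsupported attribute: the factory has NOT been restricted for this kind of external access.
            return false;
        }
    }

    /** Reads an attribute back so startup code can verify, rather than assume, that access is denied. */
    static String describe(TransformerFactory factory, String attribute) {
        try {
            return attribute + " = \"" + factory.getAttribute(attribute) + "\"";
        } catch (IllegalArgumentException e) {
            return attribute + " = <not supported by " + factory.getClass().getName() + ">";
        }
    }

    public static void main(String[] args) throws TransformerConfigurationException {
        TransformerFactory factory = create();
        System.out.println("factory: " + factory.getClass().getName());
        System.out.println("secure processing: " + factory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
        System.out.println(describe(factory, XMLConstants.ACCESS_EXTERNAL_DTD));
        System.out.println(describe(factory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET));
    }
}
```

Run it once with xalan.jar on the classpath and once without to see which factory wins and whether the external-access attributes actually took effect.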