Author: dims
Date: Fri Sep 16 07:21:58 2005
New Revision: 289557
URL: http://svn.apache.org/viewcvs?rev=289557&view=rev
Log:
Switch off various parser options to prevent XXE attacks.
Modified:
webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
Modified: webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
URL: http://svn.apache.org/viewcvs/webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java?rev=289557&r1=289556&r2=289557&view=diff
==============================================================================
--- webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java (original)
+++ webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java Fri Sep 16 07:21:58 2005
@@ -118,7 +118,30 @@
// Optional: set various configuration options
dbf.setNamespaceAware(namespaceAware);
dbf.setValidating(validating);
+
+ // Add various options explicitly to prevent XXE attacks. add try/catch around every
+ // setAttribute just in case a specific parser does not support it.
dbf.setExpandEntityReferences(expandEntityReferences);
+ try {
+ dbf.setAttribute("http://xml.org/sax/features/external-general-entities",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://xml.org/sax/features/external-parameter-entities",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl",
+ Boolean.TRUE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://javax.xml.XMLConstants/feature/secure-processing",
+ Boolean.TRUE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
try {
// Some parsers don't throw an exception here, but throw one when the
Date: Fri Sep 16 07:21:58 2005
New Revision: 289557
URL: http://svn.apache.org/viewcvs?rev=289557&view=rev
Log:
switch off various parser options to prevent XXE attacks.
Modified:
webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
Modified: webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
URL: http://svn.apache.org/viewcvs/webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java?rev=289557&r1=289556&r2=289557&view=diff
==============================================================================
--- webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java (original)
+++ webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java Fri Sep 16 07:21:58 2005
@@ -118,7 +118,30 @@
// Optional: set various configuration options
dbf.setNamespaceAware(namespaceAware);
dbf.setValidating(validating);
+
+ // Add various options explicitly to prevent XXE attacks. add try/catch around every
+ // setAttribute just in case a specific parser does not support it.
dbf.setExpandEntityReferences(expandEntityReferences);
+ try {
+ dbf.setAttribute("http://xml.org/sax/features/external-general-entities",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://xml.org/sax/features/external-parameter-entities",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl",
+ Boolean.TRUE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://javax.xml.XMLConstants/feature/secure-processing",
+ Boolean.TRUE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
try {
// Some parsers don't throw an exception here, but throw one when the