Repository: cayenne
Updated Branches:
  refs/heads/master 6fc896b65 -> df5d38f7a


Disable external entities in XML document builder


Project: http://git-wip-us.apache.org/repos/asf/cayenne/repo
Commit: http://git-wip-us.apache.org/repos/asf/cayenne/commit/df5d38f7
Tree: http://git-wip-us.apache.org/repos/asf/cayenne/tree/df5d38f7
Diff: http://git-wip-us.apache.org/repos/asf/cayenne/diff/df5d38f7

Branch: refs/heads/master
Commit: df5d38f7a0a321b7f407601b666387eec61321ed
Parents: 6fc896b
Author: Nikita Timofeev <[email protected]>
Authored: Mon Jul 9 11:36:07 2018 +0300
Committer: Nikita Timofeev <[email protected]>
Committed: Mon Jul 9 11:36:07 2018 +0300

----------------------------------------------------------------------
 .../src/main/java/org/apache/cayenne/util/Util.java     | 12 ++++++++++++
 1 file changed, 12 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cayenne/blob/df5d38f7/cayenne-server/src/main/java/org/apache/cayenne/util/Util.java
----------------------------------------------------------------------
diff --git a/cayenne-server/src/main/java/org/apache/cayenne/util/Util.java 
b/cayenne-server/src/main/java/org/apache/cayenne/util/Util.java
index 429a833..08941b8 100644
--- a/cayenne-server/src/main/java/org/apache/cayenne/util/Util.java
+++ b/cayenne-server/src/main/java/org/apache/cayenne/util/Util.java
@@ -366,6 +366,18 @@ public class Util {
        public static Document readDocument(URL url) {
                DocumentBuilderFactory documentBuilderFactory = 
DocumentBuilderFactory.newInstance();
                documentBuilderFactory.setNamespaceAware(false);
+               documentBuilderFactory.setXIncludeAware(false);
+               documentBuilderFactory.setExpandEntityReferences(false);
+
+               try {
+                       
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
+                       
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities";,
 false);
+                       
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";,
 false);
+                       
documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+               } catch (ParserConfigurationException ex) {
+                       throw new ConfigurationException("Unable to configure 
DocumentBuilderFactory", ex);
+               }
+
                try {
                        DocumentBuilder domBuilder = 
documentBuilderFactory.newDocumentBuilder();
                        try (InputStream inputStream = url.openStream()) {
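Review bot: The four `setFeature` calls sit in one try block and two of the feature URIs (`http://apache.org/xml/features/...`) are Xerces-specific, so on a JAXP implementation that does not recognise them `readDocument` now throws `ConfigurationException` before any parsing starts. Failing closed is the right default for XXE hardening, but it is undocumented; add a comment above the try such as `// XXE hardening: fail closed if the parser cannot disable DOCTYPE and external entities`. The method's Javadoc should also state that documents carrying a DOCTYPE declaration are now rejected, since that is a behaviour change for callers. Consider adding `documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` as a portable baseline next to these (it needs the `javax.xml.XMLConstants` import). The body of `readDocument` continues past the end of the hunk.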
