This is an automated email from the ASF dual-hosted git repository.

jbonofre pushed a commit to branch karaf-4.1.x
in repository https://gitbox.apache.org/repos/asf/karaf.git


The following commit(s) were added to refs/heads/karaf-4.1.x by this push:
     new 1ffa6d1  [KARAF-5911] Restrict XML entities
1ffa6d1 is described below

commit 1ffa6d1c4555cab9737d76b49142528b57cfdfc4
Author: Jean-Baptiste Onofré <[email protected]>
AuthorDate: Tue Sep 11 21:41:12 2018 +0200

    [KARAF-5911] Restrict XML entities
---
 util/src/main/java/org/apache/karaf/util/XmlUtils.java | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/util/src/main/java/org/apache/karaf/util/XmlUtils.java 
b/util/src/main/java/org/apache/karaf/util/XmlUtils.java
index adfc2e6..19ae42a 100644
--- a/util/src/main/java/org/apache/karaf/util/XmlUtils.java
+++ b/util/src/main/java/org/apache/karaf/util/XmlUtils.java
@@ -20,6 +20,7 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -105,6 +106,11 @@ public class XmlUtils {
         if (spf == null) {
             spf = SAXParserFactory.newInstance();
             spf.setNamespaceAware(true);
+            
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
+            
spf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+            
spf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            
spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+            spf.setXIncludeAware(false);
             SAX_PARSER_FACTORY.set(spf);
         }
         return spf.newSAXParser().getXMLReader();
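Review bot: The two `http://apache.org/xml/features/...` URIs set on spf after setNamespaceAware are Xerces-specific, and the two SAX2 `http://xml.org/sax/features/...` entities switches are optional for a provider, so on a SAXParserFactory implementation that does not recognize one of them setFeature throws SAXNotRecognizedException/SAXNotSupportedException and xmlReader() fails for every document, not only those carrying a DOCTYPE. That is the safe direction (fail closed rather than parse with entities enabled), but it is worth stating, e.g. `// Reject DOCTYPE and external entities (XXE hardening); a provider that cannot honour these features fails here instead of parsing unsafely.` Consider also adding `spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which every JAXP implementation is required to accept and which caps entity expansion independently of the vendor features; the same applies to the DocumentBuilderFactory hunk below (L51-69). The enclosing method's signature and declared exceptions are outside the hunk, so whether the checked exceptions raised by setFeature are already declared cannot be confirmed from here.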
@@ -115,6 +121,12 @@ public class XmlUtils {
         if (dbf == null) {
             dbf = DocumentBuilderFactory.newInstance();
             dbf.setNamespaceAware(true);
+            
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, true);
+            
dbf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+            
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+            dbf.setXIncludeAware(false);
+            dbf.setExpandEntityReferences(false);
             DOCUMENT_BUILDER_FACTORY.set(dbf);
         }
         return dbf.newDocumentBuilder();
@@ -124,6 +136,8 @@ public class XmlUtils {
         TransformerFactory tf = TRANSFORMER_FACTORY.get();
         if (tf == null) {
             tf = TransformerFactory.newInstance();
+            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
             TRANSFORMER_FACTORY.set(tf);
         }
         return tf.newTransformer();
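Review bot: The two setAttribute calls on tf are repeated verbatim in the transformer(Source) hunk below (L79-87); both populate the same TRANSFORMER_FACTORY thread-local, so a private helper (a static method that calls TransformerFactory.newInstance(), sets ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET to "" and returns the factory) invoked as `tf = newSecureTransformerFactory();` in both places would keep the two paths from drifting. Note that TransformerFactory.setAttribute throws an unchecked IllegalArgumentException when the attribute is not recognized (a pre-JAXP 1.5 provider), which is a different failure mode from the checked exceptions on the parser factories; presumably that is acceptable here, but a short comment such as `// Block external DTD/stylesheet fetches (XXE/SSRF); unsupported on old JAXP providers -> IllegalArgumentException` would make the intent and the failure mode explicit. `tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` is also worth considering, as it is the portable switch all providers must support. The enclosing method's signature is outside the hunk.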
@@ -133,6 +147,8 @@ public class XmlUtils {
         TransformerFactory tf = TRANSFORMER_FACTORY.get();
         if (tf == null) {
             tf = TransformerFactory.newInstance();
+            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
             TRANSFORMER_FACTORY.set(tf);
         }
         return tf.newTransformer(xsltSource);
