This is an automated email from the ASF dual-hosted git repository.

dhavalshah9131 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 5ea59e017 RANGER-5477:XML External Entity Injection Security issue in 
Ranger (#834)
5ea59e017 is described below

commit 5ea59e017da646f7490b150631195712f964343e
Author: Bhaavesh Amol Amre <[email protected]>
AuthorDate: Wed Feb 4 17:41:10 2026 +0530

    RANGER-5477:XML External Entity Injection Security issue in Ranger (#834)
---
 .../main/java/org/apache/ranger/utils/install/XmlConfigChanger.java    | 3 +++
 1 file changed, 3 insertions(+)

diff --git 
a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
 
b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
index bbf42bf63..f72dc210f 100644
--- 
a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
+++ 
b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
@@ -283,6 +283,9 @@ public void run() throws ParserConfigurationException, 
SAXException, IOException
 
             TransformerFactory tfactory = TransformerFactory.newInstance();
 
+            
tfactory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+            
tfactory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            
tfactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
             tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
 
             Transformer transformer = tfactory.newTransformer();
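Review bot: The three added `setFeature` calls pass SAX/Xerces parser feature URIs to a `TransformerFactory`, which is not required to recognise them; `TransformerFactory.setFeature` throws `TransformerConfigurationException` for a feature it does not support, and the JDK's built-in factory, as far as I know, rejects names outside its own set. Because the new calls sit before the existing `FEATURE_SECURE_PROCESSING` line, a rejection on the first one would skip that setting and the transform as well, depending on how the exception is handled elsewhere in `run()`, which starts and ends outside this hunk. For a transformer the JAXP 1.5 restrictions are the portable form: `tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`, placed after the secure-processing line. The doctype and external-entity features belong on the `DocumentBuilderFactory` that parses the input file, which is not visible here, so it is worth confirming they are set there.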
