Repository: roller Updated Branches: refs/heads/roller-5.2.x [created] 26764874b
[ROL-2124] disable DOCTYPE handling in SAX Parser. Project: http://git-wip-us.apache.org/repos/asf/roller/repo Commit: http://git-wip-us.apache.org/repos/asf/roller/commit/26764874 Tree: http://git-wip-us.apache.org/repos/asf/roller/tree/26764874 Diff: http://git-wip-us.apache.org/repos/asf/roller/diff/26764874 Branch: refs/heads/roller-5.2.x Commit: 26764874bd1c33f3967baf74818422b6d5d8f227 Parents: 0a8b286 Author: Dave Johnson <[email protected]> Authored: Sun Dec 9 14:48:35 2018 -0500 Committer: Dave Johnson <[email protected]> Committed: Sun Dec 9 14:48:35 2018 -0500 ---------------------------------------------------------------------- .../weblogger/business/WebloggerImpl.java | 55 ++++++++++++++------ 1 file changed, 39 insertions(+), 16 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/roller/blob/26764874/app/src/main/java/org/apache/roller/weblogger/business/WebloggerImpl.java ---------------------------------------------------------------------- diff --git a/app/src/main/java/org/apache/roller/weblogger/business/WebloggerImpl.java b/app/src/main/java/org/apache/roller/weblogger/business/WebloggerImpl.java index 1cf6359..476ad89 100644 --- a/app/src/main/java/org/apache/roller/weblogger/business/WebloggerImpl.java +++ b/app/src/main/java/org/apache/roller/weblogger/business/WebloggerImpl.java 
@@ -33,6 +33,15 @@ import org.apache.roller.weblogger.business.search.IndexManager;
 import org.apache.roller.weblogger.business.runnable.ThreadManager;
 import org.apache.roller.weblogger.business.themes.ThemeManager;
 import org.apache.roller.weblogger.config.PingConfig;
+import org.apache.roller.weblogger.config.WebloggerConfig;
+import org.apache.roller.weblogger.config.WebloggerRuntimeConfig;
+import org.apache.xmlrpc.util.SAXParsers;
+import org.springframework.security.access.method.P;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
 
 
 /**
@@ -134,7 +143,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getThreadManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getThreadManager()
 */
 public ThreadManager getThreadManager() {
 return threadManager;
@@ -144,7 +153,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.model.Weblogger#getIndexManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getIndexManager()
 */
 public IndexManager getIndexManager() {
 return indexManager;
@@ -154,7 +163,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getThemeManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getThemeManager()
 */
 public ThemeManager getThemeManager() {
 return themeManager;
@@ -164,7 +173,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getUserManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getUserManager()
 */
 public UserManager getUserManager() {
 return userManager;
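Review bot: Three of the imports added in the first hunk are not used by the new code visible in this commit: `WebloggerConfig`, `WebloggerRuntimeConfig` and `org.springframework.security.access.method.P`; the SAX hardening block further down only needs `SAXParsers`, `SAXParserFactory`, `ParserConfigurationException` and the two `SAXNot*Exception` types. `P` in particular looks like an IDE auto-import and pulls a Spring Security annotation type into the business layer for no purpose. Unless the two config classes are referenced elsewhere in the file outside this diff, drop the three lines.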
@@ -174,7 +183,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getBookmarkManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getBookmarkManager()
 */
 public BookmarkManager getBookmarkManager() {
 return bookmarkManager;
@@ -184,7 +193,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getMediaFileManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getMediaFileManager()
 */
 public MediaFileManager getMediaFileManager() {
 return mediaFileManager;
@@ -193,7 +202,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getFileContentManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getFileContentManager()
 */
 public FileContentManager getFileContentManager() {
 return fileContentManager;
@@ -203,7 +212,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getWeblogEntryManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getWeblogEntryManager()
 */
 public WeblogEntryManager getWeblogEntryManager() {
 return weblogEntryManager;
@@ -213,7 +222,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getWeblogManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getWeblogManager()
 */
 public WeblogManager getWeblogManager() {
 return weblogManager;
@@ -223,7 +232,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getPropertiesManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getPropertiesManager()
 */
 public PropertiesManager getPropertiesManager() {
 return propertiesManager;
@@ -233,7 +242,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getPingTargetManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getPingTargetManager()
 */
 public PingQueueManager getPingQueueManager() {
 return pingQueueManager;
@@ -243,7 +252,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getPingTargetManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getPingTargetManager()
 */
 public AutoPingManager getAutopingManager() {
 return autoPingManager;
@@ -253,7 +262,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getPingTargetManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getPingTargetManager()
 */
 public PingTargetManager getPingTargetManager() {
 return pingTargetManager;
@@ -263,7 +272,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getPluginManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getPluginManager()
 */
 public PluginManager getPluginManager() {
 return pluginManager;
@@ -273,7 +282,7 @@ public abstract class WebloggerImpl implements Weblogger {
 /**
 *
 *
- * @see org.apache.roller.weblogger.modelWebloggerr#getOauthManager()
+ * @see org.apache.roller.weblogger.business.Weblogger#getOAuthManager()
 */
 public OAuthManager getOAuthManager() {
 return oauthManager;
@@ -334,7 +343,21 @@ public abstract class WebloggerImpl implements Weblogger {
 getThreadManager().initialize();
 getIndexManager().initialize();
 getMediaFileManager().initialize();
-
+
+ // Turn off External DTD support in SAXParser to protect Roller from vulnerability.
+ SAXParserFactory spf = SAXParsers.getSAXParserFactory();
+ try {
+ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
+ String message = "Unable to turn off External DTD support in SAXParser. XML-RLC is vulnerable";
+ if ( log.isDebugEnabled() ) {
+ log.error(message, e);
+ } else {
+ log.error(message);
+ }
+ }
+
 try {
 // Initialize ping systems
 // TODO: this should probably be moving inside ping manager initialize() methods?
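Review bot: The catch block at the end of the new code is fail-open: when the two features cannot be set, it logs `XML-RLC is vulnerable` (typo for XML-RPC) and lets initialization continue with an unhardened factory, so the XML-RPC endpoint stays exposed to exactly the DOCTYPE input this commit is meant to reject. Since `initialize()` (whose signature lies outside the hunk) is already where startup aborts on configuration problems, failing startup is the safer outcome, e.g. `throw new InitializationException(message, e);` if that is the exception type the method declares. The `log.isDebugEnabled()` branching also discards the cause in the normal ERROR-level path; pass `e` unconditionally. This also relies on `SAXParsers.getSAXParserFactory()` returning the shared factory that XML-RPC actually parses requests with — if it handed back a fresh instance per call the features would have no effect — so a one-line comment stating that assumption would help the next maintainer.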
