This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 2_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/2_0_X by this push:
     new a19c19e  Disallow Doctypes for SAXParserFactory
a19c19e is described below

commit a19c19e19948cd9e9457d709144ae6d1c2bcc239
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Oct 11 11:35:34 2019 +0100

    Disallow Doctypes for SAXParserFactory
---
 .../apache/syncope/core/persistence/jpa/content/XMLContentLoader.java    | 1 +
 1 file changed, 1 insertion(+)

diff --git 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
index cdc01d0..3b117fe 100644
--- 
a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
+++ 
b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
@@ -107,6 +107,7 @@ public class XMLContentLoader extends AbstractContentDealer 
implements ContentLo
 
         SAXParserFactory factory = SAXParserFactory.newInstance();
         factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
         try (InputStream in = contentXML.getResource().getInputStream()) {
             SAXParser parser = factory.newSAXParser();
             parser.parse(in, new ContentLoaderHandler(dataSource, 
ROOT_ELEMENT, true, env));
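Review bot: The added `setFeature` call for `disallow-doctype-decl` has no comment, yet it changes what input the loader accepts: any content XML that carries a DOCTYPE declaration will now be rejected at parse time. A one-line comment above it would record the intent, e.g. `// Reject any DOCTYPE: blocks XXE and entity expansion, which FEATURE_SECURE_PROCESSING alone does not guarantee`. The feature URI is Xerces-defined, so a SAXParserFactory implementation that does not recognise it will throw from `setFeature`; that fails closed, which is the safer outcome, but it is worth noting in the method's Javadoc. The `;` after the closing quote of the URI looks like an artifact of the mail-archive rendering rather than the committed code. The enclosing method starts and ends outside the hunk, so how these exceptions are handled is not visible here.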
