[zookeeper] branch branch-3.5 updated: ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory

Wed, 09 Jan 2019 06:10:08 -0800 

This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.5 by this push:
     new fdcf0ec  ZOOKEEPER-3235: Enable secure processing and disallow DTDs in 
the SAXParserFactory
fdcf0ec is described below

commit fdcf0ecd1916083239c3b7c0bdeef63898dc2907
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Wed Jan 9 15:09:14 2019 +0100

    ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the 
SAXParserFactory
    
    It's good security practice to set the secure processing feature on 
SAXParserFactory and to disallow Doctypes if they aren't needed.
    
    Author: Colm O hEigeartaigh <[email protected]>
    
    Reviewers: [email protected]
    
    Closes #716 from coheigea/sax_secureproc
    
    (cherry picked from commit a5b3114d70d03f70b068b209fe393388f3c77991)
    Signed-off-by: Andor Molnar <[email protected]>
---
 zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java 
b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
index 99e11d1..a4ae938 100644
--- a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
+++ b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
@@ -143,6 +143,8 @@ class XmlInputArchive implements InputArchive {
         valList = new ArrayList<Value>();
         DefaultHandler handler = new XMLParser(valList);
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+        
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
         SAXParser parser = factory.newSAXParser();
         parser.parse(in, handler);
         vLen = valList.size();

Reply via email to