[
https://issues.apache.org/jira/browse/CXF-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14607679#comment-14607679
]
Daniel Kulp edited comment on CXF-6217 at 7/1/15 12:34 PM:
-----------------------------------------------------------
Can you answer my previous comment?
Also found some more occurrences (CXF 3.1.1):
{code}
1. org.apache.cxf.jaxrs.ext.xml.XmlSource: XPath xpath = XPathFactory.newInstance().newXPath();
2. org.apache.cxf.jaxrs.provider.XSLTJaxbProvider: factory = (SAXTransformerFactory)TransformerFactory.newInstance();
3. org.apache.cxf.tools.validator.internal.ValidatorUtil: DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
4. org.apache.cxf.tools.common.toolspec.ToolSpec: Transformer trans = TransformerFactory.newInstance().newTransformer(new StreamSource(stylesheet));
5. org.apache.cxf.management.web.browser.bootstrapping.SimpleXMLSettingsStorage: entries = (Entries) unmarshaller.unmarshal(file);
6. org.apache.cxf.tools.validator.internal.SchemaValidator: SAXSource saxSource = new SAXSource(saxParser.getXMLReader(), wsdlsource);
7. org.apache.cxf.tools.wsdlto.core.PluginLoader: return (Plugin) ((JAXBElement<?>)unmarshaller.unmarshal(is)).getValue();
8. org.apache.cxf.transport.http.netty.server.blueprint.NettyHttpServerEngineFactoryHolder: Element element = docFactory.newDocumentBuilder().parse(new ByteArrayInputStream(parsedElement.getBytes())).getDocumentElement();
9. org.apache.cxf.transport.http_jetty.blueprint.JettyHTTPServerEngineFactoryHolder: Element element = docFactory.newDocumentBuilder().parse(new ByteArrayInputStream(parsedElement.getBytes())).getDocumentElement();
10. org.apache.cxf.tools.wsdlto.databinding.jaxb.NamespaceContextImpl: document = docFact.newDocumentBuilder().parse(file);
{code}
Do you want a new ticket for this?
was (Author: dkwakkel): the same text as above, without the {code} markup.
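The ten occurrences listed in the comment above all obtain a JAXP factory with `newInstance()` and use it with its defaults. The following is an added example, not CXF code, showing how each factory type named in that list (DocumentBuilderFactory, SAXParserFactory, TransformerFactory, XPathFactory) can be locked down before it is used on input that may be untrusted; the constructed document declares an external entity so the effect of each setting is visible. The feature URIs are the standard SAX/Xerces ones and the `XMLConstants.ACCESS_EXTERNAL_*` attributes need a JAXP 1.5 runtime (Java 7u40 or later); the printed outcomes are informational, and exactly which message each path prints depends on the JAXP implementation on the classpath.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.xpath.XPathFactory;
import javax.xml.xpath.XPathFactoryConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Added example, not CXF project code: hardened construction of the JAXP
// factory types named in the ticket comment, exercised against a constructed
// document that declares an external entity.
public class HardenedXmlFactories {

    // Constructed input: a DOCTYPE with an external general entity.
    static final String DOCTYPE_DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///nonexistent-xxe-probe\">]>\n"
        + "<doc>&ext;</doc>";

    // DOM parsing (the SimpleXMLSettingsStorage, *EngineFactoryHolder and
    // NamespaceContextImpl style of use). Refusing any DOCTYPE is the single
    // strongest setting; the entity features are belt and braces for parsers
    // that do not know the Xerces-specific disallow-doctype-decl feature.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // SAX parsing (the SchemaValidator case, which wraps saxParser.getXMLReader()).
    static SAXParserFactory hardenedSaxParserFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // XSLT (the XSLTJaxbProvider and ToolSpec cases). Empty access strings
    // block external DTDs in the input and stylesheets pulled in through
    // xsl:import/xsl:include or document().
    static TransformerFactory hardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    // XPath (the XmlSource case). XPath does not parse XML itself, so the
    // entity risk lives in whichever parser produced the node it runs over;
    // secure processing here limits extension functions, nothing more.
    static XPathFactory hardenedXPathFactory() throws XPathFactoryConfigurationException {
        XPathFactory f = XPathFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    public static void main(String[] args) throws Exception {
        byte[] bytes = DOCTYPE_DOC.getBytes(StandardCharsets.UTF_8);
        try {
            hardenedDocumentBuilderFactory().newDocumentBuilder().parse(new ByteArrayInputStream(bytes));
            System.out.println("DOM: parsed without error (unexpected)");
        } catch (SAXException e) {
            System.out.println("DOM: rejected: " + e.getMessage());
        }
        try {
            hardenedSaxParserFactory().newSAXParser().getXMLReader()
                .parse(new InputSource(new StringReader(DOCTYPE_DOC)));
            System.out.println("SAX: parsed without error (unexpected)");
        } catch (SAXException e) {
            System.out.println("SAX: rejected: " + e.getMessage());
        }
        try {
            hardenedTransformerFactory().newTransformer()
                .transform(new StreamSource(new StringReader(DOCTYPE_DOC)), new DOMResult());
            System.out.println("XSLT: identity transform ran; external DTD access was blocked");
        } catch (TransformerException e) {
            System.out.println("XSLT: rejected: " + e.getMessage());
        }
        hardenedXPathFactory().newXPath();
        System.out.println("XPath: factory created with secure processing");
    }
}
```

Where a listed call site only ever reads developer-controlled files (for example the wsdl tooling cases), the same settings still cost nothing and remove the question of whether that input is trusted.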
> JmsPullPoint does not protect against external entities
> -------------------------------------------------------
>
> Key: CXF-6217
> URL: https://issues.apache.org/jira/browse/CXF-6217
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.0.1
> Reporter: Donald Kwakkel
> Assignee: Daniel Kulp
> Fix For: 3.0.4, 2.7.15
>
>
> I am not sure if this is by design, but the unmarshal call below does not prevent
> nor limit external entities resolution. This can expose the parser to an XML
> External Entities attack.
> JmsPullPoint:
> {code:java}
>     protected synchronized List<NotificationMessageHolderType> getMessages(int max)
>         throws ResourceUnknownFault, UnableToGetMessagesFault {
>         try {
>             if (max == 0) {
>                 max = 256;
>             }
>             initSession();
>             List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
>             for (int i = 0; i < max; i++) {
>                 Message msg = consumer.receiveNoWait();
>                 if (msg == null) {
>                     break;
>                 }
>                 TextMessage txtMsg = (TextMessage) msg;
>                 StringReader reader = new StringReader(txtMsg.getText());
>                 // Unmarshaller created with default parser settings: nothing here
>                 // disables DTD processing or external entities in the message text.
>                 Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
>                 messages.addAll(notify.getNotificationMessage());
>             }
>             return messages;
>         }
> {code}
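The following is an added example, not code from CXF or from the reporter, that puts the `createUnmarshaller().unmarshal(reader)` pattern from the ticket beside a hardened variant. The hardened form builds the StAX reader itself with `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` switched off and hands that reader to JAXB, so the DOCTYPE in the constructed message is either refused or left unprocessed and the entity is never resolved. The `Notify` class here is a hypothetical stand-in for the WS-Notification type CXF uses, the payload is constructed, and the example assumes a runtime where `javax.xml.bind` is available (Java 8, or JAXB on the classpath on later JDKs). Whether the ticket-pattern call actually expands the entity depends on the parser the JAXB implementation builds and on the JDK's default external-access properties, which is exactly why the hardened variant controls the parser explicitly.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example, not CXF code: the JmsPullPoint unmarshal pattern beside a
// variant that parses the JMS text with a locked-down StAX reader.
public class PullPointUnmarshalDemo {

    // Hypothetical stand-in for the WS-Notification Notify type; real CXF
    // code unmarshals org.oasis_open.docs.wsn.b_2.Notify from its JAXB context.
    @XmlRootElement(name = "Notify")
    public static class Notify {
        @XmlElement(name = "Message")
        public String message;
    }

    // Constructed JMS text payload: a DOCTYPE declaring an external entity
    // that points at a file on the consuming host.
    static String payloadReading(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE Notify [<!ENTITY xxe SYSTEM \"" + fileUri + "\">]>\n"
            + "<Notify><Message>&xxe;</Message></Notify>";
    }

    // The pattern from the ticket: JAXB builds its own parser with whatever
    // defaults the implementation and JDK supply; nothing here disables DTDs.
    static Notify unmarshalAsInTicket(JAXBContext ctx, String text) throws JAXBException {
        return (Notify) ctx.createUnmarshaller().unmarshal(new StringReader(text));
    }

    // Hardened variant: create the StAX reader with DTD processing and
    // external entity support off, then let JAXB consume that reader.
    static Notify unmarshalHardened(JAXBContext ctx, String text)
            throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(text));
        try {
            return (Notify) ctx.createUnmarshaller().unmarshal(xsr);
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // A temporary file plays the role of a local secret the entity targets.
        Path secret = Files.createTempFile("pullpoint-xxe", ".txt");
        Files.write(secret, "local-secret".getBytes(StandardCharsets.UTF_8));
        String payload = payloadReading(secret.toUri().toString());
        JAXBContext ctx = JAXBContext.newInstance(Notify.class);

        try {
            Notify n = unmarshalAsInTicket(ctx, payload);
            System.out.println("ticket pattern: Message = " + n.message);
        } catch (JAXBException e) {
            System.out.println("ticket pattern: rejected: " + e.getMessage());
        }
        try {
            Notify n = unmarshalHardened(ctx, payload);
            System.out.println("hardened: Message = " + n.message);
        } catch (Exception e) {
            System.out.println("hardened: rejected: " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

If the ticket-pattern run prints `local-secret`, the JAXB implementation in use resolved the external entity from an unauthenticated JMS message; if it prints a rejection, that protection came from the implementation's or JDK's defaults rather than from the pull point's own code, which is the gap the ticket describes.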
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)