Donald Kwakkel created AXIS2-5877:
-------------------------------------
Summary: ConvertUtils.java:225 (XML External Entity Injection)
Key: AXIS2-5877
URL: https://issues.apache.org/jira/browse/AXIS2-5877
Project: Axis2
Issue Type: Bug
Components: jaxws
Affects Versions: 1.7.6
Reporter: Donald Kwakkel
Priority: Critical
XML parser configured in ConvertUtils.java:225 does not prevent nor limit
external entities resolution. This can expose the parser to an XML External
Entities attack.
Proposed fix: Enable where TransformerFactory is used always the secure
processing feature:
{code:java}
public static TransformerFactory createTransformerFactory() {
TransformerFactory factory = TransformerFactory.newInstance();
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
}
catch (TransformerConfigurationException e) {
throw new IllegalStateException(e);
}
return factory;
}
{code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
