[ https://issues.apache.org/jira/browse/AXIS2-5878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Veithen updated AXIS2-5878: ----------------------------------- Component/s: (was: jaxws) ide plugins > ValidateXMLFile.java:55 (XML External Entity Injection) > ------------------------------------------------------- > > Key: AXIS2-5878 > URL: https://issues.apache.org/jira/browse/AXIS2-5878 > Project: Axis2 > Issue Type: Bug > Components: ide plugins > Affects Versions: 1.7.6 > Reporter: Donald Kwakkel > Priority: Critical > Labels: security > > XML parser configured in ValidateXMLFile.java:55 does not prevent nor limit > external entities resolution. This can expose the parser to an XML External > Entities attack. > Proposed solution: Always disable external entities when creating a > DocumentBuilderFactory: > {code:java} > public static DocumentBuilderFactory createDocumentBuilderFactory() { > DocumentBuilderFactory factory = > DocumentBuilderFactory.newInstance(); > factory.setNamespaceAware(true); > try { > > factory.setFeature("http://xml.org/sax/features/external-general-entities", > false); > > factory.setFeature("http://xml.org/sax/features/external-parameter-entities", > false); > } > catch (ParserConfigurationException e) { > throw new IllegalStateException(e); > } > return factory; > } > {code} -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org For additional commands, e-mail: java-dev-h...@axis.apache.org