[
https://issues.apache.org/jira/browse/AXIS2-5879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andreas Veithen resolved AXIS2-5879.
------------------------------------
Resolution: Invalid
This code is used by the code generator to read the WSDL supplied by the user.
If the user wishes to process a WSDL with external entities, then we should
just do that. There is no security risk here.
> WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)
> ---------------------------------------------------------------------------
>
> Key: AXIS2-5879
> URL: https://issues.apache.org/jira/browse/AXIS2-5879
> Project: Axis2
> Issue Type: Bug
> Components: kernel
> Affects Versions: 1.7.6
> Reporter: Donald Kwakkel
> Priority: Critical
> Labels: security
>
> XML parser configured in WSDL20ToAxisServiceBuilder.java:1235 and 1255 does
> not prevent nor limit external entities resolution. This can expose the
> parser to an XML External Entities attack.
> Proposed solution: Always disable external entities:
> {code:java}
> public static DocumentBuilderFactory createDocumentBuilderFactory() {
> DocumentBuilderFactory factory =
> DocumentBuilderFactory.newInstance();
> factory.setNamespaceAware(true);
> try {
>
> factory.setFeature("http://xml.org/sax/features/external-general-entities";,
> false);
>
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities";,
> false);
> }
> catch (ParserConfigurationException e) {
> throw new IllegalStateException(e);
> }
> return factory;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
