[
https://issues.apache.org/jira/browse/AXIS2-5877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Lazarski closed AXIS2-5877.
----------------------------------
Resolution: Incomplete
> XML External Entity Injections
> ------------------------------
>
> Key: AXIS2-5877
> URL: https://issues.apache.org/jira/browse/AXIS2-5877
> Project: Axis2
> Issue Type: Bug
> Components: jaxws
> Affects Versions: 1.7.6
> Reporter: Donald Kwakkel
> Priority: Critical
> Labels: security
> Attachments: xxe1.png, xxe2.png
>
>
> XML parser configured in ConvertUtils.java:225 does not prevent nor limit
> external entities resolution. This can expose the parser to an XML External
> Entities attack.
> Proposed fix: Enable where TransformerFactory is used always the secure
> processing feature:
> {code:java}
> public static TransformerFactory createTransformerFactory() {
> TransformerFactory factory = TransformerFactory.newInstance();
> try {
>
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> }
> catch (TransformerConfigurationException e) {
> throw new IllegalStateException(e);
> }
> return factory;
> }
> {code}
> Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations
> where this and DocumentBuilderFactory is handled wrong. See attached
> screenshots.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org
For additional commands, e-mail: java-dev-h...@axis.apache.org
