digi-scrypt opened a new pull request, #1221: URL: https://github.com/apache/axis-axis2-java-core/pull/1221
1. SOAPPartImpl.setContent builds its XMLInputFactory with newInstance() and no other settings, so DTDs and external entities are left on.
2. When the Source is a StreamSource it's handed straight to that reader, so a body with a DOCTYPE + SYSTEM entity gets expanded — file:// reads or outbound URLs from the parser.

Set SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES to false on the factory before it parses.

What happens if someone calls setContent with a StreamSource over an inbound stream? That's the documented SAAJ way to load a body, so the bytes are attacker reachable and the hardening has to live here rather than in the caller. Lines up with the recent WSDL/XSD XXE work that hardened the DOM path but didn't touch this StAX one.

Added a SOAPPartTest case that points an external entity at a temp file and checks the contents never land in the message.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
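The StAX XXE path the PR describes, reduced to a stand-alone demonstration. This is an added example, not code from the PR or from Axis2/SAAJ: it does not reproduce SOAPPartImpl, only the two ways of building the XMLInputFactory (bare newInstance() versus the hardened factory with SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES set to false) and feeds each a constructed SOAP body whose DOCTYPE declares a SYSTEM entity pointing at a temp file, through the same createXMLStreamReader(Source) entry point a StreamSource would take. The class and method names here are the example's own.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class StaxXxeDemo {

    // Constructed attacker body: a DOCTYPE with a SYSTEM entity that points at a local file,
    // referenced from inside the SOAP Body so its content would land in the message.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE Envelope [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
             + "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">"
             + "<env:Body><leak>&xxe;</leak></env:Body></env:Envelope>";
    }

    // The pattern the PR flags: a factory with no hardening, DTDs and external entities left on.
    static XMLInputFactory unsafeFactory() {
        return XMLInputFactory.newInstance();
    }

    // The fix the PR proposes: disable DTD processing and external entity resolution
    // on the factory before any reader is created from it.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Parse the document through a StreamSource (the SAAJ setContent path) and collect the
    // character data that would end up in the message. A hardened parser either refuses the
    // document or reports the entity reference unexpanded; both are recorded, not hidden.
    static String bodyText(XMLInputFactory f, String xml) {
        StringBuilder sb = new StringBuilder();
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StreamSource(new StringReader(xml)));
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.CDATA) {
                    sb.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    sb.append("[unresolved entity: ").append(r.getLocalName()).append("]");
                }
            }
            r.close();
        } catch (XMLStreamException e) {
            return "[parser refused: " + e.getMessage() + "]";
        }
        return sb.toString();
    }

    // True if the secret file's contents made it into the parsed message.
    static boolean leaks(XMLInputFactory f, String xml, String secretContent) {
        return bodyText(f, xml).contains(secretContent);
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        String marker = "SECRET-" + System.nanoTime();
        Files.writeString(secret, marker);
        String xml = payload(secret);

        System.out.println("unsafe factory leaks file:   " + leaks(unsafeFactory(), xml, marker));
        System.out.println("hardened factory leaks file: " + leaks(hardenedFactory(), xml, marker));
        System.out.println("hardened parser output:      " + bodyText(hardenedFactory(), xml));

        Files.deleteIfExists(secret);
    }
}
```

Run it with `java StaxXxeDemo.java` on JDK 11 or later. The check mirrors the PR's SOAPPartTest idea: the property that matters is not which exception the hardened parser throws (that varies between the JDK's built-in StAX and Woodstox) but that the temp file's contents never appear in the parsed body. Both properties are set because SUPPORT_DTD alone is enough with some implementations but IS_SUPPORTING_EXTERNAL_ENTITIES is the documented switch for SYSTEM entities, and setting them on the factory rather than the reader guarantees every reader created from it inherits them.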
