This is an automated email from the ASF dual-hosted git repository.

pottlinger pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-tamaya-sandbox.git


The following commit(s) were added to refs/heads/master by this push:
     new 2238b70  TAMAYA-277: Fix XXE possibility
2238b70 is described below

commit 2238b70c64951a85923f4cd960194e9275551971
Author: Hugo Hirsch <git...@hugo-hirsch.de>
AuthorDate: Sun May 12 01:03:43 2019 +0200

    TAMAYA-277: Fix XXE possibility
---
 .../java/org/apache/tamaya/metamodel/MetaConfiguration.java    | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git 
a/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java 
b/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java
index 5b54812..f4c7525 100644
--- a/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java
+++ b/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java
@@ -26,6 +26,7 @@ import java.util.Objects;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -111,12 +112,13 @@ public final class MetaConfiguration {
         LOG.info("TAMAYA: Loading tamaya-config.xml...");
         Document document = null;
         try {
-            document = DocumentBuilderFactory.newInstance()
-                    .newDocumentBuilder().parse(configFile.openStream());
+            final DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
+            factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, 
Boolean.TRUE);
+
+            document = 
factory.newDocumentBuilder().parse(configFile.openStream());
             ConfigurationBuilder builder = 
Configuration.createConfigurationBuilder();
             for(MetaConfigurationReader reader: 
ServiceContextManager.getServiceContext().getServices(
-                    MetaConfigurationReader.class
-            )){
+                    MetaConfigurationReader.class)){
                 LOG.fine("TAMAYA: Executing MetaConfig-Reader: " + 
reader.getClass().getName() + "...");
                 reader.read(document, builder);
             }
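Review bot: Setting only FEATURE_SECURE_PROCESSING on the new `factory.setAttribute(...)` line does not close the XXE path the commit title names: that feature bounds entity expansion and resource limits, but the JDK parser still resolves external general entities and external DTDs unless those are disabled separately (and the feature is already on by default in the JDK's own parser). The robust fix is to reject DOCTYPE declarations outright with the Xerces `http://apache.org/xml/features/disallow-doctype-decl` feature, or, if tamaya-config.xml legitimately carries a DOCTYPE, to set `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` to the empty string and switch off XInclude and entity-reference expansion. `setFeature(String, boolean)` is also the documented API for FEATURE_SECURE_PROCESSING; the JDK implementation appears to treat a Boolean attribute as a feature, but other JAXP implementations need not. The stream returned by `configFile.openStream()` on the re-emitted parse line is never closed, which a try-with-resources fixes at the same time. The enclosing method starts before this hunk and ends after it, so the surrounding `catch` clauses are not visible here.

```java
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
// Reject DOCTYPE entirely so no inline or external entity can be declared.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// Defence in depth for parsers that do not honour the Xerces feature above.
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);

try (InputStream in = configFile.openStream()) {
    document = factory.newDocumentBuilder().parse(in);
}
// … unchanged: ConfigurationBuilder creation and MetaConfigurationReader loop …
```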
