[ https://issues.apache.org/jira/browse/AXIS2-5879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Veithen updated AXIS2-5879: ----------------------------------- Component/s: (was: jaxws) kernel > WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection) > --------------------------------------------------------------------------- > > Key: AXIS2-5879 > URL: https://issues.apache.org/jira/browse/AXIS2-5879 > Project: Axis2 > Issue Type: Bug > Components: kernel > Affects Versions: 1.7.6 > Reporter: Donald Kwakkel > Priority: Critical > Labels: security > > XML parser configured in WSDL20ToAxisServiceBuilder.java:1235 and 1255 does > not prevent nor limit external entities resolution. This can expose the > parser to an XML External Entities attack. > Proposed solution: Always disable external entities: > {code:java} > public static DocumentBuilderFactory createDocumentBuilderFactory() { > DocumentBuilderFactory factory = > DocumentBuilderFactory.newInstance(); > factory.setNamespaceAware(true); > try { > > factory.setFeature("http://xml.org/sax/features/external-general-entities", > false); > > factory.setFeature("http://xml.org/sax/features/external-parameter-entities", > false); > } > catch (ParserConfigurationException e) { > throw new IllegalStateException(e); > } > return factory; > } > {code} -- This message was sent by Atlassian JIRA (v6.4.14#64029) --------------------------------------------------------------------- To unsubscribe, e-mail: java-dev-unsubscr...@axis.apache.org For additional commands, e-mail: java-dev-h...@axis.apache.org