Author: dims
Date: Fri Sep 16 07:21:58 2005
New Revision: 289557

URL: http://svn.apache.org/viewcvs?rev=289557&view=rev
Log:
switch off various parser options to prevent XXE attacks.

Modified:
    webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java

Modified: 
webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
URL: 
http://svn.apache.org/viewcvs/webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java?rev=289557&r1=289556&r2=289557&view=diff
==============================================================================
--- 
webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java 
(original)
+++ 
webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java 
Fri Sep 16 07:21:58 2005
@@ -118,7 +118,30 @@
     // Optional: set various configuration options
     dbf.setNamespaceAware(namespaceAware);
     dbf.setValidating(validating);
+
+    // Add various options explicitly to prevent XXE attacks. add try/catch 
around every
+    // setAttribute just in case a specific parser does not support it.
     dbf.setExpandEntityReferences(expandEntityReferences);
+    try {
+        
dbf.setAttribute("http://xml.org/sax/features/external-general-entities";,
+                Boolean.FALSE);
+    } catch (Throwable t) { }
+    try {
+        
dbf.setAttribute("http://xml.org/sax/features/external-parameter-entities";,
+                Boolean.FALSE);
+    } catch (Throwable t) { }
+    try {
+        
dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl";,
+                Boolean.TRUE);
+    } catch (Throwable t) { }
+    try {
+        
dbf.setAttribute("http://javax.xml.XMLConstants/feature/secure-processing";,
+                Boolean.TRUE);
+    } catch (Throwable t) { }
+    try {
+        
dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
+                Boolean.FALSE);
+    } catch (Throwable t) { }
 
     try {
       // Some parsers don't throw an exception here, but throw one when the
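Review bot: Each of the five new `catch (Throwable t) { }` blocks swallows everything, including `OutOfMemoryError` and `ThreadDeath`, and leaves no trace when a hardening attribute is rejected, so a deployment whose parser does not accept e.g. `disallow-doctype-decl` runs with that XXE protection silently missing. `DocumentBuilderFactory.setAttribute` documents only `IllegalArgumentException` for an attribute the implementation does not recognize, so that is the type to tolerate, and the rejection should be surfaced through the project's logging rather than dropped. The five identical try/catch blocks also read better as one private helper, sketched below; the enclosing factory method begins and ends outside this hunk. On JAXP 1.3+ parsers `setFeature(name, boolean)` is the documented way to toggle these boolean features and may be worth using if the project's minimum JDK allows it.
```java
    // … unchanged: setNamespaceAware / setValidating / setExpandEntityReferences …
    setSecurityAttribute(dbf, "http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
    setSecurityAttribute(dbf, "http://xml.org/sax/features/external-parameter-entities", Boolean.FALSE);
    setSecurityAttribute(dbf, "http://apache.org/xml/features/disallow-doctype-decl", Boolean.TRUE);
    setSecurityAttribute(dbf, "http://javax.xml.XMLConstants/feature/secure-processing", Boolean.TRUE);
    setSecurityAttribute(dbf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);

  /**
   * Applies one XXE-hardening attribute to the factory, tolerating parsers that do
   * not recognize it. Only IllegalArgumentException (the failure setAttribute
   * documents for an unknown attribute) is tolerated; anything else propagates so
   * a broken parser setup is not hidden.
   */
  private static void setSecurityAttribute(DocumentBuilderFactory dbf, String name, Boolean value) {
    try {
      dbf.setAttribute(name, value);
    } catch (IllegalArgumentException e) {
      // This parser does not support the attribute; record the gap so operators can
      // see which protections are actually in effect (use the project's logger here).
    }
  }
```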

