Author: jochen
Date: Thu Feb  4 10:10:07 2010
New Revision: 906432

URL: http://svn.apache.org/viewvc?rev=906432&view=rev
Log:
Fixed a potential security issue: The client has been able to include server 
side resources into the request by using external entities.
Submitted-by: Johan Hägre <[email protected]>

Modified:
    webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
    webservices/xmlrpc/trunk/pom.xml
    webservices/xmlrpc/trunk/src/changes/changes.xml

Modified: webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java?rev=906432&r1=906431&r2=906432&view=diff
==============================================================================
--- 
webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
 (original)
+++ 
webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
 Thu Feb  4 10:10:07 2010
@@ -34,6 +34,20 @@
                spf = SAXParserFactory.newInstance();
                spf.setNamespaceAware(true);
                spf.setValidating(false);
+               try {
+                   
spf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+               } catch (javax.xml.parsers.ParserConfigurationException e) {
+                   // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+               }
+               try {
+                   
spf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        } catch (javax.xml.parsers.ParserConfigurationException e) {
+            // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+               }
        }
 
        /** Creates a new instance of {...@link XMLReader}.
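Review bot: the catch blocks that follow each setFeature call swallow both ParserConfigurationException and SAXException with only an "// Ignore it" comment, so on a SAX implementation that does not recognise `http://xml.org/sax/features/external-general-entities` or `http://xml.org/sax/features/external-parameter-entities` the factory is handed back unchanged and external entities stay enabled, with nothing telling the operator that the mitigation did not take effect. Suggest logging the exception at warning level at minimum, or failing closed by rethrowing, and additionally setting `http://apache.org/xml/features/disallow-doctype-decl` to true where supported, since XML-RPC payloads never need a DOCTYPE and that also closes the DTD-loading paths these two flags leave open. The new catch lines also mix 8-space and tab-style indentation with the surrounding block; align them with the existing try lines.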

Modified: webservices/xmlrpc/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/pom.xml?rev=906432&r1=906431&r2=906432&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/pom.xml (original)
+++ webservices/xmlrpc/trunk/pom.xml Thu Feb  4 10:10:07 2010
@@ -187,6 +187,10 @@
       <email>[email protected]</email>
     </contributor>
     <contributor>
+      <name>Johan H&#244;gre</name>
+      <email>[email protected]</email>
+    </contributor>
+    <contributor>
       <name>Catalin Hritcu</name>
       <email>[email protected]</email>
     </contributor>
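Review bot: the added contributor entry encodes the name as `Johan H&#244;gre`, but `&#244;` is ô (Hôgre), whereas the commit log spells the submitter Hägre; if ä is intended the entity should be `&#228;`, or the character written directly if the file's declared encoding allows it.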

Modified: webservices/xmlrpc/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/src/changes/changes.xml?rev=906432&r1=906431&r2=906432&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/src/changes/changes.xml (original)
+++ webservices/xmlrpc/trunk/src/changes/changes.xml Thu Feb  4 10:10:07 2010
@@ -37,6 +37,10 @@
       <action dev="jochen" type="add" due-to="Gam" 
due-to-email="[email protected]">
         Added support for configured timeouts to the XmlRpcSun15HttpTransport 
class.
       </action>
+      <action dev="jochen" type="fix" due-to="Johan H&#244;gre" 
due-to-email="[email protected]">
+        Fixed a potential security hole: The client has been able to include 
server side resources
+        into the request by using external entities.
+      </action>
     </release>
 
     <release version="3.1.2" date="2009-Apr-19">
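Review bot: the new changes entry states the hole is fixed outright, but the SAXParsers change only applies when the underlying parser honours the two SAX entity features and silently ignores failures to set them, so the wording should say that external entity resolution is disabled where the JAXP implementation supports it. The `due-to="Johan H&#244;gre"` attribute also repeats the ô spelling that disagrees with Hägre in the commit log.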

