This is the first time I'm submitting a patch, so I'm hoping this is the right way to do it.

In our use of XML-RPC we have discovered a security issue regarding the use of external entities in XML. By creating a custom XML message and sending it to the XML-RPC handling service, it is possible to get the contents of files stored on the server's file system as part of the response. The way we would like to solve this is to set the features http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false for the SAX parser. However, we have not been able to find a way to set this, since we can't get hold of the parser object. The solution we propose is to add a way to set features in the org.apache.xmlrpc.util.SAXParsers class. The features set here will be used for all XMLReaders created through subsequent calls to SAXParsers.newXMLReader(). This modification will not affect any existing application, since if the setFeature() method in the SAXParsers class isn't used, nothing will happen. The patch file (created using svn diff) is attached to this post.


Best regards
Johan Hägre
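The attached patch is not reproduced in this post, so the following is an added, stand-alone example (not the poster's patch and not Apache XML-RPC code) showing what the two SAX features named above do when switched off. It uses the JDK's built-in SAX parser directly; the class name `XmlRpcEntityDemo`, the helper methods `newHardenedReader`, `newDefaultReader` and `parseStringParam`, the `Parsed` result type, the temp file and the `methodCall` request are all constructed for this demonstration and are not part of the project. It parses the same request twice, once with a default reader and once with the features set to false, and shows that the hardened reader returns an empty string value instead of the file contents.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XmlRpcEntityDemo {

    /** Hypothetical helper: an XMLReader with the two features from the post switched off. */
    static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Do not fetch external general entities (<!ENTITY x SYSTEM "..."> referenced as &x; in content).
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Do not fetch external parameter entities (%x; references inside the DTD).
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    /** Default reader, kept only for the side-by-side comparison. */
    static XMLReader newDefaultReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        return factory.newSAXParser().getXMLReader();
    }

    /** Result of one parse: text of the <string> value plus the entity names the parser skipped. */
    static final class Parsed {
        final String stringValue;
        final List<String> skippedEntities;
        Parsed(String stringValue, List<String> skippedEntities) {
            this.stringValue = stringValue;
            this.skippedEntities = skippedEntities;
        }
    }

    /** Collects the character data inside <string> and records any entity the parser refused to expand. */
    static Parsed parseStringParam(XMLReader reader, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        List<String> skipped = new ArrayList<>();
        reader.setContentHandler(new DefaultHandler() {
            private boolean inString;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                if ("string".equals(qName)) inString = true;
            }
            @Override public void endElement(String uri, String local, String qName) {
                if ("string".equals(qName)) inString = false;
            }
            @Override public void characters(char[] ch, int start, int len) {
                if (inString) text.append(ch, start, len);
            }
            // Xerces-based JDK parsers report an unexpanded external entity here; a useful audit-log hook.
            @Override public void skippedEntity(String name) { skipped.add(name); }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return new Parsed(text.toString(), skipped);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a server-side file that must never appear in a response.
        Path secret = Files.createTempFile("xmlrpc-demo", ".txt");
        Files.write(secret, "CONSTRUCTED-SECRET".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed methodCall whose string parameter references an external general entity.
        String request =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE methodCall [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<methodCall><methodName>echo</methodName>"
            + "<params><param><value><string>&ext;</string></value></param></params></methodCall>";

        Parsed unsafe = parseStringParam(newDefaultReader(), request);
        Parsed safe = parseStringParam(newHardenedReader(), request);

        System.out.println("default reader  -> value=\"" + unsafe.stringValue + "\"");
        System.out.println("hardened reader -> value=\"" + safe.stringValue
                + "\" skipped=" + safe.skippedEntities);
    }
}
```

With the hardened reader the `&ext;` reference is not resolved, so the `<string>` value comes back empty and the file is never opened; the default reader's result depends on how the JDK in use is configured, and on an unconfigured parser it will contain the temp file's contents, which is exactly the exposure described in the post. Setting the features on the reader that the service actually uses, as the proposed `SAXParsers.setFeature()` would, is what closes the gap for every request rather than for one demo parse.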
