From: ctubbsii
To: dev@accumulo.apache.org
Subject: [GitHub] accumulo pull request #192: ACCUMULO-4534 Disable external entities in SAX p...
Date: Fri, 9 Dec 2016 05:28:47 +0000 (UTC)
Message-Id: <20161209052847.C77D8E040F@git1-us-west.apache.org>

Github user ctubbsii commented on a diff in the pull request: https://github.com/apache/accumulo/pull/192#discussion_r91660989

--- Diff: server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java ---
@@ -118,6 +118,9 @@ public static void main(String[] args) throws Exception { } SAXParserFactory factory = SAXParserFactory.newInstance(); + factory.setFeature("http://xml.org/sax/features/external-general-entities", false); + factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); --- End diff -- These features are very specific to a particular parser. The only parser that we can reasonably expect any users to be using is xerces-j 2.7.1, which was integrated into `rt.jar` since JDK6. So, I would just do the following instead of anything more complicated or speculative with respect to a particular parser: `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` If the user is really convoluting their environment to use a different parser, then I think they're sort of on their own anyway. But, this tool is typically run in the same security context as the user... and not by a remote service, so there really isn't a vulnerability out-of-the-box anyway. --- If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastructure@apache.org or file a JIRA ticket with INFRA. ---
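Review bot: the three `setFeature` calls in this hunk use parser-specific feature URIs, and `SAXParserFactory.setFeature` throws `SAXNotRecognizedException` when the underlying parser does not know a URI, so on anything other than the Xerces parser the first unrecognized call aborts `main` before the parse instead of leaving the parser partially hardened; the hunk should either state that the bundled Xerces parser is assumed or handle that exception explicitly so the outcome is a deliberate decision. As the thread points out, setting `http://apache.org/xml/features/disallow-doctype-decl` to `true` rejects the DOCTYPE as a whole, which makes the separate external-general-entities, external-parameter-entities and load-external-dtd settings redundant on that parser.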
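The following is an added example, not code from the pull request or from the Accumulo project, showing the single-feature hardening proposed in the comment: a `SAXParserFactory` with `disallow-doctype-decl` enabled parses an ordinary document but rejects one that carries a DOCTYPE. The class and method names (`DoctypeRejectDemo`, `hardenedFactory`, `parses`) and the two XML strings are constructed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeRejectDemo {

    // Hypothetical helper: builds a factory that refuses any DOCTYPE declaration,
    // the one setting suggested in the thread instead of the three parser-specific
    // entity/DTD features. On a parser that does not know this URI, setFeature
    // throws SAXNotRecognizedException, which propagates to the caller here.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory;
    }

    // Returns true if the document was parsed, false if the parser rejected it
    // with a SAXParseException (which is what a disallowed DOCTYPE produces).
    static boolean parses(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                    new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory factory = hardenedFactory();

        // Constructed sample input: a plain document and one carrying a DOCTYPE
        // with an internal entity declaration.
        String plain = "<?xml version=\"1.0\"?><snapshot><node path=\"/a\"/></snapshot>";
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE snapshot [<!ENTITY e \"x\">]>"
                + "<snapshot>&e;</snapshot>";

        System.out.println("plain document parsed:   " + parses(factory, plain));
        System.out.println("DOCTYPE document parsed: " + parses(factory, withDoctype));
    }
}
```

Run with `javac DoctypeRejectDemo.java && java DoctypeRejectDemo` on a JDK that ships the built-in Xerces parser. The first call succeeds and the second fails before any entity is expanded, because the parser reports a fatal error as soon as it reaches the DOCTYPE; this is why one feature covers the whole class of DTD-driven input rather than only the external-entity cases.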