axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Donald Kwakkel (JIRA)" <>
Subject [jira] [Created] (AXIS2-5877) (XML External Entity Injection)
Date Tue, 05 Sep 2017 12:04:00 GMT
Donald Kwakkel created AXIS2-5877:

             Summary: (XML External Entity Injection)
                 Key: AXIS2-5877
             Project: Axis2
          Issue Type: Bug
          Components: jaxws
    Affects Versions: 1.7.6
            Reporter: Donald Kwakkel
            Priority: Critical

XML parser configured in does not prevent nor limit external entities
resolution. This can expose the parser to an XML External Entities attack.

Proposed fix: Enable where TransformerFactory is used always the secure processing feature:

	public static TransformerFactory createTransformerFactory() {
		TransformerFactory factory = TransformerFactory.newInstance();
		try {
			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
		catch (TransformerConfigurationException e) {
			throw new IllegalStateException(e);
		return factory;

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message