axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andreas Veithen (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (AXIS2-5878) ValidateXMLFile.java:55 (XML External Entity Injection)
Date Fri, 08 Sep 2017 23:09:00 GMT

     [ https://issues.apache.org/jira/browse/AXIS2-5878?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Andreas Veithen updated AXIS2-5878:
-----------------------------------
    Component/s:     (was: jaxws)
                 ide plugins

> ValidateXMLFile.java:55 (XML External Entity Injection)
> -------------------------------------------------------
>
>                 Key: AXIS2-5878
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5878
>             Project: Axis2
>          Issue Type: Bug
>          Components: ide plugins
>    Affects Versions: 1.7.6
>            Reporter: Donald Kwakkel
>            Priority: Critical
>              Labels: security
>
> XML parser configured in ValidateXMLFile.java:55 does not prevent nor limit external
entities resolution. This can expose the parser to an XML External Entities attack.
> Proposed solution: Always disable external entities when creating a DocumentBuilderFactory:
> {code:java}
> 	public static DocumentBuilderFactory createDocumentBuilderFactory() {
> 		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
> 		factory.setNamespaceAware(true);
> 			try {
> 				factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> 				factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> 			}
> 			catch (ParserConfigurationException e) {
> 				throw new IllegalStateException(e);
> 			}
> 		return factory;
> 	}
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message