cxf-issues mailing list archives

From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-6217) JmsPullPoint does not protect against external entities
Date Thu, 22 Jan 2015 14:43:34 GMT
Donald Kwakkel created CXF-6217:
-----------------------------------

             Summary: JmsPullPoint does not protect against external entities
                 Key: CXF-6217
                 URL: https://issues.apache.org/jira/browse/CXF-6217
             Project: CXF
          Issue Type: Bug
          Components: Core
    Affects Versions: 3.0.1
            Reporter: Donald Kwakkel


I am not sure if this is by design, but the unmarshal below does not prevent or limit external
entity resolution. This can expose the parser to an XML External Entities attack.

JmsPullPoint:

    protected synchronized List<NotificationMessageHolderType> getMessages(int max)
        throws ResourceUnknownFault, UnableToGetMessagesFault {
        try {
            if (max == 0) {
                max = 256;
            }
            initSession();
            List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
            for (int i = 0; i < max; i++) {
                Message msg = consumer.receiveNoWait();
                if (msg == null) {
                    break;
                }
                // The JMS text payload is handed to JAXB as raw XML ...
                TextMessage txtMsg = (TextMessage) msg;
                StringReader reader = new StringReader(txtMsg.getText());
                // ... and unmarshalled with a default parser: no DTD or external entity restrictions apply.
                Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
                messages.addAll(notify.getNotificationMessage());
            }
            return messages;
        }
        // catch clause and the remainder of the method are not included in the report
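A hardened form of the unmarshal call quoted above, as an added example that is not CXF's code: JAXB is fed a StAX reader whose factory has DTD support and external entity resolution switched off, so a message carrying a DOCTYPE is rejected instead of resolved. The `HardenedPullPoint` class, its `Notify` stand-in and the sample messages are constructed for this example.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedPullPoint {

    // Hypothetical stand-in for the WS-Notification Notify type used by JmsPullPoint.
    @XmlRootElement(name = "Notify")
    public static class Notify {
        public String notificationMessage;
    }

    // One locked-down factory, created once and reused: no DTD means no entity declarations
    // at all, and external entity resolution is disabled as a second line of defence.
    private static final XMLInputFactory SAFE_FACTORY = XMLInputFactory.newFactory();
    static {
        SAFE_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        SAFE_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    }

    private final JAXBContext jaxbContext;

    public HardenedPullPoint() throws JAXBException {
        this.jaxbContext = JAXBContext.newInstance(Notify.class);
    }

    // Replacement for unmarshal(new StringReader(text)): JAXB reads through the safe StAX reader.
    public Notify unmarshal(String text) throws JAXBException, XMLStreamException {
        XMLStreamReader xsr = SAFE_FACTORY.createXMLStreamReader(new StringReader(text));
        try {
            return (Notify) jaxbContext.createUnmarshaller().unmarshal(xsr);
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) throws Exception {
        HardenedPullPoint p = new HardenedPullPoint();
        // Constructed sample payloads, not real JMS traffic; the SYSTEM URI is a placeholder.
        String plain = "<Notify><notificationMessage>hello</notificationMessage></Notify>";
        String withDtd = "<!DOCTYPE Notify [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<Notify><notificationMessage>&ext;</notificationMessage></Notify>";
        System.out.println(p.unmarshal(plain).notificationMessage);
        try {
            p.unmarshal(withDtd);
        } catch (JAXBException | XMLStreamException e) {
            // Depending on the StAX implementation either the DTD itself is refused or the entity
            // reference is reported as undeclared; in both cases nothing is ever resolved.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```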



