cxf-issues mailing list archives

From "Daniel Kulp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-6217) JmsPullPoint does not protect against external entities
Date Wed, 01 Jul 2015 13:04:04 GMT

    [ https://issues.apache.org/jira/browse/CXF-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14610078#comment-14610078 ]

Daniel Kulp commented on CXF-6217:
----------------------------------

#1 has a workaround (enable buffering), but does need to be fixed.

Is #2 an actual problem? (have a testcase?)  We never pass in an InputStream or similar. 
It's always a StaxSource which goes through StaxUtils for the parsing.

#5 is only hit at application startup time and would require shell access to the file system
to change the file and ability to restart the app.

3/4/6/7/10 are only for the command line tools. Low priority, but probably should be fixed.

8/9 aren't problems.   The byte[] (parsedElement.getBytes()) that is passed in is created
from already parsed XML DOM.   

> JmsPullPoint does not protect against external entities
> -------------------------------------------------------
>
>                 Key: CXF-6217
>                 URL: https://issues.apache.org/jira/browse/CXF-6217
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>            Assignee: Daniel Kulp
>             Fix For: 3.0.4, 2.7.15
>
>
> I am not sure if this is by design, but the unmarshal below does not prevent nor limit
> external entities resolution. This can expose the parser to an XML External Entities attack.
> JmsPullPoint:
> {code:java}
>     protected synchronized List<NotificationMessageHolderType> getMessages(int max)
>         throws ResourceUnknownFault, UnableToGetMessagesFault {
>         try {
>             if (max == 0) {
>                 max = 256;
>             }
>             initSession();
>             List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
>             for (int i = 0; i < max; i++) {
>                 Message msg = consumer.receiveNoWait();
>                 if (msg == null) {
>                     break;
>                 }
>                 TextMessage txtMsg = (TextMessage) msg;
>                 StringReader reader = new StringReader(txtMsg.getText());
>                 Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
>                 messages.addAll(notify.getNotificationMessage());
>             }
>             return messages;
>         }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
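The issue above is that `unmarshal(Reader)` lets JAXB pick the underlying parser and its default entity handling. The fix direction Daniel points at (parse through a StAX reader that the application configures, then hand that reader to JAXB) can be shown in isolation. The following is an added example, not CXF's code and not code from the report: it assumes a constructed `Notify` class in place of the WS-Notification type, a constructed input document, and the JAXB 2 `javax.xml.bind` API that CXF 3.0.x used.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedUnmarshal {

    // Constructed stand-in for the Notify type in the report; not CXF's class.
    @XmlRootElement(name = "Notify")
    public static class Notify {
        public String message;
    }

    // Constructed input: declares an external entity and references it in content.
    // The SYSTEM target is deliberately harmless so the sample is safe to run locally;
    // a parser that resolves entities would read it, a hardened one never touches it.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Notify [<!ENTITY ext SYSTEM \"file:///dev/null\">]>\n"
      + "<Notify><message>&ext;</message></Notify>";

    // The pattern from the report: JAXB creates its own parser from the Reader, so
    // whether the external entity is resolved depends on the JAXB runtime's defaults.
    static Notify unmarshalFromReader(JAXBContext ctx, String xml) throws JAXBException {
        return (Notify) ctx.createUnmarshaller().unmarshal(new StringReader(xml));
    }

    // Hardened form: the application builds the StAX reader with DTD processing and
    // external-entity support switched off, then passes that reader to JAXB. JAXB only
    // consumes already-tokenised events and never opens an InputStream itself.
    static Notify unmarshalHardened(JAXBContext ctx, String xml)
            throws JAXBException, XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            return (Notify) ctx.createUnmarshaller().unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Notify.class);
        try {
            Notify n = unmarshalHardened(ctx, DOC);
            // Reached with StAX implementations that skip the DTD and leave the
            // reference unexpanded; message is then empty rather than file content.
            System.out.println("hardened: message=" + n.message);
        } catch (XMLStreamException | JAXBException e) {
            // Reached with implementations that reject the undeclared/external entity
            // outright once DTD support is off. Either outcome is the safe one.
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

Which of the two outcomes `main` prints depends on the StAX implementation on the classpath (the JDK's built-in parser versus Woodstox behave differently when `SUPPORT_DTD` is off), but in neither case is the `SYSTEM` target opened. `unmarshalFromReader` is kept only for comparison with the quoted `getMessages`; it is not invoked, because its behaviour is exactly what varies between JAXB runtimes and is the reason the report was filed.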
