directory-commits mailing list archives

From cohei...@apache.org
Subject directory-kerby git commit: Securing the DocumentBuilderFactory instance
Date Thu, 08 Mar 2018 10:43:00 GMT
Repository: directory-kerby
Updated Branches:
  refs/heads/trunk 2da23fcb6 -> 7169e93c2


Securing the DocumentBuilderFactory instance


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/7169e93c
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/7169e93c
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/7169e93c

Branch: refs/heads/trunk
Commit: 7169e93c2efd0ce21ddd2bab44adcde36e90f480
Parents: 2da23fc
Author: Colm O hEigeartaigh <coheigea@apache.org>
Authored: Thu Mar 8 10:42:46 2018 +0000
Committer: Colm O hEigeartaigh <coheigea@apache.org>
Committed: Thu Mar 8 10:42:46 2018 +0000

----------------------------------------------------------------------
 .../src/main/java/org/apache/kerby/config/XmlConfigLoader.java  | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/7169e93c/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
----------------------------------------------------------------------
diff --git a/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java b/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
index 2fd2f9c..78ac7a4 100644
--- a/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
+++ b/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
@@ -29,6 +29,7 @@ import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import java.io.InputStream;
@@ -46,6 +47,8 @@ public class XmlConfigLoader extends ConfigLoader {
 
     private Element loadResourceDocument(Resource resource) throws Exception {
         DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+        docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 
         docBuilderFactory.setIgnoringComments(true);
         docBuilderFactory.setNamespaceAware(true);
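Review bot: The two added `setFeature` calls in `loadResourceDocument` have no comment saying what they defend against, and the second one relies on a Xerces-specific feature URI. If the JAXP implementation on the classpath does not recognise `http://apache.org/xml/features/disallow-doctype-decl`, `setFeature` throws `ParserConfigurationException`, so configuration loading fails closed; that is the safer outcome, but it should be stated, e.g. `// XXE hardening: reject any DOCTYPE. setFeature throws if the parser lacks this feature, so loading fails closed.` A minor style point: the first call passes `Boolean.TRUE`, which is unboxed to `boolean`, while the second passes `true`; using `true` in both would be consistent. The method body continues past the end of this hunk, so whether the builder is configured further is not visible here.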
@@ -150,4 +153,4 @@ public class XmlConfigLoader extends ConfigLoader {
         }
         return null;
     }
-}
\ No newline at end of file
+}

