From romb...@apache.org
Subject [sling-org-apache-sling-xss] 02/04: SLING-5954 - Disable non-essential features in XML parser
Date Tue, 07 Nov 2017 10:25:23 GMT
This is an automated email from the ASF dual-hosted git repository.

rombert pushed a commit to annotated tag org.apache.sling.xss-1.0.12
in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-xss.git

commit ff79a088b04bee828ee264dce7c05c171e4ddf5a
Author: Bertrand Delacretaz <bdelacretaz@apache.org>
AuthorDate: Wed Aug 10 09:57:15 2016 +0000

    SLING-5954 - Disable non-essential features in XML parser
    
    git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/xss@1755704
13f79535-47bb-0310-9956-ffa450edef68
---
 src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java     | 10 ++++++++++
 src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java |  4 ++++
 2 files changed, 14 insertions(+)

diff --git a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
index e0fc15f..b38fde6 100644
--- a/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
+++ b/src/main/java/org/apache/sling/xss/impl/XSSAPIImpl.java
@@ -21,6 +21,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 import javax.annotation.Nonnull;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -43,6 +44,8 @@ import org.owasp.esapi.Validator;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 @Component
@@ -65,6 +68,13 @@ public class XSSAPIImpl implements XSSAPI {
         factory = SAXParserFactory.newInstance();
         factory.setValidating(false);
         factory.setNamespaceAware(true);
+        try {
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities",
false);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        } catch (Exception e) {
+            LOGGER.error("SAX parser configuration error: " + e.getMessage(), e);
+        }
     }
 
     @Deactivate
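Review bot: The new `catch (Exception e)` block turns a failed feature switch into a logged error and then lets the component keep running, so on a parser that rejects one of these features the factory would still be used with external DTD loading and external entities enabled — the hardening fails open. Since this appears to be the component's activation method (its signature is above the hunk and `@Deactivate` follows), consider failing activation instead: `} catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {` followed by `throw new IllegalStateException("SAX parser configuration error", e);`; the three specific exception types are already imported by the first two hunks but go unused with the broad catch. The `+ e.getMessage()` in the log line is also redundant given that `e` is passed as the throwable. Optionally, `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` would additionally enable the JAXP entity-expansion limits that the three SAX/Xerces features alone do not.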
diff --git a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
index e6f3c87..263514e 100644
--- a/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
+++ b/src/test/java/org/apache/sling/xss/impl/XSSAPIImplTest.java
@@ -673,6 +673,10 @@ public class XSSAPIImplTest {
                 {
                         "<t><w>xyz</t></w>",
                         RUBBISH_XML
+                },
+                {
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>",
+                        "<?xml version=\"1.0\"?><!DOCTYPE test SYSTEM \"http://nonExistentHost:1234/\"><test/>"
                 }
         };
         for (String[] aTestData : testData) {
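Review bot: The added case only exercises the external-DTD path (a `SYSTEM` identifier pointing at an unreachable host) and, judging by the expected value, asserts that the input is returned unchanged; the `external-general-entities` and `external-parameter-entities` features set in the main hunk have no corresponding case. A short comment on the new entry would help future readers understand why a bogus host is the expected-to-pass input, e.g. `// DOCTYPE must not be fetched: load-external-dtd is disabled in XSSAPIImpl`. The surrounding test method and the assertion loop start and end outside this hunk, so how RUBBISH_XML vs. pass-through is decided cannot be confirmed from here.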

