zookeeper-commits mailing list archives

From an...@apache.org
Subject [zookeeper] branch master updated: ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory
Date Wed, 09 Jan 2019 14:09:33 GMT
This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/master by this push:
     new a5b3114  ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory
a5b3114 is described below

commit a5b3114d70d03f70b068b209fe393388f3c77991
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Wed Jan 9 15:09:14 2019 +0100

    ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory
    
    It's good security practice to set the secure processing feature on SAXParserFactory and
    to disallow Doctypes if they aren't needed.
    
    Author: Colm O hEigeartaigh <coheigea@apache.org>
    
    Reviewers: andor@apache.org
    
    Closes #716 from coheigea/sax_secureproc
---
 zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
index 99e11d1..a4ae938 100644
--- a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
+++ b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
@@ -143,6 +143,8 @@ class XmlInputArchive implements InputArchive {
         valList = new ArrayList<Value>();
         DefaultHandler handler = new XMLParser(valList);
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         SAXParser parser = factory.newSAXParser();
         parser.parse(in, handler);
         vLen = valList.size();
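Review bot: the two added `setFeature` calls pass the flag inconsistently, `Boolean.TRUE` on the `FEATURE_SECURE_PROCESSING` line and the literal `true` on the `disallow-doctype-decl` line; the parameter is a primitive `boolean`, so the first only relies on auto-unboxing for no gain and both should read `true`. The string `http://apache.org/xml/features/disallow-doctype-decl` is a Xerces feature name: the JDK's bundled parser honours it, but a different SAX provider resolved by `SAXParserFactory.newInstance()` would throw `SAXNotRecognizedException` at this point, which fails closed (no parser is created, so no DTD can be processed) but deserves a short comment so the next reader does not mistake it for a bug. Since `factory.newSAXParser()` on the following line already throws `ParserConfigurationException` and `SAXException`, and the `setFeature` exceptions are those or subclasses of them, no new throws clause should be needed, assuming the enclosing method already declares them.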

