zookeeper-commits mailing list archives

From an...@apache.org
Subject [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory
Date Wed, 09 Jan 2019 14:09:55 GMT
This is an automated email from the ASF dual-hosted git repository.

andor pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git


The following commit(s) were added to refs/heads/branch-3.5 by this push:
     new fdcf0ec  ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory
fdcf0ec is described below

commit fdcf0ecd1916083239c3b7c0bdeef63898dc2907
Author: Colm O hEigeartaigh <coheigea@apache.org>
AuthorDate: Wed Jan 9 15:09:14 2019 +0100

    ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory
    
    It's good security practice to set the secure processing feature on SAXParserFactory and
    to disallow Doctypes if they aren't needed.
    
    Author: Colm O hEigeartaigh <coheigea@apache.org>
    
    Reviewers: andor@apache.org
    
    Closes #716 from coheigea/sax_secureproc
    
    (cherry picked from commit a5b3114d70d03f70b068b209fe393388f3c77991)
    Signed-off-by: Andor Molnar <andor@apache.org>
---
 zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
index 99e11d1..a4ae938 100644
--- a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
+++ b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
@@ -143,6 +143,8 @@ class XmlInputArchive implements InputArchive {
         valList = new ArrayList<Value>();
         DefaultHandler handler = new XMLParser(valList);
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         SAXParser parser = factory.newSAXParser();
         parser.parse(in, handler);
         vLen = valList.size();
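Review bot: the two new `factory.setFeature(...)` calls can throw the checked exceptions `SAXNotRecognizedException` and `SAXNotSupportedException` (plus `ParserConfigurationException`), and the hunk does not show the enclosing method's `throws` clause, so please confirm it already declares or handles them; otherwise this will not compile. The feature URI `"http://apache.org/xml/features/disallow-doctype-decl"` is Xerces-specific rather than part of the JAXP standard, so if the `SAXParserFactory` resolved at runtime is a different implementation the call will fail with `SAXNotRecognizedException` rather than silently leaving DTDs enabled; a short comment noting that the parser is expected to be the JDK's built-in Xerces (or a catch that logs and fails closed) would make that dependency explicit. Minor style point: the first call passes `Boolean.TRUE` and the second `true`; pick one for consistency.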

