author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-03-10 16:02:16 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-03-10 16:02:16 +0100 |
commit | 3979e8addd354e59d5601d1ad89b4fad228da2d5 (patch) | |
tree | 9cce3ace4dccb55b32f1c32b6263571dc0d1a8b0 | |
parent | 387d68e06f2af5e5a180319438a6824d70846c5c (diff) | |
fix possible DoS Bug
-rw-r--r-- | id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index fed968443..62a168ac8 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -28,6 +28,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -542,6 +543,7 @@ public class DOMUtils {
 /**
 * A convenience method to parse an XML document non validating.
+ * This method disallow DocType declarations
 *
 * @param inputStream The <code>InputStream</code> containing the XML
 * document.
@@ -552,10 +554,16 @@ public class DOMUtils {
 * parser.
 */
 public static Element parseXmlNonValidating(InputStream inputStream)
- throws ParserConfigurationException, SAXException, IOException {
+ throws ParserConfigurationException, SAXException, IOException {
 return DOMUtils
- .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, null)
- .getDocumentElement();
+ .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null,
+ Collections.unmodifiableMap(new HashMap<String, Object>() {
+ private static final long serialVersionUID = 1L;
+ {
+ put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true);
+
+ }
+ })).getDocumentElement();
 }
 /** |
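Review bot: The added Javadoc line in the second hunk tells callers that DOCTYPE declarations are refused but not what that means for them: any input carrying a DTD that parsed before this commit will now be rejected, which is a behavior change for every existing caller of parseXmlNonValidating, and it is also the actual DoS mitigation (entity expansion and external entities both need a DTD), so the rationale deserves to be stated. I would replace the sentence with `* DOCTYPE declarations are rejected (mitigates DTD-based entity-expansion DoS and XXE); input carrying a DTD no longer parses.` and, if the parser surfaces the refusal as a SAXException as the method's throws clause suggests, add a matching `@throws SAXException if the document declares a DOCTYPE` entry. The current sentence also has a grammar slip ("This method disallow"). The Javadoc block continues outside this hunk.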
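Review bot: The feature map in the third hunk is built with a double-brace anonymous HashMap subclass on every call to parseXmlNonValidating, which allocates a new map and loads an extra anonymous class for what is a single constant entry; a one-line immutable constant does the same job and reads as the security policy it is. I would hoist it: `private static final Map<String, Object> DISALLOW_DOCTYPE_FEATURES = Collections.<String, Object>singletonMap(DOMUtils.DISALLOW_DOCTYPE_FEATURE, Boolean.TRUE);` and pass `DISALLOW_DOCTYPE_FEATURES` as the last argument to parseDocument (java.util.Map may need importing if the file does not already do so). Separately, only this one convenience method is hardened here; if the other parse overloads in DOMUtils still pass `null` for the feature map, they presumably remain exposed to the same DTD-based expansion attack, so it is worth checking whether the feature should be applied at parseDocument level rather than per caller. The enclosing class continues beyond this hunk.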