| author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-03-10 16:02:16 +0100 | 
|---|---|---|
| committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-03-13 08:59:39 +0100 | 
| commit | 27933ddff7201ea229e1f9572c88eecba47304c7 (patch) | |
| tree | 524c43ef3649e8c98370753f05e649c61a79ed60 /id/server/moa-id-commons/src | |
| parent | 4fbdacfa2e2029ac2c81048e59377b7dffcc3f45 (diff) | |
fix possible DoS Bug
Diffstat (limited to 'id/server/moa-id-commons/src')
| -rw-r--r-- | id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 14 | 
1 files changed, 11 insertions, 3 deletions
| diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index fed968443..62a168ac8 100644
--- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -28,6 +28,7 @@ import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -542,6 +543,7 @@ public class DOMUtils {
   /**
    * A convenience method to parse an XML document non validating.
+   * This method disallow DocType declarations
    *
    * @param inputStream The <code>InputStream</code> containing the XML
    * document.
@@ -552,10 +554,16 @@ public class DOMUtils {
    * parser.
    */
   public static Element parseXmlNonValidating(InputStream inputStream)
-    throws ParserConfigurationException, SAXException, IOException {
+    throws ParserConfigurationException, SAXException, IOException {	  
     return DOMUtils
-      .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, null)
-      .getDocumentElement();
+      .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, 
+    		  Collections.unmodifiableMap(new HashMap<String, Object>() {
+    			  private static final long serialVersionUID = 1L;
+    			  {	
+    				  put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true);
+				
+    			  }
+    		  })).getDocumentElement();
   }
   /** | 
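Review bot: The feature map handed to `parseDocument` in `parseXmlNonValidating` is built by double-brace initialization (an anonymous `HashMap` subclass with its own `serialVersionUID`), which loads an extra class for one constant entry and also leaves stray trailing whitespace on the `{` line and the blank line inside the initializer; `Collections.<String, Object>singletonMap(DOMUtils.DISALLOW_DOCTYPE_FEATURE, Boolean.TRUE)` gives the same immutable one-entry map in a single line and still uses the `Collections` import added in the first hunk. Because this map is what makes the entry point reject DOCTYPE declarations (the entity-expansion DoS the commit title refers to), it would be worth hoisting into a `private static final Map<String, Object> DISALLOW_DOCTYPE_FEATURES` so that any other `parseDocument` callers in this class that still pass `null` for the feature map — they are outside the hunk, if they exist — can share the same hardening instead of re-deriving it. Whether `parseDocument` actually applies the map as parser features is not visible in this hunk and should be confirmed against its body. The javadoc line added in the second hunk would read better as `* This method disallows DOCTYPE declarations.`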
