aboutsummaryrefslogtreecommitdiff
path: root/common
diff options
context:
space:
mode:
authorThomas Lenz <tlenz@iaik.tugraz.at>2016-02-04 15:23:08 +0100
committerThomas Lenz <tlenz@iaik.tugraz.at>2016-02-04 15:23:08 +0100
commit1dab39c10271ef55d94b6d73955d89abfd48cd8e (patch)
tree49e8ac4bd00429e96e6f8ec7237c94c5f360ba81 /common
parent1848868d2d5a139696c4a6ae25a5c6b528354b4c (diff)
downloadmoa-id-spss-1dab39c10271ef55d94b6d73955d89abfd48cd8e.tar.gz
moa-id-spss-1dab39c10271ef55d94b6d73955d89abfd48cd8e.tar.bz2
moa-id-spss-1dab39c10271ef55d94b6d73955d89abfd48cd8e.zip
fix XXE DDoS problem in MOA-SPSS
Diffstat (limited to 'common')
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java4
1 files changed, 4 insertions, 0 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 2b816ed4c..0a07fc4a7 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -246,6 +246,10 @@ public class DOMUtils {
parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false);
parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
+
+ //fix XXE problem
+ parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
if (validating) {
if (externalSchemaLocations != null) {