diff options
author | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-03-10 16:02:16 +0100 |
---|---|---|
committer | Thomas Lenz <tlenz@iaik.tugraz.at> | 2017-03-13 08:59:39 +0100 |
commit | 27933ddff7201ea229e1f9572c88eecba47304c7 (patch) | |
tree | 524c43ef3649e8c98370753f05e649c61a79ed60 /id | |
parent | 4fbdacfa2e2029ac2c81048e59377b7dffcc3f45 (diff) | |
download | moa-id-spss-27933ddff7201ea229e1f9572c88eecba47304c7.tar.gz moa-id-spss-27933ddff7201ea229e1f9572c88eecba47304c7.tar.bz2 moa-id-spss-27933ddff7201ea229e1f9572c88eecba47304c7.zip |
fix possible DoS Bug
Diffstat (limited to 'id')
-rw-r--r-- | id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java index fed968443..62a168ac8 100644 --- a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java +++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java @@ -28,6 +28,7 @@ import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.InputStream; +import java.util.Collections; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; @@ -542,6 +543,7 @@ public class DOMUtils { /** * A convenience method to parse an XML document non validating. + * This method disallow DocType declarations * * @param inputStream The <code>InputStream</code> containing the XML * document. @@ -552,10 +554,16 @@ public class DOMUtils { * parser. */ public static Element parseXmlNonValidating(InputStream inputStream) - throws ParserConfigurationException, SAXException, IOException { + throws ParserConfigurationException, SAXException, IOException { return DOMUtils - .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, null) - .getDocumentElement(); + .parseDocument(inputStream, false, Constants.ALL_SCHEMA_LOCATIONS, null, + Collections.unmodifiableMap(new HashMap<String, Object>() { + private static final long serialVersionUID = 1L; + { + put(DOMUtils.DISALLOW_DOCTYPE_FEATURE, true); + + } + })).getDocumentElement(); } /** |