From b9dbd4eed6cb0615a883de2e871e849fb32f1258 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <tlenz@iaik.tugraz.at>
Date: Tue, 1 Apr 2014 13:34:52 +0200
Subject: update Axis to axis-1.0_IAIK_1.1.jar   - solve problems with possible
 XML External Entity (XXE) attacks   - DocType Declarations are not allowed in
 axis-1.0_IAIK_1.1.jar

---
 .../java/at/gv/egovernment/moa/util/DOMUtils.java     |   5 +++++
 pom.xml                                               |   2 +-
 .../axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar      | Bin 0 -> 1095327 bytes
 .../axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom      |   7 +++++++
 4 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar
 create mode 100644 repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom

diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 102d3a31f..2b816ed4c 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -115,6 +115,8 @@ public class DOMUtils {
   private static final String EXTERNAL_PARAMETER_ENTITIES_FEATURE =
 	  "http://xml.org/sax/features/external-parameter-entities";
   
+  private static final String DISALLOW_DOCTYPE_FEATURE =
+		  "http://apache.org/xml/features/disallow-doctype-decl";
   
   
   
@@ -514,6 +516,9 @@ public class DOMUtils {
     parser.setFeature(NAMESPACES_FEATURE, true);
     parser.setFeature(VALIDATION_FEATURE, true);
     parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
+    parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
+    parser.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
+    
     
     if (externalSchemaLocations != null) {
       parser.setProperty(
diff --git a/pom.xml b/pom.xml
index b8e1bc1df..90284c712 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,7 +112,7 @@
             <dependency>
                 <groupId>axis</groupId>
                 <artifactId>axis</artifactId>
-                <version>1.0_IAIK</version>                
+                <version>1.0_IAIK_1.1</version>                
                 <scope>compile</scope>
             </dependency>
             <dependency>
diff --git a/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar
new file mode 100644
index 000000000..7aefe85c1
Binary files /dev/null and b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar differ
diff --git a/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom
new file mode 100644
index 000000000..5aa7bc508
--- /dev/null
+++ b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?><project>
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>axis</groupId>
+  <artifactId>axis</artifactId>
+  <version>1.0_IAIK_1.1</version>
+  <description>AXIS 1.0 patched(1.1) (XXE attacks)</description>
+</project>
-- 
cgit v1.2.3