From b9dbd4eed6cb0615a883de2e871e849fb32f1258 Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Tue, 1 Apr 2014 13:34:52 +0200
Subject: update Axis to axis-1.0_IAIK_1.1.jar
- solve problems with possible XML External Entity (XXE) attacks
- DocType Declarations are not allowed in axis-1.0_IAIK_1.1.jar
---
 .../java/at/gv/egovernment/moa/util/DOMUtils.java | 5 +++++
 pom.xml | 2 +-
 .../axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar | Bin 0 -> 1095327 bytes
 .../axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom | 7 +++++++
 4 files changed, 13 insertions(+), 1 deletion(-)
 create mode 100644 repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar
 create mode 100644 repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 102d3a31f..2b816ed4c 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -115,6 +115,8 @@ public class DOMUtils {
 private static final String EXTERNAL_PARAMETER_ENTITIES_FEATURE =
 "http://xml.org/sax/features/external-parameter-entities";
+ private static final String DISALLOW_DOCTYPE_FEATURE =
+ "http://apache.org/xml/features/disallow-doctype-decl";
@@ -514,6 +516,9 @@ public class DOMUtils {
 parser.setFeature(NAMESPACES_FEATURE, true);
 parser.setFeature(VALIDATION_FEATURE, true);
 parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
+ parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
+ parser.setFeature(DISALLOW_DOCTYPE_FEATURE, true);
+
 if (externalSchemaLocations != null) {
 parser.setProperty(
diff --git a/pom.xml b/pom.xml
index b8e1bc1df..90284c712 100644
--- a/pom.xml
+++ b/pom.xml
@@ -112,7 +112,7 @@
 axis
 axis
- 1.0_IAIK
+ 1.0_IAIK_1.1
 compile
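Review bot: The new `DISALLOW_DOCTYPE_FEATURE` constant is added without a comment, although its effect is stronger than that of the neighbouring entity-feature constants: it is an Apache Xerces-specific feature id that makes the parser reject any document carrying a DOCTYPE declaration outright, rather than merely skipping external entities. A one-line comment above the declaration, `// Xerces-specific: reject any <!DOCTYPE ...> outright (closes DTD-based XXE and entity-expansion vectors)`, would tell the next maintainer why this feature was chosen and that it is not portable to other SAX implementations. Whether the sibling constants carry Javadoc is outside the hunk, so match whatever style they use.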
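Review bot: The added hardening leaves `EXTERNAL_PARAMETER_ENTITIES_FEATURE` — a constant this class already declares, visible as context in the first hunk — unset in this block, so keeping parameter entities out rests solely on the DOCTYPE ban; unless it is switched off in the part of the method outside this hunk, add `parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);` next to the general-entities line so the protection survives if the DOCTYPE ban is ever relaxed for some caller. The two new calls also deserve a why-comment, because `disallow-doctype-decl` is a Xerces-specific feature and, as far as I recall its semantics, turns any `<!DOCTYPE>` into a fatal parse error for every caller of this method: `// XXE hardening: never resolve external entities, and reject any DOCTYPE outright (Xerces feature; a DOCTYPE now fails the parse)`. Since validation stays enabled (`VALIDATION_FEATURE`, `SCHEMA_VALIDATION_FEATURE`) and external schema locations are still passed in below, schema documents are presumably still fetched, so the entity-resolver side of this method remains worth a look. The enclosing method starts and ends outside the hunk.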
diff --git a/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar
new file mode 100644
index 000000000..7aefe85c1
Binary files /dev/null and b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.jar differ
diff --git a/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom
new file mode 100644
index 000000000..5aa7bc508
--- /dev/null
+++ b/repository/axis/axis/1.0_IAIK_1.1/axis-1.0_IAIK_1.1.pom
@@ -0,0 +1,7 @@
+
+ 4.0.0
+ axis
+ axis
+ 1.0_IAIK_1.1
+ AXIS 1.0 patched(1.1) (XXE attacks)
+
--
cgit v1.2.3