From b9dbd4eed6cb0615a883de2e871e849fb32f1258 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Tue, 1 Apr 2014 13:34:52 +0200 Subject: update Axis to axis-1.0_IAIK_1.1.jar - solve problems with possible XML External Entity (XXE) attacks - DocType Declarations are not allowed in axis-1.0_IAIK_1.1.jar --- common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'common/src/main/java/at/gv/egovernment/moa') diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java index 102d3a31f..2b816ed4c 100644 --- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java +++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java @@ -115,6 +115,8 @@ public class DOMUtils { private static final String EXTERNAL_PARAMETER_ENTITIES_FEATURE = "http://xml.org/sax/features/external-parameter-entities"; + private static final String DISALLOW_DOCTYPE_FEATURE = + "http://apache.org/xml/features/disallow-doctype-decl"; @@ -514,6 +516,9 @@ public class DOMUtils { parser.setFeature(NAMESPACES_FEATURE, true); parser.setFeature(VALIDATION_FEATURE, true); parser.setFeature(SCHEMA_VALIDATION_FEATURE, true); + parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false); + parser.setFeature(DISALLOW_DOCTYPE_FEATURE, true); + if (externalSchemaLocations != null) { parser.setProperty( -- cgit v1.2.3