From 1dab39c10271ef55d94b6d73955d89abfd48cd8e Mon Sep 17 00:00:00 2001
From: Thomas Lenz
Date: Thu, 4 Feb 2016 15:23:08 +0100
Subject: fix XXE DDoS problem in MOA-SPSS
---
 common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'common/src')
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 2b816ed4c..0a07fc4a7 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -246,6 +246,10 @@ public class DOMUtils {
 parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false);
 parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
 parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
+
+//fix XXE problem
+parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
 if (validating) {
 if (externalSchemaLocations != null) {
-- 
cgit v1.2.3
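Review bot: The new `disallow-doctype-decl` feature is passed as a bare string literal while the three sibling features on the lines just above it go through named constants, and the `//fix XXE problem` comment does not say what the feature actually changes. I would add a constant next to the existing ones, `private static final String DISALLOW_DOCTYPE_DECL_FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";`, and write the call as `parser.setFeature(DISALLOW_DOCTYPE_DECL_FEATURE, true);`. The comment should state the security rationale: rejecting any DOCTYPE is what stops internal entity expansion (the "DDoS" in the subject line), which the two external-entities features above cannot prevent on their own, and it also removes the external-entity vector. It should also record the behavioural consequence that any input carrying a DOCTYPE now fails with a fatal parse error, so callers relying on DTD-bearing documents must be checked; since this hunk only covers one parser set-up path, any other parsing entry point in DOMUtils presumably still needs the same feature. The enclosing method starts and ends outside the hunk.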