From 64bbeb4c3326ca9f99840f2a9f0c5cb59a87ad92 Mon Sep 17 00:00:00 2001
From: tlenz <thomas.lenz@egiz.gv.at>
Date: Tue, 27 Jun 2017 10:40:58 +0200
Subject: add Xerces SecurityManager

---
 .../java/at/gv/egovernment/moaspss/util/DOMUtils.java  | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java
index c5550ad..2a907e7 100644
--- a/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java
+++ b/moaSig/common/src/main/java/at/gv/egovernment/moaspss/util/DOMUtils.java
@@ -48,9 +48,11 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 
+import org.apache.xerces.impl.Constants;
 import org.apache.xerces.parsers.DOMParser;
 import org.apache.xerces.parsers.SAXParser;
 import org.apache.xerces.parsers.XMLGrammarPreparser;
+import org.apache.xerces.util.SecurityManager;
 import org.apache.xerces.util.SymbolTable;
 import org.apache.xerces.util.XMLGrammarPoolImpl;
 import org.apache.xerces.xni.grammars.XMLGrammarDescription;
@@ -118,6 +120,9 @@ public class DOMUtils {
   private static final String DISALLOW_DOCTYPE_FEATURE =
 		  "http://apache.org/xml/features/disallow-doctype-decl";
   
+  //Security Manager feature for XERCES XML parser
+  private static final String SECURITY_MANAGER =
+	        Constants.XERCES_PROPERTY_PREFIX + Constants.SECURITY_MANAGER_PROPERTY;
   
   
   /** Property URI for the Xerces grammar pool. */
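Review bot: The new constant at the `SECURITY_MANAGER` declaration is documented with a plain `//` line that calls it a "feature", while it is built from `Constants.XERCES_PROPERTY_PREFIX` and set via `setProperty`, and the sibling constants in this hunk use Javadoc. I would replace the comment with `/** Property URI for the Xerces {@code SecurityManager} that bounds entity expansion during parsing. */` so it reads like the neighbouring `DISALLOW_DOCTYPE_FEATURE` and grammar-pool entries. The enclosing class `DOMUtils` starts and ends outside this hunk.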
@@ -236,6 +241,8 @@ public class DOMUtils {
       parser = new DOMParser();
     }
     
+    
+    
     // set parser features and properties
     try {
 	    parser.setFeature(NAMESPACES_FEATURE, true);
@@ -247,6 +254,9 @@ public class DOMUtils {
 	    parser.setFeature(EXTERNAL_GENERAL_ENTITIES_FEATURE, false);
 	    parser.setFeature(EXTERNAL_PARAMETER_ENTITIES_FEATURE, false);
 	    
+	    SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager();
+	    parser.setProperty(SECURITY_MANAGER, xmlParserSecManager);
+	    
 	    //fix XXE problem
 	    //parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 	    
@@ -324,7 +334,10 @@ public class DOMUtils {
     parser.setFeature(NORMALIZED_VALUE_FEATURE, false);
     parser.setFeature(INCLUDE_IGNORABLE_WHITESPACE_FEATURE, true);
     parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false);
-		
+	
+    SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager();
+    parser.setProperty(SECURITY_MANAGER, xmlParserSecManager);
+    
     parser.parse(new InputSource(inputStream));
     
     return parser.getDocument();
@@ -591,6 +604,9 @@ public class DOMUtils {
     parser.setFeature(VALIDATION_FEATURE, true);
     parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
     
+    SecurityManager xmlParserSecManager = new org.apache.xerces.util.SecurityManager();
+    parser.setProperty(SECURITY_MANAGER, xmlParserSecManager);
+    
     if (externalSchemaLocations != null) {
       parser.setProperty(
         EXTERNAL_SCHEMA_LOCATION_PROPERTY,
-- 
cgit v1.2.3