authorBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
committerBianca Schnalzer <bianca.schnalzer@egiz.gv.at>2017-06-23 10:05:35 +0200
commit2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch)
treeca64698b31b478abe7fb5cde97398646f4105699 /BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
parentf31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
parent0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff)
Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'
Manual XXE and SSRF validation
Diffstat (limited to 'BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java')
-rw-r--r--BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java5
1 files changed, 4 insertions, 1 deletions
diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
index 7dd2cd22..d34ead45 100644
--- a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
+++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java
@@ -65,6 +65,7 @@ import at.gv.egiz.bku.slcommands.impl.SLCommandImpl;
import at.gv.egiz.bku.slexceptions.SLCommandException;
import at.gv.egiz.bku.utils.DebugInputStream;
import at.gv.egiz.bku.utils.StreamUtil;
+import at.gv.egiz.dom.DOMUtils;
import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage;
import at.gv.egiz.slbinding.SLUnmarshaller;
@@ -135,7 +136,6 @@ public class DataURLServerServlet extends HttpServlet {
}
SLUnmarshaller slUnmarshaller = new SLUnmarshaller();
-
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setNamespaceAware(true);
dbf.setSchema(slUnmarshaller.getSlSchema());
@@ -153,6 +153,9 @@ public class DataURLServerServlet extends HttpServlet {
"(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e);
}
+ //set XML parser flags to prevent XXE, XEE and SSRF attacks
+ DOMUtils.setXMLParserFlagsAgainstXXEAndSSRFAttacks(dbf);
+
DocumentBuilder documentBuilder;
try {
documentBuilder = dbf.newDocumentBuilder();
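Review bot: The new `DOMUtils.setXMLParserFlagsAgainstXXEAndSSRFAttacks(dbf)` call sits outside the try block that closes just above it, so whether a failure to apply the hardening features is fatal depends entirely on how the helper treats a `ParserConfigurationException`, which this hunk does not show. If the helper only logs, the servlet still reaches `dbf.newDocumentBuilder()` on the following lines and parses the request body with an unhardened factory; the contract a reader needs here is fail-closed, i.e. the request is rejected when any feature cannot be set. I would either let the helper propagate the exception and move the call into the preceding try so the existing error path applies, or pin the contract at the call site with `// must fail closed: the helper throws if any feature cannot be set, so this request is never parsed unhardened`. The enclosing method of DataURLServerServlet begins and ends outside this hunk.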