diff options
| author | Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> | 2017-06-23 10:05:35 +0200 |
|---|---|---|
| committer | Bianca Schnalzer <bianca.schnalzer@egiz.gv.at> | 2017-06-23 10:05:35 +0200 |
| commit | 2b395988ade78c58e6feaf55bd6ec129cf5f8e6f (patch) | |
| tree | ca64698b31b478abe7fb5cde97398646f4105699 /BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java | |
| parent | f31c5c8e557b611ff4f5e43443975fb08a202863 (diff) | |
| parent | 0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff) | |
| download | mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.gz mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.tar.bz2 mocca-2b395988ade78c58e6feaf55bd6ec129cf5f8e6f.zip | |
Merge branch 'manuell_XXE_and_SSRF_validation' into 'master'
Manuell xxe and ssrf validation
Diffstat (limited to 'BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java')
| -rw-r--r-- | BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java index fe48eefa..6fea75cb 100644 --- a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java +++ b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java @@ -139,6 +139,19 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator { spf.setValidating(true); spf.setXIncludeAware(false); + /* + * Set parser features to disallow external entities and external dtd load operations + */ + try { + spf.setFeature("http://xml.org/sax/features/external-general-entities", false); + spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + + } catch (Exception e) { + log.error("Can NOT set SAX parser security features. -> XML parsing is possible insecure!!!! ", e); + + } + SAXParser parser; try { parser = spf.newSAXParser(); @@ -150,6 +163,7 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator { throw new RuntimeException("Failed to create SLXHTML parser.", e); } + InputSource source; if (charset != null) { source = new InputSource(new InputStreamReader(is, charset)); |