summaryrefslogtreecommitdiff
path: root/BKUViewer
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-22 14:26:15 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-22 14:26:15 +0200
commit345a8534ff39cc9550cbacabe2b3fffe20293508 (patch)
tree67c2deb3c10d00ecb758a162c4ff88221b7e3741 /BKUViewer
parentf31c5c8e557b611ff4f5e43443975fb08a202863 (diff)
downloadmocca-345a8534ff39cc9550cbacabe2b3fffe20293508.tar.gz
mocca-345a8534ff39cc9550cbacabe2b3fffe20293508.tar.bz2
mocca-345a8534ff39cc9550cbacabe2b3fffe20293508.zip
implement a workaround to fix XXE and SSRF problems in an old XMLStreamParser implementation of a third party library
Diffstat (limited to 'BKUViewer')
-rw-r--r--BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java11
1 files changed, 11 insertions, 0 deletions
diff --git a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
index fe48eefa..95d2b78c 100644
--- a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
+++ b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
@@ -139,6 +139,16 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator {
spf.setValidating(true);
spf.setXIncludeAware(false);
+ try {
+ spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+ } catch (Exception e) {
+ log.error("Can NOT set SAX parser security features. -> XML parsing is possible insecure!!!! ", e);
+
+ }
+
SAXParser parser;
try {
parser = spf.newSAXParser();
@@ -150,6 +160,7 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator {
throw new RuntimeException("Failed to create SLXHTML parser.", e);
}
+
InputSource source;
if (charset != null) {
source = new InputSource(new InputStreamReader(is, charset));