summaryrefslogtreecommitdiff
path: root/bkucommon/src/main/java
diff options
context:
space:
mode:
authorThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-23 11:58:29 +0200
committerThomas Lenz <thomas.lenz@egiz.gv.at>2017-06-23 11:58:29 +0200
commitbbe653345bbb5dad2ed2356df6f817dd7de26528 (patch)
tree1dfb88505f1871e2816513676a03b58db2e00046 /bkucommon/src/main/java
parent0603c0fbdfe028113431c65590b6e7e28929f6f6 (diff)
downloadmocca-bbe653345bbb5dad2ed2356df6f817dd7de26528.tar.gz
mocca-bbe653345bbb5dad2ed2356df6f817dd7de26528.tar.bz2
mocca-bbe653345bbb5dad2ed2356df6f817dd7de26528.zip
fix another possible XXE, SSRF problem.
INFO: DocTypes are disabled by default for all XML content that should be signed with mocca!!! Consequently, XML and XAdES signatures for XML documents that contains a DocType declaration is not possible any more. If DocType declarations are absolutely necessary than this feature can be skipped by set the Java System-Property "-Degiz.mocca.xades.xml.allow.doctype=true"
Diffstat (limited to 'bkucommon/src/main/java')
-rw-r--r--bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java10
1 files changed, 9 insertions, 1 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java
index c838b24b..c3c2f14c 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java
@@ -73,6 +73,7 @@ import org.w3c.dom.ls.LSException;
import org.w3c.dom.ls.LSInput;
import org.w3c.dom.ls.LSOutput;
import org.w3c.dom.ls.LSParser;
+import org.w3c.dom.ls.LSParserFilter;
import org.w3c.dom.ls.LSResourceResolver;
import org.w3c.dom.ls.LSSerializer;
@@ -104,6 +105,8 @@ import at.gv.egiz.xades.QualifyingPropertiesFactory;
public class Signature {
public static final String XMLDSIG_PREFIX = "dsig";
+ public static final String SYSTEM_PROPERTY_ALLOW_DOCTYPES = "egiz.mocca.xades.xml.allow.doctype";
+
/**
* Logging facility.
*/
@@ -899,7 +902,12 @@ public class Signature {
LSResourceResolverAdapter resourceResolver = new LSResourceResolverAdapter(supplements);
domConfig.setParameter("resource-resolver", resourceResolver);
domConfig.setParameter("validate", Boolean.TRUE);
-
+
+ //Disallow DocTypes per default
+ String docTypeFlagString = System.getProperty(SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.FALSE));
+ boolean docTypeFlag = Boolean.parseBoolean(docTypeFlagString.toLowerCase());
+ domConfig.setParameter("disallow-doctype", !docTypeFlag);
+
Document doc;
try {
doc = parser.parse(input);