From 0603c0fbdfe028113431c65590b6e7e28929f6f6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 23 Jun 2017 06:50:14 +0200 Subject: some small refactoring and code documentation --- .../java/at/gv/egiz/mocca/id/DataURLServerServlet.java | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) (limited to 'BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java') diff --git a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java index 37889ae5..d34ead45 100644 --- a/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java +++ b/BKUOnline/src/main/java/at/gv/egiz/mocca/id/DataURLServerServlet.java @@ -65,6 +65,7 @@ import at.gv.egiz.bku.slcommands.impl.SLCommandImpl; import at.gv.egiz.bku.slexceptions.SLCommandException; import at.gv.egiz.bku.utils.DebugInputStream; import at.gv.egiz.bku.utils.StreamUtil; +import at.gv.egiz.dom.DOMUtils; import at.gv.egiz.org.apache.tomcat.util.http.AcceptLanguage; import at.gv.egiz.slbinding.SLUnmarshaller; @@ -152,18 +153,9 @@ public class DataURLServerServlet extends HttpServlet { "(see http://www.w3.org/TR/xmldsig-bestpractices/#be-aware-schema-normalization)", e); } - try { - dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); - dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); - dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); - dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); - - } catch (ParserConfigurationException e) { - log.error("Can NOT set SAX parser security features. -> XML parsing is possible insecure!!!! ", e); - - } - - + //set XML parser flags to prevent XXE, XEE and SSRF attacks + DOMUtils.setXMLParserFlagsAgainstXXEAndSSRFAttacks(dbf); + DocumentBuilder documentBuilder; try { documentBuilder = dbf.newDocumentBuilder(); -- cgit v1.2.3