From bbe653345bbb5dad2ed2356df6f817dd7de26528 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 23 Jun 2017 11:58:29 +0200 Subject: fix another possible XXE, SSRF problem. INFO: DocTypes are disabled by default for all XML content that should be signed with mocca!!! Consequently, XML and XAdES signatures for XML documents that contains a DocType declaration is not possible any more. If DocType declarations are absolutely necessary than this feature can be skipped by set the Java System-Property "-Degiz.mocca.xades.xml.allow.doctype=true" --- .../java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'bkucommon/src/main/java/at/gv/egiz/bku') diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java index c838b24b..c3c2f14c 100644 --- a/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java +++ b/bkucommon/src/main/java/at/gv/egiz/bku/slcommands/impl/xsect/Signature.java @@ -73,6 +73,7 @@ import org.w3c.dom.ls.LSException; import org.w3c.dom.ls.LSInput; import org.w3c.dom.ls.LSOutput; import org.w3c.dom.ls.LSParser; +import org.w3c.dom.ls.LSParserFilter; import org.w3c.dom.ls.LSResourceResolver; import org.w3c.dom.ls.LSSerializer; @@ -104,6 +105,8 @@ import at.gv.egiz.xades.QualifyingPropertiesFactory; public class Signature { public static final String XMLDSIG_PREFIX = "dsig"; + public static final String SYSTEM_PROPERTY_ALLOW_DOCTYPES = "egiz.mocca.xades.xml.allow.doctype"; + /** * Logging facility. */ @@ -899,7 +902,12 @@ public class Signature { LSResourceResolverAdapter resourceResolver = new LSResourceResolverAdapter(supplements); domConfig.setParameter("resource-resolver", resourceResolver); domConfig.setParameter("validate", Boolean.TRUE); - + + //Disallow DocTypes per default + String docTypeFlagString = System.getProperty(SYSTEM_PROPERTY_ALLOW_DOCTYPES, String.valueOf(Boolean.FALSE)); + boolean docTypeFlag = Boolean.parseBoolean(docTypeFlagString.toLowerCase()); + domConfig.setParameter("disallow-doctype", !docTypeFlag); + Document doc; try { doc = parser.parse(input); -- cgit v1.2.3