From 06623086e231ef094ec80b65a18b0fe8c8457bb7 Mon Sep 17 00:00:00 2001 From: Andreas Fitzek Date: Thu, 19 Nov 2015 08:45:02 +0100 Subject: XML-Entity Injection in DataUrl Servlet gefixt --- .../src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java') diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java index 5b3fe82a..13c37171 100644 --- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java +++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java @@ -80,6 +80,10 @@ public class DataURLServlet extends HttpServlet { protected void process(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException { try { + if(!PdfAsHelper.checkDataUrlAccess(request)) { + throw new Exception("No valid dataURL access"); + } + PdfAsHelper.setFromDataUrl(request); String xmlResponse = request.getParameter("XMLResponse"); -- cgit v1.2.3
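Review bot: The new `checkDataUrlAccess` guard at the top of `process` restricts who can reach the `XMLResponse` handling, but nothing in this hunk changes how that parameter is parsed, so if the parser (outside the hunk) still accepts DOCTYPE declarations, a request that passes the check could presumably still trigger entity expansion. As defence in depth the parser factory should reject DTDs and external entities; for a `DocumentBuilderFactory` that is `setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`. The rejection is also raised as a bare `Exception` into a `catch` that is not visible here, so it is unclear whether a denied request is logged or answered with a distinct status; a comment such as `// reject before any XMLResponse content is read; parser hardening is still required` above the check would record the intent. The body of `process` continues outside the hunk.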