Posted to commits@syncope.apache.org by co...@apache.org on 2019/10/11 12:07:03 UTC
[syncope] branch 2_1_X updated: Disallow Doctypes for
SAXParserFactory
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 2_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/2_1_X by this push:
new 410eeb3 Disallow Doctypes for SAXParserFactory
410eeb3 is described below
commit 410eeb3607f16cb2aa79ede7e44bb1bb662beea2
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 11 11:35:34 2019 +0100
Disallow Doctypes for SAXParserFactory
---
.../apache/syncope/core/persistence/jpa/content/XMLContentLoader.java | 1 +
1 file changed, 1 insertion(+)
diff --git a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
index a209a36..48aaf90 100644
--- a/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
+++ b/core/persistence-jpa/src/main/java/org/apache/syncope/core/persistence/jpa/content/XMLContentLoader.java
@@ -108,6 +108,7 @@ public class XMLContentLoader extends AbstractContentDealer implements ContentLo
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
try (InputStream in = contentXML.getResource().getInputStream()) {
SAXParser parser = factory.newSAXParser();
parser.parse(in, new ContentLoaderHandler(dataSource, ROOT_ELEMENT, true, env));
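Review bot: The added `setFeature` call passes the Xerces feature URI as a bare string literal with no comment, so a reader cannot tell that this line is what makes the loader reject any document carrying a DOCTYPE, which `FEATURE_SECURE_PROCESSING` on the line above does not do by itself. I would add a comment such as `// Reject any DOCTYPE declaration so DTDs and external entities are never processed (XXE hardening)` and hoist the URI into a named constant. `SAXParserFactory.setFeature` throws (`ParserConfigurationException` or `SAXNotRecognizedException`) when the factory implementation does not recognise a feature, so on a parser that is not Xerces-derived content loading would presumably fail rather than run unprotected; that fail-closed behaviour is worth stating in the comment. The two adjacent calls also differ in style (`Boolean.TRUE` versus `true`). The enclosing method begins above the hunk and its try block continues past it, so the exception handling is not visible here.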