Posted to xmlrpc-auto@ws.apache.org by jo...@apache.org on 2010/02/04 11:10:08 UTC
svn commit: r906432 - in /webservices/xmlrpc/trunk:
common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java pom.xml
src/changes/changes.xml
Author: jochen
Date: Thu Feb 4 10:10:07 2010
New Revision: 906432
URL: http://svn.apache.org/viewvc?rev=906432&view=rev
Log:
Fixed a potential security issue: The client has been able to include server side resources into the request by using external entities.
Submitted-by: Johan Hägre <jo...@home.se>
Modified:
webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
webservices/xmlrpc/trunk/pom.xml
webservices/xmlrpc/trunk/src/changes/changes.xml
Modified: webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java?rev=906432&r1=906431&r2=906432&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java (original)
+++ webservices/xmlrpc/trunk/common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java Thu Feb 4 10:10:07 2010
@@ -34,6 +34,20 @@
spf = SAXParserFactory.newInstance();
spf.setNamespaceAware(true);
spf.setValidating(false);
+ try {
+ spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ } catch (javax.xml.parsers.ParserConfigurationException e) {
+ // Ignore it
+ } catch (org.xml.sax.SAXException e) {
+ // Ignore it
+ }
+ try {
+ spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ } catch (javax.xml.parsers.ParserConfigurationException e) {
+ // Ignore it
+ } catch (org.xml.sax.SAXException e) {
+ // Ignore it
+ }
}
/** Creates a new instance of {@link XMLReader}.
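Review bot: All four `// Ignore it` catch blocks swallow the failure, so on a SAX implementation that rejects either feature the hardening silently does not apply and external entity resolution stays enabled with no trace in any log; a security fix that can fail without notice is hard to verify in a deployment. The failure should at least be reported, and for the two mandatory features failing closed is the safer default, since an XML-RPC endpoint has no legitimate need for external entities. The change also still accepts a DOCTYPE, so internal entity expansion inside an inline DTD subset (an input-size amplification the two disabled features do not stop) is still processed; `http://apache.org/xml/features/disallow-doctype-decl` set to true is presumably the stronger setting but is parser-specific, so it is only safe to ignore a `SAXNotRecognizedException` for that one — confirm against the parsers the project supports. The enclosing initializer starts before this hunk; the sketch below replaces only the feature-setting lines.
```java
// … unchanged: spf = SAXParserFactory.newInstance(); setNamespaceAware(true); setValidating(false) …
String[] mandatoryOff = {
    "http://xml.org/sax/features/external-general-entities",
    "http://xml.org/sax/features/external-parameter-entities",
    "http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (int i = 0; i < mandatoryOff.length; i++) {
    try {
        spf.setFeature(mandatoryOff[i], false);
    } catch (javax.xml.parsers.ParserConfigurationException e) {
        // Fail closed: a parser that cannot disable external entities must not be used unnoticed.
        throw new IllegalStateException("Unable to disable SAX feature " + mandatoryOff[i], e);
    } catch (org.xml.sax.SAXException e) {
        throw new IllegalStateException("Unable to disable SAX feature " + mandatoryOff[i], e);
    }
}
try {
    // Optional, Xerces-specific: reject any DOCTYPE, which also stops inline entity expansion.
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
} catch (org.xml.sax.SAXNotRecognizedException e) {
    // Feature unknown to this parser; the mandatory settings above still apply.
} catch (javax.xml.parsers.ParserConfigurationException e) {
    throw new IllegalStateException("Unable to set disallow-doctype-decl", e);
} catch (org.xml.sax.SAXException e) {
    throw new IllegalStateException("Unable to set disallow-doctype-decl", e);
}
```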
Modified: webservices/xmlrpc/trunk/pom.xml
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/pom.xml?rev=906432&r1=906431&r2=906432&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/pom.xml (original)
+++ webservices/xmlrpc/trunk/pom.xml Thu Feb 4 10:10:07 2010
@@ -187,6 +187,10 @@
<email>markg@nortel.com</email>
</contributor>
<contributor>
+ <name>Johan Hôgre</name>
+ <email>johan.hagre@home.se</email>
+ </contributor>
+ <contributor>
<name>Catalin Hritcu</name>
<email>Catalin.Hritcu@gmail.com</email>
</contributor>
Modified: webservices/xmlrpc/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/webservices/xmlrpc/trunk/src/changes/changes.xml?rev=906432&r1=906431&r2=906432&view=diff
==============================================================================
--- webservices/xmlrpc/trunk/src/changes/changes.xml (original)
+++ webservices/xmlrpc/trunk/src/changes/changes.xml Thu Feb 4 10:10:07 2010
@@ -37,6 +37,10 @@
<action dev="jochen" type="add" due-to="Gam" due-to-email="gamaliel@fastmail.fm">
Added support for configured timeouts to the XmlRpcSun15HttpTransport class.
</action>
+ <action dev="jochen" type="fix" due-to="Johan Hôgre" due-to-email="johan.hagre@home.se">
+ Fixed a potential security hole: The client has been able to include server side resources
+ into the request by using external entities.
+ </action>
</release>
<release version="3.1.2" date="2009-Apr-19">