Posted to issues@cxf.apache.org by "Donald Kwakkel (JIRA)" <ji...@apache.org> on 2015/01/22 16:35:36 UTC
[jira] [Commented] (CXF-6217) JmsPullPoint does not protect against external entities
[ https://issues.apache.org/jira/browse/CXF-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14287615#comment-14287615 ]
Donald Kwakkel commented on CXF-6217:
-------------------------------------
Found more unmarshal occurrences which seem not to be protected against external entity injection, e.g. in JmsSubscription and AtomPojoProvider.
> JmsPullPoint does not protect against external entities
> -------------------------------------------------------
>
> Key: CXF-6217
> URL: https://issues.apache.org/jira/browse/CXF-6217
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.0.1
> Reporter: Donald Kwakkel
>
> I am not sure if this is by design, but the unmarshal below does not prevent or limit external entity resolution. This can expose the parser to an XML External Entities attack.
> JmsPullPoint:
> protected synchronized List<NotificationMessageHolderType> getMessages(int max)
>         throws ResourceUnknownFault, UnableToGetMessagesFault {
>     try {
>         if (max == 0) {
>             max = 256;
>         }
>         initSession();
>         List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
>         for (int i = 0; i < max; i++) {
>             Message msg = consumer.receiveNoWait();
>             if (msg == null) {
>                 break;
>             }
>             TextMessage txtMsg = (TextMessage) msg;
>             StringReader reader = new StringReader(txtMsg.getText());
>             Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
>             messages.addAll(notify.getNotificationMessage());
>         }
>         return messages;
>     }
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
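As an added illustration of the fix the report asks for (not CXF's own code, nor the reporter's), the hardened form feeds JAXB a StAX reader whose factory has DTD support and external entity resolution switched off, instead of unmarshalling the raw message text. The `Notify` class and `unmarshalSafely` helper are constructed stand-ins; it assumes javax.xml.bind (JAXB 2.x, bundled with Java 8; a jaxb-api dependency on newer JDKs).

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
public final class SafeJmsUnmarshal {
    // Constructed stand-in for the WS-Notification Notify type (the real class is schema-generated).
    @XmlRootElement(name = "Notify")
    public static class Notify {
        @XmlElement(name = "NotificationMessage")
        public String notificationMessage;
    }
    // One shared, hardened StAX factory: no DTD processing and no external entity expansion.
    private static final XMLInputFactory SAFE_FACTORY = XMLInputFactory.newInstance();
    static {
        SAFE_FACTORY.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        SAFE_FACTORY.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    }
    // Replacement for unmarshal(new StringReader(txtMsg.getText())): JAXB reads from a
    // StAX reader that cannot resolve entities instead of parsing the raw string itself.
    public static <T> T unmarshalSafely(JAXBContext ctx, Class<T> type, String xml)
            throws JAXBException, XMLStreamException {
        XMLStreamReader reader = SAFE_FACTORY.createXMLStreamReader(new StringReader(xml));
        try {
            return ctx.createUnmarshaller().unmarshal(reader, type).getValue();
        } finally {
            reader.close();
        }
    }
    public static void main(String[] args) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Notify.class);
        // Constructed benign message: unmarshals normally.
        String benign = "<Notify><NotificationMessage>hello</NotificationMessage></Notify>";
        System.out.println("benign -> " + unmarshalSafely(ctx, Notify.class, benign).notificationMessage);
        // Constructed message with a DOCTYPE, the construct every XXE payload depends on: rejected.
        String withDoctype = "<!DOCTYPE Notify [<!ENTITY x \"v\">]>"
                + "<Notify><NotificationMessage>&x;</NotificationMessage></Notify>";
        try {
            unmarshalSafely(ctx, Notify.class, withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (JAXBException | XMLStreamException e) {
            System.out.println("rejected as expected: " + e.getClass().getSimpleName());
        }
    }
}
```

The same factory can be reused wherever the comment above lists further unprotected unmarshal calls; the exact exception type depends on the StAX implementation on the classpath (the JDK parser or Woodstox), but both refuse the entity reference.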