You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Donald Kwakkel (JIRA)" <ji...@apache.org> on 2017/09/05 12:06:00 UTC
[jira] [Created] (AXIS2-5878) ValidateXMLFile.java:55 (XML External
Entity Injection)
Donald Kwakkel created AXIS2-5878:
-------------------------------------
Summary: ValidateXMLFile.java:55 (XML External Entity Injection)
Key: AXIS2-5878
URL: https://issues.apache.org/jira/browse/AXIS2-5878
Project: Axis2
Issue Type: Bug
Components: jaxws
Affects Versions: 1.7.6
Reporter: Donald Kwakkel
Priority: Critical
XML parser configured in ValidateXMLFile.java:55 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.
Proposed solution: Always disable external entities when creating a DocumentBuilderFactory:
{code:java}
public static DocumentBuilderFactory createDocumentBuilderFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
try {
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
}
catch (ParserConfigurationException e) {
throw new IllegalStateException(e);
}
return factory;
}
{code}
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org