You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Donald Kwakkel (JIRA)" <ji...@apache.org> on 2015/06/30 09:19:04 UTC
[jira] [Commented] (CXF-6217) JmsPullPoint does not protect against
external entities
[ https://issues.apache.org/jira/browse/CXF-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14607679#comment-14607679 ]
Donald Kwakkel commented on CXF-6217:
-------------------------------------
Can you answer my previous comment?
Also found some more occurences (CXF 3.1.1):
1. org.apache.cxf.jaxrs.ext.xml.XmlSource: XPath xpath = XPathFactory.newInstance().newXPath();
2. org.apache.cxf.jaxrs.provider.XSLTJaxbProvider: factory = (SAXTransformerFactory)TransformerFactory.newInstance();
3. org.apache.cxf.tools.validator.internal.ValidatorUtil : DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
4. org.apache.cxf.tools.common.toolspec.ToolSpec : Transformer trans = TransformerFactory.newInstance().newTransformer(new StreamSource(stylesheet));
5. org.apache.cxf.management.web.browser.bootstrapping.SimpleXMLSettingsStorage: entries = (Entries) unmarshaller.unmarshal(file);
6. org.apache.cxf.tools.validator.internal.SchemaValidator: SAXSource saxSource = new SAXSource(saxParser.getXMLReader(), wsdlsource);
7. org.apache.cxf.tools.wsdlto.core.PluginLoader: return (Plugin) ((JAXBElement<?>)unmarshaller.unmarshal(is)).getValue();
8. org.apache.cxf.transport.http.netty.server.blueprint.NettyHttpServerEngineFactoryHolder: Element element = docFactory.newDocumentBuilder().parse(new ByteArrayInputStream(parsedElement.getBytes())).getDocumentElement();
9. org.apache.cxf.transport.http_jetty.blueprint.JettyHTTPServerEngineFactoryHolder: Element element = docFactory.newDocumentBuilder().parse(new ByteArrayInputStream(parsedElement.getBytes())).getDocumentElement();
10. org.apache.cxf.tools.wsdlto.databinding.jaxb.NamespaceContextImpl: document = docFact.newDocumentBuilder().parse(file);
Do you want a new ticket for this?
> JmsPullPoint does not protect against external entities
> -------------------------------------------------------
>
> Key: CXF-6217
> URL: https://issues.apache.org/jira/browse/CXF-6217
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.0.1
> Reporter: Donald Kwakkel
> Assignee: Daniel Kulp
> Fix For: 3.0.4, 2.7.15
>
>
> I am not sure if this is by design, but the unmarshell below does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.
> JmsPullPoint:
> {code:java}
> protected synchronized List<NotificationMessageHolderType> getMessages(int max)
> throws ResourceUnknownFault, UnableToGetMessagesFault {
> try {
> if (max == 0) {
> max = 256;
> }
> initSession();
> List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
> for (int i = 0; i < max; i++) {
> Message msg = consumer.receiveNoWait();
> if (msg == null) {
> break;
> }
> TextMessage txtMsg = (TextMessage) msg;
> StringReader reader = new StringReader(txtMsg.getText());
> Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
> messages.addAll(notify.getNotificationMessage());
> }
> return messages;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)