You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@accumulo.apache.org by el...@apache.org on 2016/12/11 21:56:19 UTC

[2/6] accumulo git commit: ACCUMULO-4534 Disable external entities in SAX parser

ACCUMULO-4534 Disable external entities in SAX parser

Closes apache/accumulo#192


Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo
Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/3bd701b8
Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/3bd701b8
Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/3bd701b8

Branch: refs/heads/1.8
Commit: 3bd701b883492f06766631af30e7b08f14d3454c
Parents: 47b57f7
Author: Josh Elser <el...@apache.org>
Authored: Thu Dec 8 22:44:09 2016 -0500
Committer: Josh Elser <el...@apache.org>
Committed: Sun Dec 11 16:15:39 2016 -0500

----------------------------------------------------------------------
 .../java/org/apache/accumulo/server/util/RestoreZookeeper.java    | 3 +++
 1 file changed, 3 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/accumulo/blob/3bd701b8/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java b/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
index 8da1ce9..b30ccfb 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
@@ -118,6 +118,9 @@ public class RestoreZookeeper {
     }
 
     SAXParserFactory factory = SAXParserFactory.newInstance();
+    // Prevent external entities by failing on any doctypes. We don't expect any doctypes, so this
+    // is a simple switch to remove any chance of external entities causing problems.
+    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
     SAXParser parser = factory.newSAXParser();
     parser.parse(in, new Restore(ZooReaderWriter.getInstance(), opts.overwrite));
     in.close();