Posted to commits@karaf.apache.org by jb...@apache.org on 2020/12/02 08:30:07 UTC
[karaf] branch master updated: [KARAF-6923] Avoid XML entity
injection in several locations
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/master by this push:
new b2d5a99 [KARAF-6923] Avoid XML entity injection in several locations
new 29d02c2 Merge pull request #1257 from jbonofre/KARAF-6923
b2d5a99 is described below
commit b2d5a9993f71bbaeafa980dfb86bf431910715f4
Author: jbonofre <jb...@apache.org>
AuthorDate: Wed Nov 25 14:04:39 2020 +0100
[KARAF-6923] Avoid XML entity injection in several locations
---
.../org/apache/karaf/bundle/core/internal/MavenConfigService.java | 5 ++++-
.../apache/karaf/deployer/features/FeatureDeploymentListener.java | 2 ++
.../org/apache/karaf/deployer/spring/SpringDeploymentListener.java | 2 ++
.../features/internal/service/FeaturesProcessingSerializer.java | 5 ++++-
.../src/main/java/org/apache/karaf/tooling/AssemblyMojo.java | 2 ++
5 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java b/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
index 3227385..fce7070 100644
--- a/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
+++ b/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
@@ -86,7 +86,10 @@ public class MavenConfigService {
private static String getLocalRepositoryFromSettings(File file) {
XMLStreamReader reader = null;
try (InputStream fin = new FileInputStream(file)) {
- reader = XMLInputFactory.newFactory().createXMLStreamReader(fin);
+ XMLInputFactory factory = XMLInputFactory.newFactory();
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ reader = factory.createXMLStreamReader(fin);
int event;
String elementName = null;
while ((event = reader.next()) != XMLStreamConstants.END_DOCUMENT) {
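Review bot: The two new `factory.setProperty(...)` lines carry no comment saying why they exist, and the identical pair is pasted into the other four files of this commit (FeatureDeploymentListener, SpringDeploymentListener, FeaturesProcessingSerializer, AssemblyMojo), so the next StAX reader added to the code base will most likely copy `XMLInputFactory.newFactory()` without them. I would add one line above the pair, `// KARAF-6923: harden against XXE — no DTD processing, no external entity resolution`, and consider a small shared helper such as a static `newSecureXMLInputFactory()` in a common utility that returns a factory with both properties already set, so the five call sites cannot drift apart. getLocalRepositoryFromSettings continues past the end of the hunk, so whether `reader` is closed on the normal path is not visible here.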
diff --git a/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java b/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java
index 5c4c7ee..7f78493 100644
--- a/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java
+++ b/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java
@@ -265,6 +265,8 @@ public class FeatureDeploymentListener implements ArtifactUrlTransformer, Bundle
private QName getRootElementName(File artifact) throws Exception {
if (xif == null) {
xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
}
try (InputStream is = new FileInputStream(artifact)) {
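Review bot: The field is assigned at `xif = XMLInputFactory.newFactory();` before the two new `setProperty` calls run, so if either call throws (a provider rejecting the property would raise IllegalArgumentException; the StAX spec requires both properties, so this is unlikely, but it is cheap to close), the method exits yet the `xif == null` check on the next call is already satisfied and every later parse uses the cached, unhardened factory. Configuring a local and publishing it to the field last keeps the failure fail-closed; SpringDeploymentListener has the same order at `factory = XMLInputFactory.newInstance();`. The lazy initialisation is also unsynchronised, but that predates this change. getRootElementName continues past the end of the hunk.
```java
if (xif == null) {
    XMLInputFactory configured = XMLInputFactory.newFactory();
    configured.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    configured.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    configured.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
    xif = configured; // publish the factory only once it is fully hardened
}
// … unchanged: try-with-resources over the artifact stream …
```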
diff --git a/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java b/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java
index d49ba74..0953f66 100644
--- a/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java
+++ b/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java
@@ -71,6 +71,8 @@ public class SpringDeploymentListener implements ArtifactUrlTransformer {
try {
if (factory == null) {
factory = XMLInputFactory.newInstance();
+ factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
}
in = new FileInputStream(artifact);
parser = factory.createXMLEventReader(in);
diff --git a/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java b/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java
index 2182382..a92e825 100644
--- a/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java
+++ b/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java
@@ -162,7 +162,10 @@ public class FeaturesProcessingSerializer {
Properties props = new Properties();
props.load(getClass().getResourceAsStream("feature-processing-comments.properties"));
- XMLEventReader xmlEventReader = XMLInputFactory.newFactory().createXMLEventReader(new ByteArrayInputStream(baos.toByteArray()));
+ XMLInputFactory factory = XMLInputFactory.newFactory();
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ XMLEventReader xmlEventReader = factory.createXMLEventReader(new ByteArrayInputStream(baos.toByteArray()));
XMLEventWriter xmlEventWriter = new IndentingXMLEventWriter(XMLOutputFactory.newFactory().createXMLEventWriter(writer), " ");
XMLEventFactory evFactory = XMLEventFactory.newFactory();
int depth = 0;
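Review bot: The hardened reader at `factory.createXMLEventReader(new ByteArrayInputStream(baos.toByteArray()))` consumes bytes that, from the visible lines, appear to be XML this class produced itself a few lines earlier rather than external input, so here the two properties are defense in depth rather than the closing of an entry point; a comment saying so stops a later maintainer from either removing them as redundant or assuming this is where untrusted feature-processing files are parsed. Suggested: `// Input is our own marshalled output; DTD/external-entity hardening kept for consistency with the other StAX readers (KARAF-6923).` The stream returned by `getClass().getResourceAsStream(...)` on the line above is never closed and `props.load` would throw NullPointerException if the resource were missing, but that predates this change. The enclosing method starts and ends outside the hunk.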
diff --git a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java
index 7a80f85..62f2592 100644
--- a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java
+++ b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java
@@ -832,6 +832,8 @@ public class AssemblyMojo extends MojoSupport {
try (InputStream is = new FileInputStream(artifact.getFile())) {
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
XMLStreamReader r = xif.createXMLStreamReader(is);
r.nextTag();
QName name = r.getName();
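Review bot: Nothing in the hunk records why `xif.setProperty(XMLInputFactory.SUPPORT_DTD, false)` and the external-entities line were added next to the namespace setting, and the factory is built and configured inside the `try` that opens each `artifact.getFile()`. I would add `// KARAF-6923: the artifact's XML is not trusted; disable DTD processing and external entities (XXE)` above the pair, and if this block sits in a per-artifact loop (the enclosing method starts before the hunk, so I cannot tell), build the configured factory once outside it. Whether the `XMLStreamReader r` created here is closed is also outside the visible lines; the try-with-resources only covers `is`.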