Posted to soap-dev@ws.apache.org by di...@apache.org on 2005/09/16 16:22:02 UTC
svn commit: r289557 - /webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
Author: dims
Date: Fri Sep 16 07:21:58 2005
New Revision: 289557
URL: http://svn.apache.org/viewcvs?rev=289557&view=rev
Log:
switch off various parser options to prevent XXE attacks.
Modified:
webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
Modified: webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
URL: http://svn.apache.org/viewcvs/webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java?rev=289557&r1=289556&r2=289557&view=diff
==============================================================================
--- webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java (original)
+++ webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java Fri Sep 16 07:21:58 2005
@@ -118,7 +118,30 @@
// Optional: set various configuration options
dbf.setNamespaceAware(namespaceAware);
dbf.setValidating(validating);
+
+ // Add various options explicitly to prevent XXE attacks. add try/catch around every
+ // setAttribute just in case a specific parser does not support it.
dbf.setExpandEntityReferences(expandEntityReferences);
+ try {
+ dbf.setAttribute("http://xml.org/sax/features/external-general-entities",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://xml.org/sax/features/external-parameter-entities",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl",
+ Boolean.TRUE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://javax.xml.XMLConstants/feature/secure-processing",
+ Boolean.TRUE);
+ } catch (Throwable t) { }
+ try {
+ dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd",
+ Boolean.FALSE);
+ } catch (Throwable t) { }
try {
// Some parsers don't throw an exception here, but throw one when the
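Review bot: every new `setAttribute` call in this hunk is wrapped in `catch (Throwable t) { }`, so when a parser rejects one of these names the hardening is simply not applied and nothing records it; the comment itself says the try/catch is there "in case a specific parser does not support it", which is exactly the case where the caller should learn about it. Catch `IllegalArgumentException` (what a JAXP factory throws for an unknown attribute) instead of `Throwable`, log the failure, and treat `http://apache.org/xml/features/disallow-doctype-decl` as mandatory: if that one cannot be set, refuse to hand out a builder rather than continue with a configuration that may still resolve external entities. Two smaller points on the same hunk: `dbf.setExpandEntityReferences(expandEntityReferences)` still honors the caller's value, so a caller passing `true` re-enables entity expansion regardless of the features set just below it; and `http://javax.xml.XMLConstants/feature/secure-processing` is a JAXP feature rather than an implementation attribute, so on a JAXP 1.3 factory `dbf.setFeature(..., true)` is the portable call, with `setAttribute` only working where the implementation happens to map attribute names onto features.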
Re: svn commit: r289557 - /webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
Posted by Sanjiva Weerawarana <sa...@opensource.lk>.
Hi Dims,
On Fri, 2005-09-16 at 14:22 +0000, dims@apache.org wrote:
> Author: dims
> Date: Fri Sep 16 07:21:58 2005
> New Revision: 289557
>
> URL: http://svn.apache.org/viewcvs?rev=289557&view=rev
> Log:
> switch off various parser options to prevent XXE attacks.
XXE?
You seem to be turning off many SAX options... Apache SOAP, as you know, only uses DOM. ??
Sanjiva.
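The question above ("XXE?") is easiest to answer with a demonstration. What follows is an added example, not Apache SOAP's own code: it builds a SOAP-shaped envelope whose DOCTYPE declares an external general entity pointing at a local file, parses it once with a stock `DocumentBuilderFactory` and once with a factory hardened with the same feature names the commit sets. It differs from the commit in two assumed respects: it uses the JAXP 1.3 `setFeature` call (Java 5 or later) instead of `setAttribute`, and it lets a feature that cannot be applied fail the builder instead of swallowing the exception. The class name `XxeDemo`, the temporary file and its contents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload: a SOAP-shaped envelope whose internal DTD subset
    // declares an external general entity and references it in the body.
    static String payloadFor(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE Envelope [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<env:Envelope xmlns:env=\"http://schemas.xmlsoap.org/soap/envelope/\">\n"
             + "  <env:Body><echo>&xxe;</echo></env:Body>\n"
             + "</env:Envelope>\n";
    }

    // Stock factory: DOCTYPE accepted, external entities fetched and expanded.
    static DocumentBuilder vulnerableBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        return dbf.newDocumentBuilder();
    }

    // Hardened factory: the same feature names the commit sets, applied through
    // the JAXP 1.3 setFeature API. A parser that cannot honour one of them
    // throws ParserConfigurationException, so the caller never receives a
    // builder that is less strict than requested (fail closed).
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setExpandEntityReferences(false);
        dbf.setXIncludeAware(false);
        return dbf.newDocumentBuilder();
    }

    // Parses the envelope and returns the text of <echo>, i.e. whatever the
    // entity reference was expanded to.
    static String parseEcho(DocumentBuilder db, String xml) throws Exception {
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("echo").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret": a temp file standing in for a password or key file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "contents-of-a-local-file".getBytes(StandardCharsets.UTF_8));
        String xml = payloadFor(secret);
        try {
            // The stock parser resolves the SYSTEM entity, so <echo> carries
            // the file's contents: the XML document has read a local file.
            System.out.println("vulnerable: " + parseEcho(vulnerableBuilder(), xml));
            try {
                parseEcho(hardenedBuilder(), xml);
                System.out.println("hardened: parsed (hardening NOT applied)");
            } catch (SAXParseException e) {
                // disallow-doctype-decl rejects the document at the DOCTYPE,
                // before any entity is declared, let alone resolved.
                System.out.println("hardened: rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

The point for the DOM-versus-SAX question: the feature URIs carry `sax` in their names because they are defined by the SAX feature vocabulary, but a JAXP `DocumentBuilder` is built on the same underlying parser, so they govern DOM parsing too. Of the five settings, `disallow-doctype-decl` is the decisive one for a SOAP endpoint, since SOAP messages must not carry a DTD in the first place; the entity and external-DTD features are defence in depth for parsers that do not recognise the Apache-specific name.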