Posted to soap-dev@ws.apache.org by di...@apache.org on 2005/09/16 16:22:02 UTC

svn commit: r289557 - /webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java

Author: dims
Date: Fri Sep 16 07:21:58 2005
New Revision: 289557

URL: http://svn.apache.org/viewcvs?rev=289557&view=rev
Log:
switch off various parser options to prevent XXE attacks.

Modified:
    webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java

Modified: webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java
URL: http://svn.apache.org/viewcvs/webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java?rev=289557&r1=289556&r2=289557&view=diff
==============================================================================
--- webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java (original)
+++ webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java Fri Sep 16 07:21:58 2005
@@ -118,7 +118,30 @@
     // Optional: set various configuration options
     dbf.setNamespaceAware(namespaceAware);
     dbf.setValidating(validating);
+
+    // Add various options explicitly to prevent XXE attacks. add try/catch around every
+    // setAttribute just in case a specific parser does not support it.
     dbf.setExpandEntityReferences(expandEntityReferences);
+    try {
+        dbf.setAttribute("http://xml.org/sax/features/external-general-entities",
+                Boolean.FALSE);
+    } catch (Throwable t) { }
+    try {
+        dbf.setAttribute("http://xml.org/sax/features/external-parameter-entities",
+                Boolean.FALSE);
+    } catch (Throwable t) { }
+    try {
+        dbf.setAttribute("http://apache.org/xml/features/disallow-doctype-decl",
+                Boolean.TRUE);
+    } catch (Throwable t) { }
+    try {
+        dbf.setAttribute("http://javax.xml.XMLConstants/feature/secure-processing",
+                Boolean.TRUE);
+    } catch (Throwable t) { }
+    try {
+        dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd",
+                Boolean.FALSE);
+    } catch (Throwable t) { }
 
     try {
       // Some parsers don't throw an exception here, but throw one when the
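Review bot: the empty `catch (Throwable t) { }` around each `dbf.setAttribute(...)` call swallows the failure silently, so on a parser that does not recognise one of these attribute names the code carries on with that protection missing and nothing is logged; at minimum log the throwable at warning level so an operator can see which hardening did not take effect, and consider `dbf.setFeature(...)` (JAXP 1.3) for the feature URIs, since it throws `ParserConfigurationException` when a feature is unsupported and is the portable way to enable `secure-processing`. The comment above the block should also say that `disallow-doctype-decl` set to `Boolean.TRUE` makes the parser reject any incoming document that carries a DOCTYPE, which is a behaviour change for callers whose messages include a DTD.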



Re: svn commit: r289557 - /webservices/soap/trunk/java/src/org/apache/soap/util/xml/XMLParserUtils.java

Posted by Sanjiva Weerawarana <sa...@opensource.lk>.
Hi Dims,

On Fri, 2005-09-16 at 14:22 +0000, dims@apache.org wrote:
> Author: dims
> Date: Fri Sep 16 07:21:58 2005
> New Revision: 289557
> 
> URL: http://svn.apache.org/viewcvs?rev=289557&view=rev
> Log:
> switch off various parser options to prevent XXE attacks.

XXE?

You seem to be turning off many SAX options .. Apache SOAP as you know
only uses DOM. ??

Sanjiva.