You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cxf.apache.org by "Donald Kwakkel (JIRA)" <ji...@apache.org> on 2015/01/22 15:43:34 UTC

[jira] [Created] (CXF-6217) JmsPullPoint does not protect against external entities

Donald Kwakkel created CXF-6217:
-----------------------------------

             Summary: JmsPullPoint does not protect against external entities
                 Key: CXF-6217
                 URL: https://issues.apache.org/jira/browse/CXF-6217
             Project: CXF
          Issue Type: Bug
          Components: Core
    Affects Versions: 3.0.1
            Reporter: Donald Kwakkel


I am not sure if this is by design, but the unmarshell below does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.

JmsPullPoint:

 protected synchronized List<NotificationMessageHolderType> getMessages(int max) 
        throws ResourceUnknownFault, UnableToGetMessagesFault {
        try {
            if (max == 0) {
                max = 256;
            }
            initSession();
            List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
            for (int i = 0; i < max; i++) {
                Message msg = consumer.receiveNoWait();
                if (msg == null) {
                    break;
                }
                TextMessage txtMsg = (TextMessage) msg;
                StringReader reader = new StringReader(txtMsg.getText());
                Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
                messages.addAll(notify.getNotificationMessage());
            }
            return messages;
        }



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)