You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Donald Kwakkel (JIRA)" <ji...@apache.org> on 2015/01/22 15:43:34 UTC
[jira] [Created] (CXF-6217) JmsPullPoint does not protect against
external entities
Donald Kwakkel created CXF-6217:
-----------------------------------
Summary: JmsPullPoint does not protect against external entities
Key: CXF-6217
URL: https://issues.apache.org/jira/browse/CXF-6217
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 3.0.1
Reporter: Donald Kwakkel
I am not sure if this is by design, but the unmarshell below does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.
JmsPullPoint:
protected synchronized List<NotificationMessageHolderType> getMessages(int max)
throws ResourceUnknownFault, UnableToGetMessagesFault {
try {
if (max == 0) {
max = 256;
}
initSession();
List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
for (int i = 0; i < max; i++) {
Message msg = consumer.receiveNoWait();
if (msg == null) {
break;
}
TextMessage txtMsg = (TextMessage) msg;
StringReader reader = new StringReader(txtMsg.getText());
Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
messages.addAll(notify.getNotificationMessage());
}
return messages;
}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)