Posted to commits@ws.apache.org by co...@apache.org on 2019/10/24 09:41:48 UTC
svn commit: r1868861 -
/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
Author: coheigea
Date: Thu Oct 24 09:41:48 2019
New Revision: 1868861
URL: http://svn.apache.org/viewvc?rev=1868861&view=rev
Log:
Disallow external DTDs
Modified:
webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
Modified: webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java?rev=1868861&r1=1868860&r2=1868861&view=diff
==============================================================================
--- webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java (original)
+++ webservices/wss4j/trunk/ws-security-common/src/main/java/org/apache/wss4j/common/util/XMLUtils.java Thu Oct 24 09:41:48 2019
@@ -138,8 +138,16 @@ public final class XMLUtils {
throws TransformerException {
DOMSource source = new DOMSource(element);
StreamResult result = new StreamResult(out);
+
TransformerFactory transFactory = TransformerFactory.newInstance();
transFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ try {
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ } catch (IllegalArgumentException ex) { //NOPMD
+ // ignore
+ }
+
Transformer transformer = transFactory.newTransformer();
transformer.transform(source, result);
}
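Review bot: The two `setAttribute` calls share one `try`, so if the factory rejects `XMLConstants.ACCESS_EXTERNAL_DTD` with `IllegalArgumentException`, `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` is never attempted, and the `// ignore` catch leaves no trace that either restriction was skipped. Giving each attribute its own try/catch lets a factory that supports only one of them still get that one applied. The comment should also say why the exception is tolerated, presumably because some TransformerFactory implementations on the classpath do not recognise these JAXP 1.5 attributes. If the class has a logger available, a debug-level message in the catch would let operators see when the hardening silently did not apply. The method's signature starts above the hunk, so whether callers can influence which factory implementation is loaded is not visible here.

```java
// … unchanged: TransformerFactory.newInstance() and FEATURE_SECURE_PROCESSING …
try {
    transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
} catch (IllegalArgumentException ex) { //NOPMD
    // attribute not recognised by this TransformerFactory implementation
}
try {
    transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException ex) { //NOPMD
    // attribute not recognised by this TransformerFactory implementation
}
// … unchanged: newTransformer() and transform(source, result) …
```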