Home Explore Help
Sign In
apache
/
zookeeper
mirror of https://gitee.com/apache/zookeeper.git
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory

It's good security practice to set the secure processing feature on SAXParserFactory and to disallow Doctypes if they aren't needed.

Author: Colm O hEigeartaigh <coheigea@apache.org>

Reviewers: andor@apache.org

Closes #716 from coheigea/sax_secureproc
Colm O hEigeartaigh 6 years ago
parent
c358dce653
commit
a5b3114d70
1 changed files with 2 additions and 0 deletions
Split View Show Diff Stats
  1. 2 0
      zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java

+ 2 - 0
zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
View File 

@@ -143,6 +143,8 @@ class XmlInputArchive implements InputArchive {
 
         valList = new ArrayList<Value>();
 
         DefaultHandler handler = new XMLParser(valList);
 
         SAXParserFactory factory = SAXParserFactory.newInstance();
 
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
 
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 
         SAXParser parser = factory.newSAXParser();
 
         parser.parse(in, handler);
 
         vLen = valList.size();