
ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory

It's good security practice to set the secure processing feature on SAXParserFactory and to disallow Doctypes if they aren't needed.

Author: Colm O hEigeartaigh <coheigea@apache.org>

Reviewers: andor@apache.org

Closes #716 from coheigea/sax_secureproc
Colm O hEigeartaigh 6 years ago
Parent
Current commit
a5b3114d70
1 file changed, 2 insertions and 0 deletions
  1. 2 0
      zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java

+ 2 - 0
zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java

@@ -143,6 +143,8 @@ class XmlInputArchive implements InputArchive {
         valList = new ArrayList<Value>();
         DefaultHandler handler = new XMLParser(valList);
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         SAXParser parser = factory.newSAXParser();
         parser.parse(in, handler);
         vLen = valList.size();
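
Review bot: the two added setFeature calls on the SAXParserFactory pass the flag inconsistently, Boolean.TRUE on the first and the literal true on the second; setFeature takes a primitive boolean, so use true in both, and import javax.xml.XMLConstants instead of spelling out the package inline. Also, "http://apache.org/xml/features/disallow-doctype-decl" is a Xerces-style feature URI, and setFeature throws when the factory implementation on the classpath does not recognise it, so parsing now fails closed under a different SAX provider; that is the safer behaviour, but it deserves a one-line comment at this spot. The commit changes only this file, so a test that feeds XmlInputArchive a document carrying a DOCTYPE declaration and expects the parse to be rejected would keep the hardening from regressing.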