diff options
author | Colm O hEigeartaigh <coheigea@apache.org> | 2019-01-09 15:09:14 +0100 |
---|---|---|
committer | Andor Molnar <andor@apache.org> | 2019-01-09 15:09:14 +0100 |
commit | a5b3114d70d03f70b068b209fe393388f3c77991 (patch) | |
tree | 6c479c5ea4c8e666db410ffe3ed3b6a829e83419 /zookeeper-jute | |
parent | c358dce653874ae4b97ce26629e3ddba00c8b669 (diff) | |
download | zookeeper-a5b3114d70d03f70b068b209fe393388f3c77991.tar.gz |
ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory
It's good security practice to set the secure processing feature on SAXParserFactory and to disallow Doctypes if they aren't needed.
Author: Colm O hEigeartaigh <coheigea@apache.org>
Reviewers: andor@apache.org
Closes #716 from coheigea/sax_secureproc
Diffstat (limited to 'zookeeper-jute')
-rw-r--r-- | zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java index 99e11d10e..a4ae9381c 100644 --- a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java +++ b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java @@ -143,6 +143,8 @@ class XmlInputArchive implements InputArchive { valList = new ArrayList<Value>(); DefaultHandler handler = new XMLParser(valList); SAXParserFactory factory = SAXParserFactory.newInstance(); + factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); SAXParser parser = factory.newSAXParser(); parser.parse(in, handler); vLen = valList.size(); |