ZOOKEEPER-3235: Enable secure processing and disallow DTDs in the SAXParserFactory

It's good security practice to set the secure processing feature on SAXParserFactory and to disallow Doctypes if they aren't needed. Author: Colm O hEigeartaigh <coheigea@apache.org> Reviewers: andor@apache.org Closes #716 from coheigea/sax_secureproc
author: Colm O hEigeartaigh <coheigea@apache.org> 2019-01-09 15:09:14 +0100
committer: Andor Molnar <andor@apache.org> 2019-01-09 15:09:14 +0100
commit: a5b3114d70d03f70b068b209fe393388f3c77991 (patch)
tree: 6c479c5ea4c8e666db410ffe3ed3b6a829e83419 /zookeeper-jute
parent: c358dce653874ae4b97ce26629e3ddba00c8b669 (diff)
download: zookeeper-a5b3114d70d03f70b068b209fe393388f3c77991.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
index 99e11d10e..a4ae9381c 100644
--- a/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
+++ b/zookeeper-jute/src/main/java/org/apache/jute/XmlInputArchive.java
@@ -143,6 +143,8 @@ class XmlInputArchive implements InputArchive {
         valList = new ArrayList<Value>();
         DefaultHandler handler = new XMLParser(valList);
         SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         SAXParser parser = factory.newSAXParser();
         parser.parse(in, handler);
         vLen = valList.size();
author	Colm O hEigeartaigh <coheigea@apache.org>	2019-01-09 15:09:14 +0100
committer	Andor Molnar <andor@apache.org>	2019-01-09 15:09:14 +0100
commit	a5b3114d70d03f70b068b209fe393388f3c77991 (patch)
tree	6c479c5ea4c8e666db410ffe3ed3b6a829e83419 /zookeeper-jute
parent	c358dce653874ae4b97ce26629e3ddba00c8b669 (diff)
download	zookeeper-a5b3114d70d03f70b068b209fe393388f3c77991.tar.gz