[AXIS2-5877] XML External Entity Injections - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Incomplete
Affects Version/s: 1.7.6
Fix Version/s: None
Component/s: jaxws
Labels:
- security

Flags:

Important

Description

XML parser configured in ConvertUtils.java:225 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.

Proposed fix: Enable where TransformerFactory is used always the secure processing feature:

	public static TransformerFactory createTransformerFactory() {
		TransformerFactory factory = TransformerFactory.newInstance();
		try {
			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
		}
		catch (TransformerConfigurationException e) {
			throw new IllegalStateException(e);
		}
		return factory;
	}

Also in XSLTTemplateProcessor.java:147 (XSLT Injection) and other locations where this and DocumentBuilderFactory is handled wrong. See attached screenshots.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

xxe2.png
05/Sep/17 13:05
32 kB
Donald Kwakkel
xxe1.png
05/Sep/17 13:05
74 kB
Donald Kwakkel

Activity

People

Assignee:: Unassigned

Reporter:: Donald Kwakkel

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Sep/17 12:03

Updated:: 09/Mar/21 20:41

Resolved:: 09/Mar/21 20:41