Uploaded image for project: 'Axis2'
  1. Axis2
  2. AXIS2-5878

ValidateXMLFile.java:55 (XML External Entity Injection)

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Critical
    • Resolution: Invalid
    • 1.7.6
    • None
    • ide plugins
    • Important

    Description

      XML parser configured in ValidateXMLFile.java:55 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.

      Proposed solution: Always disable external entities when creating a DocumentBuilderFactory:

      	public static DocumentBuilderFactory createDocumentBuilderFactory() {
      		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
      		factory.setNamespaceAware(true);
      			try {
      				factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
      				factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      			}
      			catch (ParserConfigurationException e) {
      				throw new IllegalStateException(e);
      			}
      		return factory;
      	}
      

      Attachments

        Activity

          People

            Unassigned Unassigned
            dkwakkel Donald Kwakkel
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: