[AXIS2-5879] WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Invalid
Affects Version/s: 1.7.6
Fix Version/s: None
Component/s: kernel
Labels:
- security

Flags:

Important

Description

XML parser configured in WSDL20ToAxisServiceBuilder.java:1235 and 1255 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.

Proposed solution: Always disable external entities:

	public static DocumentBuilderFactory createDocumentBuilderFactory() {
		DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
		factory.setNamespaceAware(true);
			try {
				factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
				factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
			}
			catch (ParserConfigurationException e) {
				throw new IllegalStateException(e);
			}
		return factory;
	}

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Donald Kwakkel

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Sep/17 12:07

Updated:: 11/Sep/17 19:37

Resolved:: 08/Sep/17 23:19