CXF-6217: JmsPullPoint does not protect against external entities

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.1
    • Fix Version/s: 3.0.4, 2.7.15
    • Component/s: Core
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      I am not sure if this is by design, but the unmarshal below does not prevent or limit external entity resolution. This can expose the parser to an XML External Entities attack.

      JmsPullPoint:

      protected synchronized List<NotificationMessageHolderType> getMessages(int max)
              throws ResourceUnknownFault, UnableToGetMessagesFault {
          try {
              if (max == 0) {
                  max = 256;
              }
              initSession();
              List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
              for (int i = 0; i < max; i++) {
                  Message msg = consumer.receiveNoWait();
                  if (msg == null) {
                      break;
                  }
                  TextMessage txtMsg = (TextMessage) msg;
                  // The JMS text payload is untrusted input. It goes straight into a default
                  // JAXB Unmarshaller, whose underlying XML parser processes DTDs and
                  // resolves external entities unless it is configured not to.
                  StringReader reader = new StringReader(txtMsg.getText());
                  Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
                  messages.addAll(notify.getNotificationMessage());
              }
              return messages;
          } // catch clauses and the end of the method are not quoted in the report
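      Added example (not part of this issue and not CXF's own code or fix): the same unmarshal step written twice, once as the report shows it and once with the StAX reader created by the caller so that DTD processing and external entity resolution are switched off before JAXB ever sees the input. The Notify class, the SafeJaxbUnmarshal class and both sample messages are constructed stand-ins; the JAXB 2 javax.xml.bind API is assumed on the classpath (bundled with Java 8, a separate dependency on Java 11 and later).

```java
import java.io.StringReader;
import java.util.List;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeJaxbUnmarshal {

    // Hypothetical stand-in for the CXF Notify / NotificationMessageHolderType types.
    @XmlRootElement(name = "Notify")
    public static class Notify {
        @XmlElement(name = "NotificationMessage")
        public List<String> notificationMessage;
    }

    private static final JAXBContext CONTEXT;
    static {
        try {
            CONTEXT = JAXBContext.newInstance(Notify.class);
        } catch (JAXBException e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    // The pattern from the report: a StringReader handed directly to the Unmarshaller,
    // so the parser JAXB picks runs with its defaults (DTDs and external entities on).
    static Notify unmarshalUnsafe(String xml) throws JAXBException {
        return (Notify) CONTEXT.createUnmarshaller().unmarshal(new StringReader(xml));
    }

    // Hardened form: build the StAX reader ourselves with DTD support and external
    // entity expansion disabled, then give that reader to JAXB instead of raw text.
    static Notify unmarshalSafe(String xml) throws JAXBException, XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        try {
            return (Notify) CONTEXT.createUnmarshaller().unmarshal(reader);
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the payload a well-formed JMS TextMessage would carry.
        String benign = "<Notify><NotificationMessage>hello</NotificationMessage></Notify>";
        System.out.println(unmarshalSafe(benign).notificationMessage);

        // Constructed sample with a DOCTYPE (a harmless internal entity). The hardened
        // path refuses to process the DTD at all, which is what removes the XXE exposure.
        String withDtd = "<!DOCTYPE Notify [<!ENTITY e \"x\">]>"
                + "<Notify><NotificationMessage>&e;</NotificationMessage></Notify>";
        try {
            unmarshalSafe(withDtd);
            System.out.println("unexpected: DTD was accepted");
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

      Turning off SUPPORT_DTD rejects any DOCTYPE, which removes external entities, entity expansion and external DTD fetches with one setting; IS_SUPPORTING_EXTERNAL_ENTITIES is set as well for StAX implementations that treat the two properties independently. Whether the caller sees an XMLStreamException from the reader or a JAXBException wrapping it depends on the StAX implementation, so the example catches both.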
      

            People

            • Assignee: Daniel Kulp (dkulp)
            • Reporter: Donald Kwakkel (dkwakkel)
            • Votes: 0
            • Watchers: 2
