Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 1.0
- None
Description
We want the ability to configure whether or not Jelly files can be declared such that the DOCTYPE definition at the beginning of the XML can call out to external entities when the file is parsed by SAX (the Xerces parser).
The suggested fix is to add
    if (!allowDtdToCallExternalEntities) {
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    }
immediately following this line: https://github.com/apache/commons-jelly/blob/commons-jelly-1.0/src/java/org/apache/commons/jelly/parser/XMLParser.java#L496
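The following is an added, stand-alone example (not code from the Jelly project) showing what the three SAX features above change in practice. It builds a plain JDK/Xerces `XMLReader` through `SAXParserFactory` instead of Jelly's `XMLParser`, reuses the `allowDtdToCallExternalEntities` toggle name from the suggested fix, and parses a constructed document whose DOCTYPE declares an external general entity with a deliberately non-existent placeholder SYSTEM id. The class name `XxeToggleDemo` and the helper method names are assumptions for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeToggleDemo {

    // Constructed sample document. The SYSTEM identifier is a placeholder
    // that does not exist; it only serves to show whether the parser tries
    // to resolve the entity at all.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE j:jelly [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/does-not-exist\">]>\n"
        + "<j:jelly xmlns:j=\"jelly:core\">&ext;</j:jelly>";

    // Same toggle as the suggested fix, applied to a JDK-created SAX reader.
    static XMLReader newReader(boolean allowDtdToCallExternalEntities) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        if (!allowDtdToCallExternalEntities) {
            reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
            reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        return reader;
    }

    // Parses DOC and reports the text content seen plus any entities the
    // parser reported as skipped (Xerces reports skippedEntity for an
    // external general entity when external-general-entities is off).
    static String parse(boolean allowDtdToCallExternalEntities) {
        final StringBuilder text = new StringBuilder();
        final StringBuilder skipped = new StringBuilder();
        try {
            XMLReader reader = newReader(allowDtdToCallExternalEntities);
            reader.setContentHandler(new DefaultHandler() {
                @Override
                public void characters(char[] ch, int start, int length) {
                    text.append(ch, start, length);
                }
                @Override
                public void skippedEntity(String name) {
                    skipped.append(name);
                }
            });
            reader.parse(new InputSource(new StringReader(DOC)));
            return "parsed; text='" + text + "' skippedEntities='" + skipped + "'";
        } catch (Exception e) {
            // With external entities allowed, the parser attempts to open the
            // SYSTEM id and the failure surfaces here as an IOException.
            return "failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("allowDtdToCallExternalEntities=true  -> " + parse(true));
        System.out.println("allowDtdToCallExternalEntities=false -> " + parse(false));
    }
}
```

With the toggle on, the reader tries to fetch the SYSTEM id, which is the behaviour the issue wants to be able to switch off; with it off, the document still parses, the entity contributes no text, and the content handler receives a `skippedEntity("ext")` callback, which is a convenient place to log that a Jelly file attempted an external reference. Note that the three features are Xerces/SAX feature names; a different `XMLReader` implementation may reject them with `SAXNotRecognizedException`, so the toggle should be applied where the reader is created, as the suggested fix does.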
Code is in SVN under the following commit:
    svn commit -m "JELLY-293: accommodating toggling off DTD external entities"
    Sending        .
    Sending        build.xml
    Adding         pom.xml
    Sending        src/java/org/apache/commons/jelly/JellyContext.java
    Sending        src/java/org/apache/commons/jelly/parser/XMLParser.java
    Adding         src/test/org/apache/commons/jelly/TestDoctypeDefinitionXXE.java
    Adding         src/test/org/apache/commons/jelly/doctypeDefinitionXXE.jelly
    Sending        xdocs/changes.xml
    Transmitting file data .......done
    Committing transaction...
    Committed revision 1806026.