From e9ff0249b9cba8d660f6b348a24184dfc34601e8 Mon Sep 17 00:00:00 2001
From: Josh Elser
Date: Thu, 8 Dec 2016 22:44:09 -0500
Subject: [PATCH] ACCUMULO-4534 Disable external entities in SAX parser

Closes apache/accumulo#192
---
 .../java/org/apache/accumulo/server/util/RestoreZookeeper.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java b/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
index 8da1ce988a0..b30ccfb9b69 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
@@ -118,6 +118,9 @@ public static void main(String[] args) throws Exception {
 }

 SAXParserFactory factory = SAXParserFactory.newInstance();
+ // Prevent external entities by failing on any doctypes. We don't expect any doctypes, so this
+ // is a simple switch to remove any chance of external entities causing problems.
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 SAXParser parser = factory.newSAXParser();
 parser.parse(in, new Restore(ZooReaderWriter.getInstance(), opts.overwrite));
 in.close();
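Review bot: The added `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` uses a Xerces-namespaced feature URI, while `SAXParserFactory.newInstance()` returns whichever implementation the classpath selects, so the hardening depends on the parser in use. A factory that does not recognise the feature should throw from `setFeature`, which fails closed through `main`'s `throws Exception`, but the comment does not say this is intended; I would add `// setFeature throws if the parser lacks this feature; do not catch it, the restore must fail closed.` As an implementation-independent second layer, consider `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` next to it. A rejected DOCTYPE will now make `parser.parse` throw before `in.close()` runs, so a try-with-resources around `in` would be tidier. The body of `main` starts and ends outside the hunk, so how `in` is opened is not visible here.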