BZ-1169553 - (CVE-2014-8125) EMBARGOED CVE-2014-8125 jBPM: BPMN2 file…

… processing XXE in Process Execution
apache · Dec 22, 2014 · c48464c · c48464c
1 parent 29769b4
commit c48464c
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/drools-core/src/main/java/org/drools/core/xml/ExtensibleXmlParser.java b/drools-core/src/main/java/org/drools/core/xml/ExtensibleXmlParser.java
@@ -223,7 +223,15 @@ public Object read(final InputSource in) throws SAXException,
                 throw new RuntimeException( "Unable to create new DOM Document",
                                             e );
             }
-
+            // XXE protection start
+            try {
+                f.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+            } catch (ParserConfigurationException e) {
+                logger.warn("Unable to set parser features due to {}", e.getMessage());
+            }
+            // XXE protection end
             try {
                 this.document = f.newDocumentBuilder().newDocument();
             } catch ( Exception e ) {
@@ -254,6 +262,15 @@ public Object read(final InputSource in) throws SAXException,
             }
 
             factory.setNamespaceAware( true );
+            // XXE protection start
+            try {
+                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+
+            } catch (ParserConfigurationException e) {
+                logger.warn("Unable to set parser features due to {}", e.getMessage());
+            }
+            // XXE protection end
 
             final String isValidatingString = System.getProperty( "drools.schema.validating" );
             if ( System.getProperty( "drools.schema.validating" ) != null ) {