[SECURITY-2146]

src/main/java/hudson/scm/CVSChangeLogSet.java

@@ -29,7 +29,9 @@
 import hudson.scm.CVSChangeLogSet.CVSChangeLog;
 import hudson.util.Digester2;
 import hudson.util.IOException2;
+import org.xml.sax.SAXException;
 
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.PrintStream;
@@ -116,9 +118,25 @@ public static CVSChangeLogSet parse(final Run<?, ?> build, RepositoryBrowser<?>
     }
 
 	private static ArrayList<CVSChangeLog> parseFile(final java.io.File f)
-			throws IOException2 {
-		Digester digester = new Digester2();
+			throws IOException2, SAXException {
+
+        Digester digester = new Digester2();
+
+        digester.setXIncludeAware(false);
+
+        if (!Boolean.getBoolean(CVSChangeLogParser.class.getName() + ".UNSAFE")) {
+            try {
+                digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+                digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            }
+            catch (ParserConfigurationException ex) {
+                throw new SAXException("Failed to securely configure CVS changelog parser", ex);
+            }
+        }
         ArrayList<CVSChangeLog> r = new ArrayList<CVSChangeLog>();
+
         digester.push(r);
 
         digester.addObjectCreate("*/entry", CVSChangeLog.class);