BZ1158017: fix XXE vulnerability when importing a BP from a bpmn2 (XM…

…L) file.
kiegroup · Jan 5, 2015 · 5641588 · 5641588
1 parent b4645ac
commit 5641588
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/...esigner-backend/src/main/java/org/jbpm/designer/bpmn2/resource/JBPMBpmn2ResourceImpl.java b/...esigner-backend/src/main/java/org/jbpm/designer/bpmn2/resource/JBPMBpmn2ResourceImpl.java
@@ -28,6 +28,11 @@ public JBPMBpmn2ResourceImpl(URI uri) {
         this.getDefaultLoadOptions().put(XMLResource.OPTION_DISABLE_NOTIFY, true);
         this.getDefaultLoadOptions().put(XMLResource.OPTION_USE_XML_NAME_TO_FEATURE_MAP, xmlNameToFeatureMap);
 
+        // Switch off DTD external entity processing
+        Map parserFeatures = new HashMap();
+        parserFeatures.put("http://xml.org/sax/features/external-general-entities", false);
+        this.getDefaultLoadOptions().put(XMLResource.OPTION_PARSER_FEATURES, parserFeatures);
+
         this.getDefaultSaveOptions().put(XMLResource.OPTION_ENCODING, "UTF-8");
         this.getDefaultSaveOptions().put(XMLResource.OPTION_PROCESS_DANGLING_HREF, XMLResource.OPTION_PROCESS_DANGLING_HREF_DISCARD);
 	}