Skip to content
Permalink
Browse files

BZ1158017: fix XXE vulnerability when importing a BP from a bpmn2 (XM…

…L) file.
  • Loading branch information...
Jeremy Lindop
Jeremy Lindop committed Oct 28, 2014
1 parent b4645ac commit 5641588c730cc75dc3b76c34b76271fbd407fb84
@@ -28,6 +28,11 @@ public JBPMBpmn2ResourceImpl(URI uri) {
this.getDefaultLoadOptions().put(XMLResource.OPTION_DISABLE_NOTIFY, true);
this.getDefaultLoadOptions().put(XMLResource.OPTION_USE_XML_NAME_TO_FEATURE_MAP, xmlNameToFeatureMap);

// Switch off DTD external entity processing
Map parserFeatures = new HashMap();
parserFeatures.put("http://xml.org/sax/features/external-general-entities", false);
this.getDefaultLoadOptions().put(XMLResource.OPTION_PARSER_FEATURES, parserFeatures);

this.getDefaultSaveOptions().put(XMLResource.OPTION_ENCODING, "UTF-8");
this.getDefaultSaveOptions().put(XMLResource.OPTION_PROCESS_DANGLING_HREF, XMLResource.OPTION_PROCESS_DANGLING_HREF_DISCARD);
}

0 comments on commit 5641588

Please sign in to comment.
You can’t perform that action at this time.