patch XXE vulnerability
brad committed Sep 25, 2015
1 parent b5851c1 commit 5f81b0c
Showing 2 changed files with 9 additions and 2 deletions.
Expand Up @@ -53,14 +53,17 @@ public DefaultPropFindRequestFieldParser() {
@Override
public PropertiesRequest getRequestedFields( InputStream in ) {
final Set<QName> set = new LinkedHashSet<QName>();
try {
try {
ByteArrayOutputStream bout = new ByteArrayOutputStream();
StreamUtils.readTo( in, bout, false, true );
byte[] arr = bout.toByteArray();
if( arr.length > 1 ) {
ByteArrayInputStream bin = new ByteArrayInputStream( arr );
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
PropFindSaxHandler handler = new PropFindSaxHandler();
reader.setContentHandler( handler );
try {
Expand All @@ -77,7 +80,7 @@ public PropertiesRequest getRequestedFields( InputStream in ) {
log.warn( "exception parsing request body", e );
// ignore
}
}
}
} catch( Exception ex ) {
// There's a report of an exception being thrown here by IT Hit Webdav client
// Perhaps we can just log the error and return an empty set. Usually this
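Review bot: The three `setFeature` calls after `XMLReaderFactory.createXMLReader()` use feature URIs that the SAX API lets a driver reject with `SAXNotRecognizedException` / `SAXNotSupportedException` (`disallow-doctype-decl` in particular is an Apache/Xerces name, honored by the JDK's bundled parser but not guaranteed for whatever `org.xml.sax.driver` or META-INF/services selects), and here such a failure would only reach the broad `catch( Exception ex )` further down, which the comment suggests logs and returns an empty set. That is fail-closed, which is the right direction, but on a deployment with a different SAX driver every PROPFIND would quietly become an empty property request and the log would attribute it to the IT Hit workaround rather than to the hardening. Consider wrapping the three feature calls in `catch( SAXNotRecognizedException | SAXNotSupportedException e ) { log.error( "SAX driver does not support XXE hardening feature; refusing to parse", e ); return new PropertiesRequest(set); }` (or rethrowing, if the caller can surface it), so a misconfigured parser is visible. The bare URL comment would be more useful as `// Reject any DOCTYPE outright; the two entity features are belt-and-braces for drivers that still accept a DTD.`, and a regression test feeding a body with an external entity and asserting it is not resolved would lock the fix in. The enclosing method continues past the hunk.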
Expand Up @@ -69,6 +69,10 @@ private PropPatchParseResult parseContent( byte[] arr ) throws IOException, SAXE
ByteArrayInputStream bin = new ByteArrayInputStream( arr );
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);

PropPatchSaxHandler handler = new PropPatchSaxHandler();
reader.setContentHandler( handler );
reader.parse( new InputSource( bin ) );
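Review bot: The hardening block added at `XMLReaderFactory.createXMLReader()` here is the same three `setFeature` lines copied into the PROPFIND parser in this commit, and a third `XMLReader` created elsewhere later (or one the commit did not touch) will only be safe if someone remembers to copy them again; a single shared factory would make the secure configuration the default and keep the two parsers from drifting. The failure modes also differ between the copies: `parseContent` declares `throws SAXException`, so a driver that rejects a feature, or a request body that now carries a `<!DOCTYPE>`, propagates a `SAXException` to the caller, whereas the PROPFIND copy swallows it — the caller of `parseContent` is outside the hunk, so I cannot tell whether that becomes a 400 or a 500, but a rejected DOCTYPE is a client error and should be mapped to 400 Bad Request. Replacing the line with `XMLReader reader = createSecureXmlReader();` and adding the helper below (in a small shared utility class) covers both parsers; the enclosing method starts outside the hunk.
```java
/**
 * Creates a SAX reader hardened against XXE (see OWASP XML External Entity Processing):
 * any DOCTYPE is rejected, and external general/parameter entities are disabled as a
 * second line of defence for drivers that still accept a DTD.
 *
 * @throws SAXException if the selected SAX driver does not support one of the features;
 *         callers should treat this as a configuration error, not a bad request
 */
static XMLReader createSecureXmlReader() throws SAXException {
    XMLReader reader = XMLReaderFactory.createXMLReader();
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    return reader;
}
```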

