
patch XXE vulnerability

brad
brad committed Sep 25, 2015
1 parent b5851c1 commit 5f81b0c48a817d4337d8b0e99ea0b4744ecd720b
@@ -53,14 +53,17 @@ public DefaultPropFindRequestFieldParser() {
@Override
public PropertiesRequest getRequestedFields( InputStream in ) {
final Set<QName> set = new LinkedHashSet<QName>();
try {
try {
ByteArrayOutputStream bout = new ByteArrayOutputStream();
StreamUtils.readTo( in, bout, false, true );
byte[] arr = bout.toByteArray();
if( arr.length > 1 ) {
ByteArrayInputStream bin = new ByteArrayInputStream( arr );
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
PropFindSaxHandler handler = new PropFindSaxHandler();
reader.setContentHandler( handler );
try {
@@ -77,7 +80,7 @@ public PropertiesRequest getRequestedFields( InputStream in ) {
log.warn( "exception parsing request body", e );
// ignore
}
}
}
} catch( Exception ex ) {
// There's a report of an exception being thrown here by IT Hit Webdav client
// Perhaps we can just log the error and return an empty set. Usually this
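Review bot: The three `setFeature` calls and the OWASP link comment added after `XMLReaderFactory.createXMLReader()` are duplicated verbatim in the `parseContent` hunk of the PropPatch parser, so any later adjustment (or a third parser) has to be remembered in every place; a single shared factory method, e.g. next to `StreamUtils`, would keep the hardening in one spot. Note also that `http://apache.org/xml/features/disallow-doctype-decl` is an Apache Xerces feature rather than a core SAX one: if the driver picked by `XMLReaderFactory` does not recognise it, `setFeature` throws `SAXNotRecognizedException`, which in this method is caught by the `catch( Exception ex )` block below and turned into a logged warning plus an empty set — fail-closed, but worth a comment so the "IT Hit Webdav client" note is not the only explanation a reader finds. The bare URL comment would be clearer as `// XXE hardening: reject DOCTYPE and external entities (see OWASP XXE page)`. `getRequestedFields` continues beyond this hunk.
```java
XMLReader reader = createHardenedXmlReader();
PropFindSaxHandler handler = new PropFindSaxHandler();
// … unchanged: setContentHandler, parse and error handling …

/**
 * Creates a SAX reader that rejects DOCTYPE declarations and external entities,
 * so a request body cannot trigger XXE. Throws if the underlying driver does not
 * support a feature (Xerces-specific disallow-doctype-decl), which is fail-closed.
 * https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
 */
private static XMLReader createHardenedXmlReader() throws SAXException {
    XMLReader reader = XMLReaderFactory.createXMLReader();
    reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
    reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    return reader;
}
```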
@@ -69,6 +69,10 @@ private PropPatchParseResult parseContent( byte[] arr ) throws IOException, SAXE
ByteArrayInputStream bin = new ByteArrayInputStream( arr );
XMLReader reader = XMLReaderFactory.createXMLReader();
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);

PropPatchSaxHandler handler = new PropPatchSaxHandler();
reader.setContentHandler( handler );
reader.parse( new InputSource( bin ) );

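Review bot: `parseContent` declares `SAXException`, so an unrecognised or unsupported feature (`disallow-doctype-decl` is Xerces-specific, not part of core SAX) propagates to the caller instead of being swallowed as it is in `getRequestedFields`; that is the safer of the two outcomes, but the difference is undocumented and a reader of this hunk alone cannot tell it is intentional. A one-line comment above the first `setFeature` such as `// Fails closed: setFeature throws SAXNotRecognizedException if the SAX driver lacks these features` would record that. The link-only comment between the two entity features would read better above all three calls with a short statement of intent rather than splitting them. `parseContent` begins before this hunk.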
