fix LOGBACK-1465

Signed-off-by: Ceki Gulcu <ceki@qos.ch>

logback-core/src/main/java/ch/qos/logback/core/joran/event/SaxEventRecorder.java

@@ -85,6 +85,9 @@ private SAXParser buildSaxParser() throws JoranException {
         try {
             SAXParserFactory spf = SAXParserFactory.newInstance();
             spf.setValidating(false);
+            //spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
             spf.setNamespaceAware(true);
             return spf.newSAXParser();
         } catch (Exception pce) {

logback-core/src/test/java/ch/qos/logback/core/joran/action/IncludeActionTest.java

@@ -206,7 +206,9 @@ String copyToTemp(String in) throws IOException {
 
     @Test
     public void malformedURL() throws JoranException {
-        System.setProperty(INCLUDE_KEY, "htp://logback.qos.ch");
+    	String MALFORMED = "htp://logback.qos.ch";
+
+        System.setProperty(INCLUDE_KEY, MALFORMED);
         tc.doConfigure(TOP_BY_URL);
         assertEquals(Status.ERROR, statusChecker.getHighestLevel(0));
         assertTrue(statusChecker.containsException(MalformedURLException.class));
@@ -239,10 +241,15 @@ public void multiInclude() throws JoranException {
         verifyConfig(new String[] { "IA", "IB", "SECOND" });
     }
 
+
+    // See LOGBACK-1465 - xxe vulnerability
     @Test
     public void includeAsEntity() throws JoranException {
         tc.doConfigure(TOP_BY_ENTITY);
-        verifyConfig(new String[] { "EA", "EB" });  
+        StatusPrinter.print(context);
+        //verifyConfig(new String[] { "EA", "EB" });
+        // entity inclusion disabled
+        verifyConfig(new String[] { });
     }
 
     void verifyConfig(String[] expected) {