[BZ 1150624] Add additional code to prevent attempts to load DTD.

(cherry picked from commit 3064b71) Signed-off-by: John Mazzitelli <mazz@redhat.com>
rhq-project · Oct 10, 2014 · 3892942 · 3892942
1 parent c1dbfc7
commit 3892942
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/modules/enterprise/agent/src/main/java/org/rhq/enterprise/agent/AgentMain.java b/modules/enterprise/agent/src/main/java/org/rhq/enterprise/agent/AgentMain.java
@@ -35,6 +35,7 @@
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.StreamTokenizer;
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.lang.management.ManagementFactory;
 import java.lang.reflect.Field;
@@ -84,6 +85,9 @@
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 import org.jboss.remoting.invocation.NameBasedInvocation;
 import org.jboss.remoting.security.SSLSocketBuilder;
@@ -1397,6 +1401,13 @@ private String addMissingDoctypeDeclaration(String input) {
             documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 
             DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(new EntityResolver() {
+                @Override
+                public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+                    return new InputSource(new StringReader(""));
+                }
+            });
+
             InputStream inputStream = new ByteArrayInputStream(input.getBytes());
             Document document = documentBuilder.parse(inputStream);
             inputStream.close();
@@ -3676,6 +3687,13 @@ private void encodeDefaultRestrictedProperties(String configFileName) {
             documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 
             DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(new EntityResolver() {
+                @Override
+                public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+                    return new InputSource(new StringReader(""));
+                }
+            });
+
             inputStream = new FileInputStream(configFile);
             Document document = documentBuilder.parse(inputStream);
             inputStream.close();