This repository has been archived by the owner on Jun 3, 2020. It is now read-only.
1791164 - disable external entity parsing
MichaelMraka committed Feb 11, 2020
1 parent 60950bc commit 74e28ec
Showing 2 changed files with 13 additions and 0 deletions.
2 changes: 2 additions & 0 deletions spec-tree/redstone-xmlrpc/redstone-xmlrpc.spec
@@ -9,6 +9,7 @@ Patch0: build-classpath.patch
Patch1: fault_serialization.patch
Patch2: escaping_string_serialization.path
Patch3: xxe.patch
Patch4: xxe2.patch
%if 0%{?fedora} || 0%{?rhel} >=7
BuildRequires: javapackages-tools
BuildRequires: jboss-servlet-2.5-api
@@ -34,6 +35,7 @@ a simple xmlrpc library for java
%patch1 -p0
%patch2 -p0
%patch3 -p0
%patch4 -p0
rm lib/javax.servlet.jar
build-jar-repository -p lib/ %third_party_jars

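--- a/spec-tree/redstone-xmlrpc/xxe2.patch
+++ b/spec-tree/redstone-xmlrpc/xxe2.patch
@@ -0,0 +1,11 @@
+diff '--exclude=CVS' '--exclude=.svn' -ur ../xmlrpc-orig/source/redstone/xmlrpc/XmlRpcParser.java ../xmlrpc/source/redstone/xmlrpc/XmlRpcParser.java
+--- source/redstone/xmlrpc/XmlRpcParser.java 2020-01-16 14:18:28.294284905 +0100
++++ source/redstone/xmlrpc/XmlRpcParser.java 2020-01-16 14:21:57.985203925 +0100
+@@ -135,6 +135,7 @@
+{
+reader = XMLReaderFactory.createXMLReader();
+reader.setEntityResolver(new DummyEntityResolver());
++ reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+}
+catch ( SAXException e )
+{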
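Review bot: The added `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` relies on an Apache/Xerces-specific feature URI, while `XMLReaderFactory.createXMLReader()` may return a different SAX implementation (for example when `org.xml.sax.driver` is set); in that case the call throws `SAXNotRecognizedException`, which is a `SAXException` and lands in the catch directly below. The catch body is outside this hunk, so it should be confirmed that it aborts parsing rather than continuing with a reader that has no DOCTYPE restriction. As a portable second layer I would also add `reader.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`. A one-line comment above the new call, such as `// XML-RPC payloads never need a DTD; reject DOCTYPE outright to block XXE`, would record why the feature is set.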
