authorMartin Polden <mpolden@mpolden.no>2022-07-01 09:18:25 +0200
committerMartin Polden <mpolden@mpolden.no>2022-07-01 09:21:33 +0200
commit612f7e017b627d9b95758199fd1820446ed88f41 (patch)
tree9a8acc4250c52ad93b648ded41ca3a8c05c55cc6 /vespajlib
parent63d415951811b71dc94dec840673160f76e1a0a0 (diff)
Disallow xinclude
Diffstat (limited to 'vespajlib')
-rw-r--r--vespajlib/src/main/java/com/yahoo/text/XML.java25
1 files changed, 13 insertions, 12 deletions
diff --git a/vespajlib/src/main/java/com/yahoo/text/XML.java b/vespajlib/src/main/java/com/yahoo/text/XML.java
index c6f235f486c..bee0ee72281 100644
--- a/vespajlib/src/main/java/com/yahoo/text/XML.java
+++ b/vespajlib/src/main/java/com/yahoo/text/XML.java
@@ -1,17 +1,6 @@
// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
package com.yahoo.text;
-import java.io.File;
-import java.io.IOException;
-import java.io.Reader;
-import java.io.StringReader;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
@@ -20,6 +9,16 @@ import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.File;
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.List;
+
/**
* Static XML utility methods
*
@@ -468,7 +467,9 @@ public class XML {
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(implementation, classLoader);
factory.setNamespaceAware(true);
- factory.setXIncludeAware(true);
+ // Disable include directives. If enabled this allows inclusion of any resource, such as file:/// and
+ // http:///, and these are read even if the document eventually fails to parse
+ factory.setXIncludeAware(false);
// Prevent XXE
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
return factory.newDocumentBuilder();
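Review bot: The hardening at the new `setXIncludeAware(false)` line and the existing `disallow-doctype-decl` feature still leaves the builder one feature short of the usual belt-and-braces configuration, because `disallow-doctype-decl` is an Apache-specific feature URI and `factory` is built from a caller-supplied `implementation`/`classLoader`, so a non-Xerces implementation may reject or ignore it. I would add the JAXP-standard `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and, for defence in depth, `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `factory.setExpandEntityReferences(false);` next to the existing feature call, so that an implementation that does not honour the Xerces URI still refuses external entities. It is also worth extending the new comment to state the visible consequence of disabling XInclude: `xi:include` elements are presumably now kept in the DOM as ordinary elements rather than expanded, which callers that relied on inclusion should be made aware of. The enclosing `try` block continues past the hunk, so how a `ParserConfigurationException` from an unsupported feature is handled cannot be judged from here.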