From 612f7e017b627d9b95758199fd1820446ed88f41 Mon Sep 17 00:00:00 2001
From: Martin Polden
Date: Fri, 1 Jul 2022 09:18:25 +0200
Subject: Disallow xinclude

---
 vespajlib/src/main/java/com/yahoo/text/XML.java | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

(limited to 'vespajlib')

diff --git a/vespajlib/src/main/java/com/yahoo/text/XML.java b/vespajlib/src/main/java/com/yahoo/text/XML.java
index c6f235f486c..bee0ee72281 100644
--- a/vespajlib/src/main/java/com/yahoo/text/XML.java
+++ b/vespajlib/src/main/java/com/yahoo/text/XML.java
@@ -1,17 +1,6 @@
 // Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
 package com.yahoo.text;

-import java.io.File;
-import java.io.IOException;
-import java.io.Reader;
-import java.io.StringReader;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -20,6 +9,16 @@ import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXParseException;

+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import java.io.File;
+import java.io.IOException;
+import java.io.Reader;
+import java.io.StringReader;
+import java.util.ArrayList;
+import java.util.List;
+
 /**
 * Static XML utility methods
 *
@@ -468,7 +467,9 @@ public class XML {
 try {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(implementation, classLoader);
 factory.setNamespaceAware(true);
-factory.setXIncludeAware(true);
+// Disable include directives. If enabled this allows inclusion of any resource, such as file:/// and
+// http:///, and these are read even if the document eventually fails to parse
+factory.setXIncludeAware(false);
 // Prevent XXE
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 return factory.newDocumentBuilder();
--
cgit v1.2.3
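Review bot: The XXE guard two lines below the new `setXIncludeAware(false)` relies on the Xerces-specific feature name `http://apache.org/xml/features/disallow-doctype-decl`, yet the factory is built from a caller-supplied `implementation` via `DocumentBuilderFactory.newInstance(implementation, classLoader)`, so on an implementation that does not recognise that feature `setFeature` throws `ParserConfigurationException` (per the JAXP contract) and the result depends entirely on the catch block, which lies outside this hunk. I would add the implementation-independent settings next to it as defense in depth: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setExpandEntityReferences(false);` (the first two need `import javax.xml.XMLConstants;`, which the import hunk above does not add, and `setAttribute` may throw `IllegalArgumentException` on implementations predating JAXP 1.5, so the catch should cover that as well). `setXIncludeAware(false)` is also the JAXP default, which is worth stating in the new comment so the line is not later "simplified" away, e.g. `// Explicitly off (also the JAXP default): ...`. The enclosing method starts and ends outside this hunk.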