Securing the DocumentBuilderFactory instance
diff --git a/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java b/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
index 2fd2f9c..78ac7a4 100644
--- a/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
+++ b/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
@@ -29,6 +29,7 @@
import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.InputStream;
@@ -46,6 +47,8 @@
private Element loadResourceDocument(Resource resource) throws Exception {
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
docBuilderFactory.setIgnoringComments(true);
docBuilderFactory.setNamespaceAware(true);
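Review bot: The two added `setFeature` calls pass the flag in different forms, `Boolean.TRUE` on the first line and a bare `true` on the second; the method takes a primitive `boolean`, so `docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` reads consistently with the line below it. The `disallow-doctype-decl` feature is a Xerces-specific URI, and `setFeature` throws `ParserConfigurationException` on a parser that does not recognise it; because the method declares `throws Exception` this fails closed rather than silently leaving the parser unhardened, which is the right outcome but deserves a comment, e.g. `// Reject any DOCTYPE so no external entities or entity expansion can be declared (XXE); fails closed on parsers lacking the feature.` For defence in depth the factory could also set `docBuilderFactory.setXIncludeAware(false);` and `docBuilderFactory.setExpandEntityReferences(false);`, which cost nothing for plain config files. The body of loadResourceDocument continues past the end of this hunk.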
@@ -150,4 +153,4 @@
}
return null;
}
-}
\ No newline at end of file
+}