Securing the DocumentBuilderFactory instance

commit: 7169e93c2efd0ce21ddd2bab44adcde36e90f480 [log] [tgz]
author: Colm O hEigeartaigh <coheigea@apache.org> Thu Mar 08 10:42:46 2018 +0000
committer: Colm O hEigeartaigh <coheigea@apache.org> Thu Mar 08 10:42:46 2018 +0000
tree: 6069ea0afa96797575d915e202941ffaac99de7a
parent: 2da23fcb6f5c15b9d95ebb39074fd329aa466971 [diff]
diff --git a/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java b/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
index 2fd2f9c..78ac7a4 100644
--- a/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java
+++ b/kerby-common/kerby-config/src/main/java/org/apache/kerby/config/XmlConfigLoader.java

@@ -29,6 +29,7 @@
 import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import java.io.InputStream;
@@ -46,6 +47,8 @@
 
     private Element loadResourceDocument(Resource resource) throws Exception {
         DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+        docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 
         docBuilderFactory.setIgnoringComments(true);
         docBuilderFactory.setNamespaceAware(true);
@@ -150,4 +153,4 @@
         }
         return null;
     }
-}
\ No newline at end of file
+}
commit	7169e93c2efd0ce21ddd2bab44adcde36e90f480	[log] [tgz]
author	Colm O hEigeartaigh <coheigea@apache.org>	Thu Mar 08 10:42:46 2018 +0000
committer	Colm O hEigeartaigh <coheigea@apache.org>	Thu Mar 08 10:42:46 2018 +0000
tree	6069ea0afa96797575d915e202941ffaac99de7a
parent	2da23fcb6f5c15b9d95ebb39074fd329aa466971 [diff]