Added a config option, "allow-xml-doctype-declaration", to turn XML DOCTYPE declarations on in AMF XML payloads.
diff --git a/modules/common/pom.xml b/modules/common/pom.xml
index a518579..42e4d42 100755
--- a/modules/common/pom.xml
+++ b/modules/common/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>blazeds</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
diff --git a/modules/core/pom.xml b/modules/core/pom.xml
index 1309282..8d6c8fb 100755
--- a/modules/core/pom.xml
+++ b/modules/core/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>blazeds</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
diff --git a/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java b/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java
index ffa1d0f..c265ea9 100644
--- a/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java
+++ b/modules/core/src/flex/messaging/endpoints/AbstractEndpoint.java
@@ -109,6 +109,7 @@
private static final String LEGACY_THROWABLE = "legacy-throwable";
private static final String LEGACY_BIG_NUMBERS = "legacy-big-numbers";
private static final String LEGACY_EXTERNALIZABLE = "legacy-externalizable";
+ private static final String ALLOW_XML_DOCTYPE_DECLARATION = "allow-xml-doctype-declaration";
private static final String ALLOW_XML_EXTERNAL_ENTITY_EXPANSION = "allow-xml-external-entity-expansion";
private static final String LOG_PROPERTY_ERRORS = "log-property-errors";
@@ -278,6 +279,7 @@
serializationContext.legacyThrowable = serialization.getPropertyAsBoolean(LEGACY_THROWABLE, false);
serializationContext.legacyBigNumbers = serialization.getPropertyAsBoolean(LEGACY_BIG_NUMBERS, false);
serializationContext.legacyExternalizable = serialization.getPropertyAsBoolean(LEGACY_EXTERNALIZABLE, false);
+ serializationContext.allowXmlDoctypeDeclaration = serialization.getPropertyAsBoolean(ALLOW_XML_DOCTYPE_DECLARATION, false);
serializationContext.allowXmlExternalEntityExpansion = serialization.getPropertyAsBoolean(ALLOW_XML_EXTERNAL_ENTITY_EXPANSION, false);
serializationContext.maxObjectNestLevel = (int)serialization.getPropertyAsLong(MAX_OBJECT_NEST_LEVEL, 512);
serializationContext.maxCollectionNestLevel = (int)serialization.getPropertyAsLong(MAX_COLLECTION_NEST_LEVEL, 15);
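Review bot: With `allow-xml-doctype-declaration` defaulting to false, an existing deployment that sets `allow-xml-external-entity-expansion` to true silently changes behaviour. Judging from the XMLUtil hunk in this commit, DOCTYPE declarations are rejected whenever the new flag is false, and entity declarations can only appear inside a DOCTYPE. The secure default is right, but the dependency should be visible here, e.g. a comment `// allow-xml-external-entity-expansion has no effect unless allow-xml-doctype-declaration is also true` above the two assignments, and ideally a log warning when the first is true and the second is false. The enclosing method starts and ends outside the hunk.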
diff --git a/modules/core/src/flex/messaging/io/SerializationContext.java b/modules/core/src/flex/messaging/io/SerializationContext.java
index d4a9f41..9ffe17c 100644
--- a/modules/core/src/flex/messaging/io/SerializationContext.java
+++ b/modules/core/src/flex/messaging/io/SerializationContext.java
@@ -80,6 +80,7 @@
// Similarly like how many dimensional matrix that we support for serialization.
public int maxCollectionNestLevel = 15;
+ public boolean allowXmlDoctypeDeclaration = false;
public boolean allowXmlExternalEntityExpansion = false;
/**
@@ -227,6 +228,7 @@
context.deserializationValidator = deserializationValidator;
context.maxObjectNestLevel = maxObjectNestLevel;
context.maxCollectionNestLevel = maxCollectionNestLevel;
+ context.allowXmlDoctypeDeclaration = allowXmlDoctypeDeclaration;
context.allowXmlExternalEntityExpansion = allowXmlExternalEntityExpansion;
context.preferVectors = preferVectors;
return context;
diff --git a/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java b/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java
index 5d985f6..a62a546 100644
--- a/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java
+++ b/modules/core/src/flex/messaging/io/amf/AbstractAmfInput.java
@@ -83,7 +83,7 @@
// Validation performed in XMLUtil#stringToDocument.
return XMLUtil.stringToDocument(xml, !(context.legacyXMLNamespaces),
- context.allowXmlExternalEntityExpansion);
+ context.allowXmlDoctypeDeclaration, context.allowXmlExternalEntityExpansion);
}
/**
diff --git a/modules/core/src/flex/messaging/io/amfx/AmfxInput.java b/modules/core/src/flex/messaging/io/amfx/AmfxInput.java
index 8944049..83911ff 100644
--- a/modules/core/src/flex/messaging/io/amfx/AmfxInput.java
+++ b/modules/core/src/flex/messaging/io/amfx/AmfxInput.java
@@ -1050,7 +1050,7 @@
// Validation performed in XMLUtil#stringToDocument.
Object value = XMLUtil.stringToDocument(xml, !(context.legacyXMLNamespaces),
- context.allowXmlExternalEntityExpansion);
+ context.allowXmlDoctypeDeclaration, context.allowXmlExternalEntityExpansion);
setValue(value);
}
diff --git a/modules/core/src/flex/messaging/util/XMLUtil.java b/modules/core/src/flex/messaging/util/XMLUtil.java
index abc224d..e27149c 100644
--- a/modules/core/src/flex/messaging/util/XMLUtil.java
+++ b/modules/core/src/flex/messaging/util/XMLUtil.java
@@ -97,7 +97,7 @@
*/
public static Document stringToDocument(String xml)
{
- return stringToDocument(xml, true, false);
+ return stringToDocument(xml, true, false, false);
}
/**
@@ -109,7 +109,8 @@
* is name-space aware
* @return Document
*/
- public static Document stringToDocument(String xml, boolean nameSpaceAware, boolean allowXmlExternalEntityExpansion)
+ public static Document stringToDocument(String xml, boolean nameSpaceAware, boolean allowXmlDoctypeDeclaration,
+ boolean allowXmlExternalEntityExpansion)
{
ClassUtil.validateCreation(Document.class);
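Review bot: The Javadoc above this signature has no `@param` for the new `allowXmlDoctypeDeclaration` argument (nor, in the visible lines, for `allowXmlExternalEntityExpansion`), and the two adjacent booleans are easy to swap at a call site. Add `@param allowXmlDoctypeDeclaration if false, a document containing a DOCTYPE declaration is rejected` and a matching line for the entity-expansion flag. The comment block starts outside the hunk, so existing tags may be hidden. Replacing the three-argument overload instead of keeping it also breaks any external caller of this public method; that may be intended, but it deserves a line in the release notes.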
@@ -122,6 +123,11 @@
InputSource input = new InputSource(reader);
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ if(!allowXmlDoctypeDeclaration)
+ {
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+
if(!allowXmlExternalEntityExpansion)
{
// Disable local resolution of entities due to security issues
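Review bot: When `allowXmlDoctypeDeclaration` is true and `allowXmlExternalEntityExpansion` is false, nothing in this hunk stops the parser from fetching the external DTD named in the DOCTYPE; the commit's own `testDoctypeEnabled` calls `stringToDocument(xml, true, true, false)` and asserts that the local server was contacted. An operator who enables the option only to accept inline DOCTYPEs therefore also permits outbound requests to a URL chosen by the payload's sender. Consider also setting `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` inside the `if(!allowXmlExternalEntityExpansion)` block, whose body continues outside the hunk and may already do part of this. The test would then assert that the server is not contacted, and the option's documentation should state what enabling it allows.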
diff --git a/modules/opt/pom.xml b/modules/opt/pom.xml
index d77fcf4..051ed24 100755
--- a/modules/opt/pom.xml
+++ b/modules/opt/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>blazeds</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
diff --git a/modules/opt/poms/tomcat4/pom.xml b/modules/opt/poms/tomcat4/pom.xml
index d7d5f5b..2d742ee 100755
--- a/modules/opt/poms/tomcat4/pom.xml
+++ b/modules/opt/poms/tomcat4/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>flex-messaging-opt</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>
diff --git a/modules/opt/poms/tomcat6/pom.xml b/modules/opt/poms/tomcat6/pom.xml
index d609a99..364d017 100755
--- a/modules/opt/poms/tomcat6/pom.xml
+++ b/modules/opt/poms/tomcat6/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>flex-messaging-opt</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>
diff --git a/modules/opt/poms/tomcat7/pom.xml b/modules/opt/poms/tomcat7/pom.xml
index e80781e..6b73f3b 100755
--- a/modules/opt/poms/tomcat7/pom.xml
+++ b/modules/opt/poms/tomcat7/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>flex-messaging-opt</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../../pom.xml</relativePath>
</parent>
diff --git a/modules/pom.xml b/modules/pom.xml
index 33da3bb..6045b34 100755
--- a/modules/pom.xml
+++ b/modules/pom.xml
@@ -29,7 +29,7 @@
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>blazeds</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<packaging>pom</packaging>
<name>Apache Flex: BlazeDS</name>
diff --git a/modules/proxy/pom.xml b/modules/proxy/pom.xml
index 296d351..b1d9102 100755
--- a/modules/proxy/pom.xml
+++ b/modules/proxy/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>blazeds</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
diff --git a/modules/remoting/pom.xml b/modules/remoting/pom.xml
index 4ac1c74..93a6bfb 100755
--- a/modules/remoting/pom.xml
+++ b/modules/remoting/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>blazeds</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
diff --git a/modules/testsuite/pom.xml b/modules/testsuite/pom.xml
index 8206cc5..1428f30 100644
--- a/modules/testsuite/pom.xml
+++ b/modules/testsuite/pom.xml
@@ -22,7 +22,7 @@
<parent>
<groupId>org.apache.flex.blazeds</groupId>
<artifactId>blazeds</artifactId>
- <version>4.8.0-SNAPSHOT</version>
+ <version>4.7.2-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
diff --git a/modules/testsuite/src/test/java/flex/messaging/io/amfx/AllowDocumentTypeDeclaration.java b/modules/testsuite/src/test/java/flex/messaging/io/amfx/AllowDocumentTypeDeclaration.java
new file mode 100644
index 0000000..c4427e7
--- /dev/null
+++ b/modules/testsuite/src/test/java/flex/messaging/io/amfx/AllowDocumentTypeDeclaration.java
@@ -0,0 +1,151 @@
+/*
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package flex.messaging.io.amfx;
+
+import flex.messaging.MessageException;
+import flex.messaging.util.XMLUtil;
+import junit.framework.Assert;
+import junit.framework.TestCase;
+
+import java.io.BufferedReader;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+/**
+ * Created by christoferdutz on 23.07.15.
+ */
+
+public class AllowDocumentTypeDeclaration extends TestCase {
+
+ public void testDoctypeEnabled() throws Exception {
+ // Start a simple server socket.
+ TinyServer server = new TinyServer();
+ server.start();
+
+ // Sleep for half a second.
+ Thread.sleep(500);
+
+ try {
+ StringBuffer xml = new StringBuffer(512);
+ xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n");
+ xml.append("<!DOCTYPE foo PUBLIC \"-//VSR//PENTEST//EN\" \"http://localhost:" + server.getPort() +
+ "/service?ssrf\">");
+ xml.append("<foo>Some content</foo>");
+ XMLUtil.stringToDocument(xml.toString(), true, true, false);
+
+ // The server should have been contacted.
+ Assert.assertTrue(server.connected);
+ } finally {
+ server.kill();
+ }
+ }
+
+ public void testDoctypeDisabled() throws Exception {
+ // Start a simple server socket.
+ TinyServer server = new TinyServer();
+ server.start();
+
+ // Sleep for half a second.
+ Thread.sleep(500);
+
+ try {
+ StringBuffer xml = new StringBuffer(512);
+ xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n");
+ xml.append("<!DOCTYPE foo PUBLIC \"-//VSR//PENTEST//EN\" \"http://localhost:" + server.getPort() +
+ "/service?ssrf\">");
+ xml.append("<foo>Some content</foo>");
+ try {
+ XMLUtil.stringToDocument(xml.toString(), true, false, false);
+ Assert.fail("This should have failed.");
+ } catch (MessageException me) {
+ Assert.assertTrue(me.getMessage().contains("DOCTYPE"));
+ }
+
+ // The server should not have been contacted.
+ Assert.assertFalse(server.connected);
+ } finally {
+ server.kill();
+ }
+ }
+
+ private class TinyServer extends Thread {
+
+ private int port;
+ private boolean connected = false;
+
+ private ServerSocket serverSocket;
+ private Socket clientSocket;
+
+ @Override
+ public void run() {
+ try {
+ serverSocket = new ServerSocket(0);
+ port = serverSocket.getLocalPort();
+ clientSocket = serverSocket.accept();
+ connected = true;
+ BufferedReader reader = new BufferedReader(new InputStreamReader(clientSocket.getInputStream()));
+ while(reader.ready()) {
+ String line = reader.readLine();
+ System.out.println(line);
+ }
+ OutputStream out = clientSocket.getOutputStream();
+ out.write("HTTP/1.0 200 OK".getBytes());
+ out.write("Content-Type: text/plain".getBytes());
+ out.write("Content-Length: 1354".getBytes());
+ out.write(("<!DOCTYPE foo [" +
+ "<!ELEMENT foo>" +
+ "]>").getBytes());
+ out.flush();
+ } catch (Exception e) {
+ // Ignore.
+ } finally {
+ try {
+ clientSocket.getOutputStream().close();
+ } catch(Exception e) {
+ // Ignore ...
+ }
+ try {
+ clientSocket.getOutputStream().close();
+ } catch(Exception e) {
+ // Ignore ...
+ }
+ }
+ }
+
+ public void kill() {
+ try {
+ serverSocket.close();
+ } catch (IOException e) {
+ // Ignore.
+ }
+ }
+
+ public int getPort() {
+ return port;
+ }
+
+ public boolean isConnected() {
+ return connected;
+ }
+ }
+
+}
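Review bot: `TinyServer` binds its socket and assigns `port` inside `run()`, so both tests rely on `Thread.sleep(500)` for `getPort()` to be valid, and `connected` is read from the test thread without being `volatile`. On a slow machine the DOCTYPE URL can be built with port 0, and `testDoctypeEnabled` then fails for reasons unrelated to the parser. Binding in the constructor makes the port known before `start()` and removes the need for the sleep; marking `connected` volatile makes the assertion read a value the server thread actually published.

```java
private class TinyServer extends Thread {

    private final ServerSocket serverSocket;
    private final int port;
    private volatile boolean connected = false;
    private Socket clientSocket;

    TinyServer() throws IOException {
        // Bind before start() so getPort() is valid without sleeping.
        serverSocket = new ServerSocket(0);
        port = serverSocket.getLocalPort();
    }

    @Override
    public void run() {
        try {
            clientSocket = serverSocket.accept();
            connected = true;
            // … unchanged: request echo, canned response and cleanup …
```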