TAMAYA-277: Fix XXE possibility
diff --git a/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java b/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java
index 5b54812..f4c7525 100644
--- a/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java
+++ b/metamodel/src/main/java/org/apache/tamaya/metamodel/MetaConfiguration.java
@@ -26,6 +26,7 @@
import java.util.logging.Level;
import java.util.logging.Logger;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -111,12 +112,13 @@
LOG.info("TAMAYA: Loading tamaya-config.xml...");
Document document = null;
try {
- document = DocumentBuilderFactory.newInstance()
- .newDocumentBuilder().parse(configFile.openStream());
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+
+ document = factory.newDocumentBuilder().parse(configFile.openStream());
ConfigurationBuilder builder = Configuration.createConfigurationBuilder();
for(MetaConfigurationReader reader: ServiceContextManager.getServiceContext().getServices(
- MetaConfigurationReader.class
- )){
+ MetaConfigurationReader.class)){
LOG.fine("TAMAYA: Executing MetaConfig-Reader: " + reader.getClass().getName() + "...");
reader.read(document, builder);
}
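Review bot: The added `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE)` passes a feature URI through the attribute API, which JAXP reserves for implementation-specific attributes, so a parser other than the JDK's bundled one may throw IllegalArgumentException or not apply secure processing at all. The portable call is `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. Secure processing alone mainly bounds resource use and is not guaranteed to block DOCTYPE or external-entity resolution on every implementation, so if tamaya-config.xml needs no DTD (it appears not to), also add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` before `newDocumentBuilder()`. Both calls can throw ParserConfigurationException, and the catch clauses of this `try` lie outside the hunk, so confirm it is handled there. Separately, the stream from `configFile.openStream()` is never closed in the visible lines, and a try-with-resources around the parse would fix that.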