disable DTD loading

git-svn-id: https://svn.apache.org/repos/asf/jackrabbit/commons/filevault/trunk@1844061 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/vault-vlt/src/main/java/org/apache/jackrabbit/vault/vlt/meta/xml/XmlEntries.java b/vault-vlt/src/main/java/org/apache/jackrabbit/vault/vlt/meta/xml/XmlEntries.java
index 62efe93..ba1721d 100644
--- a/vault-vlt/src/main/java/org/apache/jackrabbit/vault/vlt/meta/xml/XmlEntries.java
+++ b/vault-vlt/src/main/java/org/apache/jackrabbit/vault/vlt/meta/xml/XmlEntries.java
@@ -82,6 +82,8 @@
         try {
             DocumentBuilderFactory factory =
                 DocumentBuilderFactory.newInstance();
+            // disable DTD loading (bug #36897)
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             DocumentBuilder builder = factory.newDocumentBuilder();
             Document document = builder.parse(source);
             Element doc = document.getDocumentElement();
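Review bot: The feature URI on the new `setFeature` line is Xerces-specific, and `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` when the underlying parser does not recognise it, so whether the fix fails closed depends on the catch clauses of the enclosing try, which starts before the hunk and continues past it; if that exception is not turned into a load failure, an unsupported parser would keep DOCTYPE processing enabled, so it is worth confirming the catch path. For defence in depth, the standard JAXP setting `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` together with `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);` can sit next to it. The comment understates what the feature does, since it rejects any DOCTYPE rather than merely skipping DTD loading; `// reject any DOCTYPE declaration so no internal or external entities can be defined (bug #36897)` says so.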
diff --git a/vault-vlt/src/test/java/org/apache/jackrabbit/vault/vlt/meta/TextXMLEntries.java b/vault-vlt/src/test/java/org/apache/jackrabbit/vault/vlt/meta/TextXMLEntries.java
index 08ecb33..6a55c8a 100644
--- a/vault-vlt/src/test/java/org/apache/jackrabbit/vault/vlt/meta/TextXMLEntries.java
+++ b/vault-vlt/src/test/java/org/apache/jackrabbit/vault/vlt/meta/TextXMLEntries.java
@@ -16,10 +16,14 @@
  */
 package org.apache.jackrabbit.vault.vlt.meta;
 
+import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
 
 import org.apache.jackrabbit.vault.vlt.VltException;
+import org.apache.jackrabbit.vault.vlt.meta.xml.XmlEntries;
 import org.apache.jackrabbit.vault.vlt.meta.xml.zip.ZipMetaDir;
 
 /**
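Review bot: `java.io.UnsupportedEncodingException` is imported on an added line but nothing in the visible new code throws it — the test encodes with `xml.getBytes(StandardCharsets.UTF_8)`, whose `Charset` overload declares no checked exception — so the import appears unused and should be dropped unless another part of the file, outside this hunk, relies on it.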
@@ -52,4 +56,27 @@
     }
 
 
+    public void testXSS() throws VltException {
+        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
+                "<!DOCTYPE entries [\n" +
+                "   <!ENTITY % foo \"bar\">\n" +
+                "]>\n" +
+                "<entries path=\"/home/users/m/mCY2rm1YSMlKFlJ-NEN3\">\n" +
+                " <entry name=\".content.xml\" rp=\"\" ap=\"/home/users/m/mCY2rm1YSMlKFlJ-NEN3\">\n" +
+                "   <base date=\"2018-10-02T11:44:02.000+02:00\" md5=\"268b8e1f6d7b3fc9ec71226ee1a9dc70\" contentType=\"text/xml\" size=\"946\"/>\n" +
+                "   <work date=\"2018-10-02T11:44:02.000+02:00\" md5=\"268b8e1f6d7b3fc9ec71226ee1a9dc70\" contentType=\"text/xml\" size=\"946\"/>\n" +
+                " </entry>\n" +
+                " <entry name=\"_rep_policy.xml\" rp=\"\" ap=\"/home/users/m/mCY2rm1YSMlKFlJ-NEN3/rep:policy\">\n" +
+                "   <base date=\"2018-10-02T11:44:02.000+02:00\" md5=\"5a788decc1968551e2838bc46914f75a\" contentType=\"text/xml\" size=\"500\"/>\n" +
+                "   <work date=\"2018-10-02T11:44:02.000+02:00\" md5=\"5a788decc1968551e2838bc46914f75a\" contentType=\"text/xml\" size=\"500\"/>\n" +
+                " </entry>\n" +
+                "</entries>";
+        try {
+            XmlEntries entries = XmlEntries.load(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
+            assertTrue(entries.hasEntry(".content.xml"));
+            fail("XML entries with DTD should fail.");
+        } catch (VltException e) {
+            // ok
+        }
+    }
 }
\ No newline at end of file
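Review bot: The name `testXSS` misdescribes what the test checks: the fixture carries a DOCTYPE with a parameter entity and the test expects `XmlEntries.load` to reject it, which is about DTD and entity handling rather than cross-site scripting; `public void testDoctypeIsRejected() throws VltException {` names the intent. The `assertTrue(entries.hasEntry(".content.xml"));` line before `fail(...)` is redundant and misleading: if `load` returns at all the test must fail, and a missing entry would fail it with the wrong message, so the `fail` call alone suffices. The catch block accepts any `VltException`, so the test would also pass on an unrelated load failure; asserting on the message or cause would pin it to the DOCTYPE rejection, though the exact text `load` produces is outside this hunk. The `throws VltException` clause on the signature looks unnecessary too, since the only visible call that can throw it is caught, unless `hasEntry` declares it.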