Enable secure processing on all DocumentBuilderFactory.newInstance() 321/head
authorColm O hEigeartaigh <coheigea@apache.org>
Thu, 22 Nov 2018 10:24:43 +0000 (10:24 +0000)
committerColm O hEigeartaigh <coheigea@apache.org>
Thu, 22 Nov 2018 10:24:43 +0000 (10:24 +0000)
activemq-client/src/main/java/org/apache/activemq/filter/XPathExpression.java
activemq-console/src/main/java/org/apache/activemq/console/command/CreateCommand.java
activemq-runtime-config/src/main/java/org/apache/activemq/plugin/RuntimeConfigurationBroker.java

index 75ab087..e90e15f 100644 (file)
@@ -25,6 +25,7 @@ import java.util.Map;
 import java.util.Properties;
 
 import javax.jms.JMSException;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -59,6 +60,7 @@ public final class XPathExpression implements BooleanExpression {
                 builderFactory.setIgnoringComments(true);
                 try {
                     // set some reasonable defaults
+                    builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
                     builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
                     builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                     builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
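Review bot: The new setFeature call is the first statement of a try whose catch is outside the hunk; if that catch only logs, a JAXP provider that rejects FEATURE_SECURE_PROCESSING would not only leave secure processing off but also skip the three entity/doctype calls that follow it, since the exception aborts the block. It is worth confirming that the catch fails closed (rethrows or leaves the expression unusable) rather than continuing with an unhardened factory. As a point of style, `Boolean.TRUE` is autounboxed here while the neighbouring calls pass literal `false`/`true`; `builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` reads consistently, and the same Boolean.TRUE form appears in the CreateCommand and RuntimeConfigurationBroker hunks. The enclosing method starts and ends outside the hunk.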
index 28080e6..f9f0fb0 100644 (file)
@@ -20,6 +20,7 @@ import org.w3c.dom.Attr;
 import org.w3c.dom.Element;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -158,7 +159,10 @@ public class CreateCommand extends AbstractCommand {
         File dest = new File(targetBase, DEFAULT_TARGET_ACTIVEMQ_CONF);
         context.print("Copying from: " + src.getCanonicalPath() + "\n          to: " + dest.getCanonicalPath());
 
-        DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        DocumentBuilder builder = dbf.newDocumentBuilder();
         Element docElem = builder.parse(src).getDocumentElement();
 
         XPath xpath = XPathFactory.newInstance().newXPath();
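Review bot: The factory hardening is now hand-written at three call sites (here, XPathExpression and RuntimeConfigurationBroker) and they already differ: XPathExpression also disables external-general-entities and external-parameter-entities, while this hunk and the RuntimeConfigurationBroker one rely on disallow-doctype-decl alone. A small shared method that returns a fully configured DocumentBuilderFactory, called from all three places, would keep the feature set uniform and give future DocumentBuilderFactory.newInstance() users one obvious thing to call. If the duplication is kept, `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` matches the literal `true` on the next line. Note that `setFeature` throws ParserConfigurationException on a provider that does not recognise a feature URI; that is the same exception the pre-existing `newDocumentBuilder()` call already declares, so the method signature is presumably unaffected, but it cannot be confirmed from the hunk.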
index 7a06c87..0d7e17f 100644 (file)
@@ -180,6 +180,9 @@ public class RuntimeConfigurationBroker extends AbstractRuntimeConfigurationBrok
                 // skip beans and pull out the broker node to validate
                 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
                 dbf.setNamespaceAware(true);
+                dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+                dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
                 DocumentBuilder db = dbf.newDocumentBuilder();
                 Document doc = db.parse(configToMonitor.getInputStream());
                 Node brokerRootNode = doc.getElementsByTagNameNS("*","broker").item(0);
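Review bot: No import hunk for `javax.xml.XMLConstants` appears in this file's section, unlike the other two files in the commit; unless the import already exists further up in RuntimeConfigurationBroker.java (not visible here), the line `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);` will not compile. This factory parses `configToMonitor`, the broker's live configuration stream, so it is the call site where the hardening matters most; disallow-doctype-decl is sufficient against external entities on Xerces because a document without a DOCTYPE cannot declare them, but mirroring the two external-entity lines from the XPathExpression hunk would make the three sites identical. The enclosing method starts and ends outside the hunk, so whether setFeature's ParserConfigurationException is caught or propagated cannot be seen here.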
@@ -252,4 +255,4 @@ public class RuntimeConfigurationBroker extends AbstractRuntimeConfigurationBrok
         this.checkPeriod = checkPeriod;
     }
 
-}
\ No newline at end of file
+}