Fix CWE-611
This commit fixes the XML external entity (XXE) issue described at
https://cwe.mitre.org/data/definitions/611.html

test
gturri committed Oct 15, 2020
1 parent 2e59d03 commit ad6615b
Showing 2 changed files with 12 additions and 1 deletion.
2 changes: 2 additions & 0 deletions Changelog
@@ -1,3 +1,5 @@
Fix security issue CWE-611

1.12.0
Add flag ACCEPT_NULL_DATES

11 changes: 10 additions & 1 deletion src/main/java/de/timroes/axmlrpc/ResponseParser.java
Expand Up @@ -10,6 +10,7 @@

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
Expand Down Expand Up @@ -45,9 +46,17 @@ public class ResponseParser {
public Object parse(SerializerHandler serializerHandler, InputStream response, boolean debugMode) throws XMLRPCException {

try {

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

// Ensure the xml parser won't allow exploitation of the vuln CWE-611
// (described on https://cwe.mitre.org/data/definitions/611.html )
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setExpandEntityReferences(false);
factory.setNamespaceAware(true);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
// End of the configuration of the parser for CWE-611

DocumentBuilder builder = factory.newDocumentBuilder();
Document dom = builder.parse(response);
if (debugMode ){
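Review bot: The hunk's whole protection rests on the single Xerces-specific feature `http://apache.org/xml/features/disallow-doctype-decl`; on a parser that does not recognise that URI, `setFeature` throws ParserConfigurationException, and whether that fails closed depends on the catch clause, which lies outside the hunk (the `parse` method continues past the last line shown, and the `ParserConfigurationException` import added in the first hunk is not referenced in the visible lines). For defence in depth, and so the intent survives a later relaxation of the DOCTYPE ban, I would also set the standard SAX features right after the disallow-doctype-decl line: `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);`, `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` — `setExpandEntityReferences(false)` on its own is not a sufficient XXE control. The second `factory.setExpandEntityReferences(false)` (the line just before the "End of the configuration" comment) duplicates the one four lines earlier and should be dropped. `setNamespaceAware(true)` is unrelated to CWE-611 and changes how element names are reported to the DOM-walking code further down, so it is worth confirming that the rest of the parser still matches node names as before.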
