Fixed 24556. Disallow referencing external entities in /ws/dal/
authorStefan Hühner <stefan.huehner@openbravo.com>
Wed, 21 Aug 2013 17:53:18 +0200
changeset 21023 1a84e5398da6
parent 21022 11aefb77bdf1
child 21024 df03edbc8f2b
Fixed 24556. Disallow referencing external entities in /ws/dal/
Reconfigure the xml-parser used behind /ws/dal to not accept
external entity references as the xml data is coming from outside
Openbravo.
src/org/openbravo/service/rest/DalWebService.java
--- a/src/org/openbravo/service/rest/DalWebService.java	Thu Aug 08 14:44:30 2013 +0200
+++ b/src/org/openbravo/service/rest/DalWebService.java	Wed Aug 21 17:53:18 2013 +0200
@@ -387,6 +387,9 @@
 
     try {
       final SAXReader reader = new SAXReader();
+      reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+      reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       final Document document = reader.read(request.getInputStream());
 
       // now parse the xml and let it be translated to a set of
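Review bot: the three `reader.setFeature(...)` calls added at the top of this hunk declare `org.xml.sax.SAXException` (`SAXNotRecognizedException` / `SAXNotSupportedException` when the underlying XMLReader does not know the feature, which is the case for the Xerces-specific `http://apache.org/xml/features/disallow-doctype-decl` URI if a different SAX implementation ever ends up on the classpath); the `catch` clauses of the enclosing `try` are outside this hunk, so confirm they handle that exception explicitly rather than letting a misconfigured parser surface as an unrelated request failure. A short comment above the three lines stating that the input stream comes from outside Openbravo and that `disallow-doctype-decl` is the primary control, with the two external-entity features kept as defence in depth should the DOCTYPE restriction ever be relaxed, would document the intent for future maintainers.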