Fixed 24556. Disallow referencing external entities in /ws/dal/
authorStefan Hühner <stefan.huehner@openbravo.com>
Wed, 21 Aug 2013 17:53:18 +0200
changeset 21031 87a67cacdd7a
parent 21030 e7643eff94a4
child 21032 b881fe55648e
Fixed 24556. Disallow referencing external entities in /ws/dal/
Reconfigure the xml-parser used behind /ws/dal to not accept
external entity references as the xml data is coming from outside
Openbravo.
src/org/openbravo/service/rest/DalWebService.java
--- a/src/org/openbravo/service/rest/DalWebService.java	Tue Aug 20 14:28:41 2013 +0200
+++ b/src/org/openbravo/service/rest/DalWebService.java	Wed Aug 21 17:53:18 2013 +0200
@@ -387,6 +387,9 @@
 
     try {
       final SAXReader reader = new SAXReader();
+      reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+      reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       final Document document = reader.read(request.getInputStream());
 
       // now parse the xml and let it be translated to a set of
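Review bot: the three `reader.setFeature(...)` calls at the top of the hunk can throw `SAXException` (a `SAXNotRecognizedException` or `SAXNotSupportedException`) when the SAX parser behind dom4j's `SAXReader` does not know the Apache-specific feature URIs; since they sit inside the `try` whose `catch` is outside this hunk, confirm that the handler fails closed and does not fall through to `reader.read(request.getInputStream())` with entity expansion still enabled. A short comment above the `setFeature` lines explaining that the input is untrusted and that `disallow-doctype-decl` already rejects any DOCTYPE (making the two entity features defence in depth) would help future readers, and a regression test that submits a document with a DOCTYPE and checks it is refused would pin the behaviour down.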