Fixed 24556. Disallow referencing external entities in /ws/dal/
author Stefan Hühner <stefan.huehner@openbravo.com>
Wed, 21 Aug 2013 17:53:18 +0200
changeset 21008 b975d72dec38
parent 21007 8008267023a0
child 21010 69875a4590b9
Fixed 24556. Disallow referencing external entities in /ws/dal/
Reconfigure the XML parser used behind /ws/dal to not accept
external entity references, as the XML data is coming from outside
Openbravo.
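The following is an added example, not code from the Openbravo changeset, showing what the three parser features above actually prevent. It feeds a constructed request body containing an external general entity to a stock dom4j SAXReader and to one configured exactly as in the hunk. The class name, the payload and the file path it references are illustrative choices for this example only; the feature URIs are the ones the changeset sets.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

// Hypothetical demo class, not part of Openbravo.
public class DalXxeDemo {

    // Constructed XXE payload: an inline DOCTYPE declaring an external general
    // entity that points at a local file, then referencing it in element text.
    static final String XXE_PAYLOAD = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE ob [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<ob><name>&xxe;</name></ob>";

    // Same three features the changeset applies to the /ws/dal reader.
    // setFeature() throws SAXException if the SAX driver does not recognise
    // a feature; disallow-doctype-decl is a Xerces feature, so a non-Xerces
    // driver would fail here rather than silently run unhardened.
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return reader;
    }

    // Parses the body and returns the text of <name>, i.e. whatever the
    // entity expanded to (or null if the element is absent).
    static String parseName(SAXReader reader, String xml) throws DocumentException {
        Document doc = reader.read(new StringReader(xml));
        return doc.getRootElement().elementText("name");
    }

    public static void main(String[] args) throws Exception {
        // Default reader: the DOCTYPE is accepted and the entity is resolved,
        // so the referenced file's contents end up in the element text
        // (or a resolution error if the file cannot be read).
        try {
            System.out.println("default reader:  name=" + parseName(new SAXReader(), XXE_PAYLOAD));
        } catch (DocumentException e) {
            System.out.println("default reader:  " + e.getMessage());
        }

        // Hardened reader: the DOCTYPE itself is a fatal error, so the
        // entity declaration is never processed and no file is touched.
        try {
            System.out.println("hardened reader: name=" + parseName(hardenedReader(), XXE_PAYLOAD));
        } catch (DocumentException e) {
            System.out.println("hardened reader: rejected -> " + e.getMessage());
        }
    }
}
```

Run it with dom4j and Xerces (the JDK's built-in parser is Xerces-derived and accepts these feature URIs) on the classpath. Note that with disallow-doctype-decl the hardened reader also rejects requests that carry a harmless internal DOCTYPE, which is the trade-off the changeset makes for the /ws/dal endpoint.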
src/org/openbravo/service/rest/DalWebService.java
--- a/src/org/openbravo/service/rest/DalWebService.java	Wed Aug 21 13:30:31 2013 +0200
+++ b/src/org/openbravo/service/rest/DalWebService.java	Wed Aug 21 17:53:18 2013 +0200
@@ -498,6 +498,9 @@
 
     try {
       final SAXReader reader = new SAXReader();
+      reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+      reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
       final Document document = reader.read(request.getInputStream());
 
       // now parse the xml and let it be translated to a set of
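Review bot: the three setFeature() calls added at the top of this hunk throw SAXException when the underlying SAX driver does not recognise a feature (disallow-doctype-decl in particular is Xerces-specific), and the catch that would receive that exception is outside the visible context; make sure it reports a parser-configuration failure rather than being folded into the generic "bad XML" handling, so the service can never fall through and run with an unhardened reader. Also worth stating in the commit message or the /ws/dal documentation: because disallow-doctype-decl is set to true, any client request carrying a DOCTYPE, even a purely internal one with no external references, is now rejected by reader.read(), which is a visible behaviour change for existing DAL web service clients.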