[jira] [Commented] (AXIS2-5879) WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (AXIS2-5879) WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)

JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/AXIS2-5879?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16161850#comment-16161850 ]

Donald Kwakkel commented on AXIS2-5879:
---------------------------------------

Thanks for analyzing.

> WSDL20ToAxisServiceBuilder.java:1235 & 1255 (XML External Entity Injection)
> ---------------------------------------------------------------------------
>
>                 Key: AXIS2-5879
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5879
>             Project: Axis2
>          Issue Type: Bug
>          Components: kernel
>    Affects Versions: 1.7.6
>            Reporter: Donald Kwakkel
>            Priority: Critical
>              Labels: security
>
> XML parser configured in WSDL20ToAxisServiceBuilder.java:1235 and 1255 does not prevent nor limit external entities resolution. This can expose the parser to an XML External Entities attack.
> Proposed solution: Always disable external entities:
> {code:java}
> public static DocumentBuilderFactory createDocumentBuilderFactory() {
> DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
> factory.setNamespaceAware(true);
> try {
> factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> }
> catch (ParserConfigurationException e) {
> throw new IllegalStateException(e);
> }
> return factory;
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]