ACCUMULO-4534 Disable external entities in SAX parser Closes apache/accumulo#192
Project: http://git-wip-us.apache.org/repos/asf/accumulo/repo Commit: http://git-wip-us.apache.org/repos/asf/accumulo/commit/3bd701b8 Tree: http://git-wip-us.apache.org/repos/asf/accumulo/tree/3bd701b8 Diff: http://git-wip-us.apache.org/repos/asf/accumulo/diff/3bd701b8 Branch: refs/heads/master Commit: 3bd701b883492f06766631af30e7b08f14d3454c Parents: 47b57f7 Author: Josh Elser <els...@apache.org> Authored: Thu Dec 8 22:44:09 2016 -0500 Committer: Josh Elser <els...@apache.org> Committed: Sun Dec 11 16:15:39 2016 -0500 ---------------------------------------------------------------------- .../java/org/apache/accumulo/server/util/RestoreZookeeper.java | 3 +++ 1 file changed, 3 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/accumulo/blob/3bd701b8/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java ----------------------------------------------------------------------
diff --git a/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java b/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
index 8da1ce9..b30ccfb 100644
--- a/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
+++ b/server/base/src/main/java/org/apache/accumulo/server/util/RestoreZookeeper.java
@@ -118,6 +118,9 @@ public class RestoreZookeeper {
 }
 SAXParserFactory factory = SAXParserFactory.newInstance();
+ // Prevent external entities by failing on any doctypes. We don't expect any doctypes, so this
+ // is a simple switch to remove any chance of external entities causing problems.
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 SAXParser parser = factory.newSAXParser();
 parser.parse(in, new Restore(ZooReaderWriter.getInstance(), opts.overwrite));
 in.close();
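Review bot: The comment above `factory.setFeature(...)` should also say that the call is meant to fail closed: `disallow-doctype-decl` is a Xerces feature URI, and a SAX implementation that does not recognise it throws from `setFeature` (SAXNotRecognizedException or ParserConfigurationException), which stops the restore before any input is parsed. Adding a line such as `// If the parser does not support this feature, setFeature throws; do not catch and continue.` keeps a later cleanup from turning that into a silent downgrade. With the feature on, a DOCTYPE in the input makes `parser.parse` throw, so `in.close()` on the last line of the hunk is skipped on that path; a `finally` or try-with-resources around the stream would cover it. A regression test that feeds a document carrying a DOCTYPE and expects a SAXParseException would pin the behaviour. The enclosing method starts and ends outside the hunk.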