This is an automated email from the ASF dual-hosted git repository.

lukaszlenart pushed a commit to branch WW-5233-tiles
in repository https://gitbox.apache.org/repos/asf/struts.git

commit 01ccc0bcb32b16c3e44a83b2c8c0be1a9b069e55
Author: Lukasz Lenart <lukaszlen...@apache.org>
AuthorDate: Fri Jul 14 08:15:19 2023 +0200

    WW-5233 Disables XML external entity parsing
---
 .../definition/digester/DigesterDefinitionsReader.java    | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git 
a/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
 
b/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
index 4d756bbb2..ccbed0a81 100644
--- 
a/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
+++ 
b/plugins/tiles/src/main/java/org/apache/tiles/core/definition/digester/DigesterDefinitionsReader.java
@@ -21,6 +21,7 @@ package org.apache.tiles.core.definition.digester;
 
 import org.apache.commons.digester.Digester;
 import org.apache.commons.digester.Rule;
+import org.apache.struts2.StrutsException;
 import org.apache.tiles.api.Attribute;
 import org.apache.tiles.api.Definition;
 import org.apache.tiles.api.Expression;
@@ -30,8 +31,11 @@ import org.apache.tiles.core.definition.DefinitionsReader;
 import org.xml.sax.Attributes;
 import org.xml.sax.ErrorHandler;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.SAXParseException;
 
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
@@ -256,6 +260,17 @@ public class DigesterDefinitionsReader implements 
DefinitionsReader {
         digester.setNamespaceAware(true);
         digester.setUseContextClassLoader(true);
         digester.setErrorHandler(new ThrowingErrorHandler());
+        try {
+            //OWASP
+            
//https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+            
digester.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+            
digester.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+            // Disable external DTDs as well
+            
digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+            digester.setXIncludeAware(false);
+        } catch (ParserConfigurationException | SAXNotRecognizedException | 
SAXNotSupportedException e) {
+            throw new StrutsException("Unable to disable external XML entity 
parsing", e);
+        }
 
         // Register our local copy of the DTDs that we can find
         String[] registrations = getRegistrations();
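Review bot: The new try block turns off external general/parameter entities and external DTD loading but leaves internal DTD subsets enabled, so a definitions file that declares nested entities can still drive unbounded entity expansion; adding `digester.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` inside the same try (with `javax.xml.XMLConstants` imported) enforces the JAXP expansion limits regardless of which SAX implementation ends up on the classpath. Not setting `http://apache.org/xml/features/disallow-doctype-decl`, which the linked cheat sheet names as the preferred option, looks deliberate because the definitions files presumably carry a DOCTYPE resolved against the DTDs registered just below, but the hunk does not say so; a comment like `// DOCTYPE stays allowed: definition files reference the DTDs registered locally below` would stop a later reader from "fixing" it. Note that the mailed diff has wrapped the three feature-URI lines and left a stray `;` after each closing quote, so the text as shown here is not the exact source. The enclosing method starts before and continues after this hunk.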
