XEE injection security in XML extension. Reported by Man Yue Mo.

restlet · Oct 2, 2017 · fe75aff · fe75aff
1 parent 93fbbc9
commit fe75aff
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/build/tmpl/text/changes.txt b/build/tmpl/text/changes.txt
@@ -4,6 +4,9 @@ Changes log
 ===========
 
 @version-full@ (@release-date@)
+    - Bugs fixed
+       - XEE injection security in XML extension.
+         Reported by Man Yue Mo.
 
 - 2.3.11 (09/28/2017)
     - Bugs fixed

diff --git a/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java b/modules/org.restlet.ext.xml/src/org/restlet/ext/xml/XmlRepresentation.java
@@ -370,7 +370,10 @@ protected DocumentBuilder getDocumentBuilder() throws IOException {
             dbf.setNamespaceAware(isNamespaceAware());
             dbf.setValidating(isValidatingDtd());
             dbf.setCoalescing(isCoalescing());
-            dbf.setExpandEntityReferences(isExpandingEntityRefs());
+            dbf.setExpandEntityReferences(false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities",isExpandingEntityRefs());
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities",isExpandingEntityRefs());
+
             dbf.setIgnoringComments(isIgnoringComments());
             dbf.setIgnoringElementContentWhitespace(isIgnoringExtraWhitespaces());