CVE-2023-46502: fixes XML eXternal Entity injection (XXE) · opencrx/opencrx@ce7a71d

An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.


@@ -221,16 +221,40 @@ protected String getCleanPath(

}

/**

* Return JAXP document builder instance.

* Get XML document builder.

*

* @return

* @throws ServiceException

*/

protected DocumentBuilder getDocumentBuilder(

) throws ServiceException {

DocumentBuilder documentBuilder = null;

DocumentBuilderFactory documentBuilderFactory = null;

documentBuilderFactory = DocumentBuilderFactory.newInstance();

documentBuilderFactory.setNamespaceAware(true);

// Flags required to prevent XML eXternal Entity injection (XXE)

try {

documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

} catch (ParserConfigurationException e) {

throw new ServiceException(e);

}

try {

documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);

} catch (ParserConfigurationException e) {

throw new ServiceException(e);

}

try {

documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

} catch (ParserConfigurationException e) {

throw new ServiceException(e);

}

try {

documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

} catch (ParserConfigurationException e) {

throw new ServiceException(e);

}

try {

documentBuilderFactory = DocumentBuilderFactory.newInstance();

documentBuilderFactory.setNamespaceAware(true);

documentBuilder = documentBuilderFactory.newDocumentBuilder();

documentBuilder = documentBuilderFactory.newDocumentBuilder();

} catch (ParserConfigurationException e) {

throw new ServiceException(e);

}
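Review bot: as rendered here (the +/- markers did not survive extraction), the final try block still shows a second `documentBuilderFactory = DocumentBuilderFactory.newInstance();` and `documentBuilderFactory.setNamespaceAware(true);` after the four `setFeature` calls, followed by two `documentBuilder = documentBuilderFactory.newDocumentBuilder();` lines. If that second `newInstance()` is a surviving line rather than a removed one, it replaces the hardened factory with a fresh default-configured one just before `newDocumentBuilder()` runs and silently discards all four XXE features; please confirm that only the single `newInstance()` at the top of the method remains and that `newDocumentBuilder()` is called on that instance. Two smaller points: the Javadoc now carries both "Return JAXP document builder instance." and "Get XML document builder." as summary lines, so one should go; and the four try/catch blocks each wrap one `setFeature` call with an identical `throw new ServiceException(e)`, so they could collapse into a single try block. Consider also calling `documentBuilderFactory.setXIncludeAware(false)` and `documentBuilderFactory.setExpandEntityReferences(false)` on the same factory for defence in depth, since `disallow-doctype-decl` is the decisive setting and the remaining three features only matter if a DOCTYPE is ever allowed through.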
