XXE vulnerability #55

Closed
seanboylan opened this issue Jun 1, 2016 · 2 comments
@seanboylan

ezvcard.util.XMLUtils

import java.io.IOException;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

private static Document toDocument(InputSource in) throws SAXException, IOException {
    // Factory is left at its defaults: no feature disables DOCTYPE processing or
    // external entity resolution, so a crafted document can declare external entities.
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setIgnoringComments(true);

    DocumentBuilder builder;
    try {
        builder = factory.newDocumentBuilder();
    } catch (ParserConfigurationException e) {
        //should never be thrown because we're not doing anything fancy with the configuration
        throw new RuntimeException(e);
    }

    return builder.parse(in);
}

Has an XXE vulnerability - Please disable external XML entity processing:

References:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

@mangstadt (Owner)

Thank you for reporting this, Sean. I will look into it.

mangstadt added a commit that referenced this issue Jun 4, 2016
@mangstadt (Owner)

Fixed in e7822b7.
