From 5ebef77d7ad3cde11fca97015a0d9a44d7f17e68 Mon Sep 17 00:00:00 2001 From: Benoit Xhenseval Date: Mon, 25 Oct 2021 07:51:42 +0100 Subject: [PATCH] Fix security issue XXE Fix security issue --- flatpack/src/main/java/net/sf/flatpack/xml/MapParser.java | 2 ++ src/changes/changes.xml | 3 +++ 2 files changed, 5 insertions(+) diff --git a/flatpack/src/main/java/net/sf/flatpack/xml/MapParser.java b/flatpack/src/main/java/net/sf/flatpack/xml/MapParser.java index 9738ac04..fac9894b 100644 --- a/flatpack/src/main/java/net/sf/flatpack/xml/MapParser.java +++ b/flatpack/src/main/java/net/sf/flatpack/xml/MapParser.java @@ -43,6 +43,7 @@ import java.util.Map.Entry; import java.util.Set; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; @@ -98,6 +99,7 @@ public static Map parse(final Reader xmlStreamReader, final Pars final Map mdIndex = new LinkedHashMap<>(); // retain the same order final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); final DocumentBuilder builder = factory.newDocumentBuilder(); builder.setEntityResolver(new ResolveLocalDTD()); final org.w3c.dom.Document document = builder.parse(new InputSource(xmlStreamReader)); diff --git a/src/changes/changes.xml b/src/changes/changes.xml index c1ab1b3f..b81c232b 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml @@ -6,6 +6,9 @@ Changes + + Fixed Security issue for XXE. + Fixed when new line of a multi line starts with "".
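Review bot: `FEATURE_SECURE_PROCESSING` alone is not a complete XXE mitigation for the `DocumentBuilderFactory` in `MapParser.parse`. What the feature restricts depends on the implementation, and with a non-JDK JAXP parser on the classpath (a standalone Xerces, for example) it mainly applies processing limits while external entities may still be resolved. The builder keeps `ResolveLocalDTD` as its entity resolver, so mapping files apparently carry a DOCTYPE; rather than forbidding DOCTYPEs, I would add `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `factory.setExpandEntityReferences(false);` next to the new line. It is also worth confirming that `ResolveLocalDTD` (not visible here) rejects unknown system ids instead of returning null, which would fall back to the parser's default resolution. The body of `parse` continues outside this hunk, so the exception handling for a parser that rejects these features cannot be checked from here.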