Use the FEATURE_SECURE_PROCESSING feature for loading resource ids
This fixes a potential security issue reported by ready-research at
https://huntr.dev/bounties/c68f1aed-2922-4ebb-9699-00e0aea1d662
JesusFreke committed Mar 8, 2022
1 parent 81bd303 commit 2771eae
Showing 1 changed file with 6 additions and 2 deletions.
8 changes: 6 additions & 2 deletions baksmali/src/main/java/org/jf/baksmali/BaksmaliOptions.java
@@ -38,6 +38,7 @@
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -84,9 +85,12 @@ public class BaksmaliOptions {
public void loadResourceIds(Map<String, File> resourceFiles) throws SAXException, IOException {
for (Map.Entry<String, File> entry: resourceFiles.entrySet()) {
try {
SAXParser saxp = SAXParserFactory.newInstance().newSAXParser();
SAXParserFactory parserFactory = SAXParserFactory.newInstance();
parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
SAXParser parser = parserFactory.newSAXParser();

final String prefix = entry.getKey();
saxp.parse(entry.getValue(), new DefaultHandler() {
parser.parse(entry.getValue(), new DefaultHandler() {
@Override
public void startElement(String uri, String localName, String qName,
Attributes attr) throws SAXException {
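Review bot: `FEATURE_SECURE_PROCESSING` on its own is an implementation-dependent XXE defence: the JDK's built-in parser restricts external DTD and entity access when the feature is set explicitly, but a different JAXP implementation returned by `SAXParserFactory.newInstance()` may only apply resource limits. If the resource files passed to `loadResourceIds` can come from an untrusted source (not visible here), consider also adding `parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` right after the existing `setFeature` call, or turning off the `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` features if a DOCTYPE has to be tolerated. The factory is also created and configured again on every loop iteration and could be built once before the `for`. The method body continues past the end of the hunk, so the catch clauses that would handle a rejected feature are not shown.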