mirror of https://github.com/apache/activemq.git
Enable secure processing on all DocumentBuilderFactory.newInstance()
parent
8cc0c5ad6c
commit
a87b61e8be
|
@ -25,6 +25,7 @@ import java.util.Map;
|
|||
import java.util.Properties;
|
||||
|
||||
import javax.jms.JMSException;
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
|
@ -59,6 +60,7 @@ public final class XPathExpression implements BooleanExpression {
|
|||
builderFactory.setIgnoringComments(true);
|
||||
try {
|
||||
// set some reasonable defaults
|
||||
builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
|
||||
builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||
builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||
builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
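Review bot: The hardening added inside the `try` after `// set some reasonable defaults` only holds if a failed `setFeature` stops the factory from being used, and the matching `catch` is outside this hunk. If that handler only logs the `ParserConfigurationException`, a parser that rejects one feature skips every call after it and still builds documents with DOCTYPE and entity handling at their defaults. Since this expression presumably evaluates XPath over message content, I would fail closed in the handler, e.g. `throw new IllegalStateException("XML parser lacks required secure-processing features", e);`, or set each feature in its own try so one rejection does not drop the rest. It is also worth adding `builderFactory.setXIncludeAware(false);` and `builderFactory.setExpandEntityReferences(false);` next to the existing calls.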
|
|
|
@ -20,6 +20,7 @@ import org.w3c.dom.Attr;
|
|||
import org.w3c.dom.Element;
|
||||
import org.xml.sax.SAXException;
|
||||
|
||||
import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
|
@ -158,7 +159,10 @@ public class CreateCommand extends AbstractCommand {
|
|||
File dest = new File(targetBase, DEFAULT_TARGET_ACTIVEMQ_CONF);
|
||||
context.print("Copying from: " + src.getCanonicalPath() + "\n to: " + dest.getCanonicalPath());
|
||||
|
||||
DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
|
||||
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = dbf.newDocumentBuilder();
|
||||
Element docElem = builder.parse(src).getDocumentElement();
|
||||
|
||||
XPath xpath = XPathFactory.newInstance().newXPath();
|
||||
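Review bot: Setting `disallow-doctype-decl` on `dbf` changes what `builder.parse(src)` accepts, and nothing in the hunk records that: a source configuration file that carries a DOCTYPE now fails to parse instead of being copied. A short comment above the two `setFeature` calls would state the intent, e.g. `// XXE hardening: reject DOCTYPE declarations; the broker config is expected to be DTD-free`. The `XPathFactory.newInstance()` on the line after the parse is left at its defaults; `XPathFactory` also accepts `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` if the goal is to cover every JAXP factory in this method. The enclosing method starts and ends outside the hunk, so how the new failure is reported to the user is not visible here.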
|
|
|
@ -180,6 +180,9 @@ public class RuntimeConfigurationBroker extends AbstractRuntimeConfigurationBrok
|
|||
// skip beans and pull out the broker node to validate
|
||||
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
|
||||
dbf.setNamespaceAware(true);
|
||||
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
|
||||
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
|
||||
DocumentBuilder db = dbf.newDocumentBuilder();
|
||||
Document doc = db.parse(configToMonitor.getInputStream());
|
||||
Node brokerRootNode = doc.getElementsByTagNameNS("*","broker").item(0);
|
||||
|
@ -252,4 +255,4 @@ public class RuntimeConfigurationBroker extends AbstractRuntimeConfigurationBrok
|
|||
this.checkPeriod = checkPeriod;
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
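Review bot: The two `setFeature` calls added after `dbf.setNamespaceAware(true)` are the third hand-written copy of this hardening in the commit, and the copies already differ: XPathExpression also turns off `external-general-entities` and `external-parameter-entities`, while this one and CreateCommand rely on `disallow-doctype-decl` alone. That is sufficient as long as the DOCTYPE feature stays on, but a one-line comment would stop a later edit from removing the wrong line, e.g. `// DOCTYPE is rejected outright, so no entity can be declared; keep this if other features are relaxed`. Because this parser appears to read a configuration that is re-checked at runtime, a file edited to include a DOCTYPE will now make `db.parse(...)` throw. The handler is outside the hunk, so confirm it logs and keeps the running configuration rather than propagating.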
|
|