HDFS-16410. Insecure Xml parsing in OfflineEditsXmlLoader (#3854)

Contributed by Ashutosh Gupta

(cherry picked from commit 43e5218a86)
Ashutosh Gupta 2022-01-05 21:21:14 +05:30 committed by Akira Ajisaka
parent 1e1e4a2f51
commit 3992ba5d8c
No known key found for this signature in database
GPG Key ID: C1EDBB9CA400FD50
1 changed files with 4 additions and 0 deletions


@ -86,6 +86,10 @@ class OfflineEditsXmlLoader
public void loadEdits() throws IOException { public void loadEdits() throws IOException {
try { try {
XMLReader xr = XMLReaderFactory.createXMLReader(); XMLReader xr = XMLReaderFactory.createXMLReader();
xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
xr.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
xr.setFeature("http://xml.org/sax/features/external-general-entities", false);
xr.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
xr.setContentHandler(this); xr.setContentHandler(this);
xr.setErrorHandler(this); xr.setErrorHandler(this);
xr.setDTDHandler(null); xr.setDTDHandler(null);
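Review bot: The four `setFeature` calls added after `createXMLReader()` carry no comment saying why they are there, and since the commit touches only one file, no test appears to pin the behaviour. I would add `// XXE hardening: reject any DOCTYPE; the three entity/DTD features below are defense in depth` above them, plus a test asserting that `loadEdits()` fails on an edits file that contains a DOCTYPE declaration. The two `http://apache.org/xml/features/...` identifiers are Xerces-specific, so with a different SAX driver `setFeature` would presumably throw `SAXNotRecognizedException`; that is the safe outcome only if the catch blocks, which lie outside this hunk along with the rest of `loadEdits`, turn it into a failure rather than continuing to parse.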