HDFS-16410. Insecure Xml parsing in OfflineEditsXmlLoader (#3854)

Contributed by Ashutosh Gupta
2022-01-05 21:21:14 +05:30 · 2022-01-05 21:21:14 +05:30 · 6b83fe4a00
parent 3a82899493
commit 6b83fe4a00
1 changed files with 4 additions and 0 deletions
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java
@ -86,6 +86,10 @@ class OfflineEditsXmlLoader
  public void loadEdits() throws IOException {
    try {
      XMLReader xr = XMLReaderFactory.createXMLReader();
+      xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+      xr.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+      xr.setFeature("http://xml.org/sax/features/external-general-entities", false);
+      xr.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      xr.setContentHandler(this);
      xr.setErrorHandler(this);
      xr.setDTDHandler(null);