This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch karaf-4.2.x
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/karaf-4.2.x by this push:
new 78a665c [KARAF-6923] Avoid XML entity injection in several locations
78a665c is described below
commit 78a665c5b51e4c254daa969779a349103bed421b
Author: jbonofre <[email protected]>
AuthorDate: Wed Nov 25 14:04:39 2020 +0100
[KARAF-6923] Avoid XML entity injection in several locations
(cherry picked from commit b2d5a9993f71bbaeafa980dfb86bf431910715f4)
---
.../org/apache/karaf/bundle/core/internal/MavenConfigService.java | 5 ++++-
.../apache/karaf/deployer/features/FeatureDeploymentListener.java | 2 ++
.../org/apache/karaf/deployer/spring/SpringDeploymentListener.java | 2 ++
.../features/internal/service/FeaturesProcessingSerializer.java | 5 ++++-
.../src/main/java/org/apache/karaf/tooling/AssemblyMojo.java | 2 ++
5 files changed, 14 insertions(+), 2 deletions(-)
diff --git
a/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
b/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
index 4ff09bc..112d629 100644
---
a/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
+++
b/bundle/core/src/main/java/org/apache/karaf/bundle/core/internal/MavenConfigService.java
@@ -86,7 +86,10 @@ public class MavenConfigService {
private static String getLocalRepositoryFromSettings(File file) {
XMLStreamReader reader = null;
try (InputStream fin = new FileInputStream(file)) {
- reader =
XMLInputFactory.newFactory().createXMLStreamReader(fin);
+ XMLInputFactory factory = XMLInputFactory.newFactory();
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ reader = factory.createXMLStreamReader(fin);
int event;
String elementName = null;
while ((event = reader.next()) !=
XMLStreamConstants.END_DOCUMENT) {
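Review bot: The two `setProperty` lines added here are pasted verbatim at five StAX call sites in this commit, so the next `XMLInputFactory.newFactory()` written elsewhere in Karaf is likely to lack them; a small shared helper (for example a static `newSecureXmlInputFactory()` that returns a factory with `SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` already set to false) would make the hardening the default rather than a per-site reminder. The new lines in `getLocalRepositoryFromSettings` would then collapse to `reader = newSecureXmlInputFactory().createXMLStreamReader(fin);`. A why-comment on the `SUPPORT_DTD` line is also worth adding, because the observable effect depends on the provider: `// KARAF-6923: disable DTDs and external entities (XXE); a settings.xml carrying a DOCTYPE may now be rejected by the StAX implementation`. Whether a DOCTYPE is rejected with an `XMLStreamException` or merely not processed depends on which StAX provider `newFactory()` resolves to, which the hunk does not show, so the catch handling below (outside the hunk) should be checked for that case.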
diff --git
a/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java
b/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java
index 58bfc2b..61e26b5 100644
---
a/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java
+++
b/deployer/features/src/main/java/org/apache/karaf/deployer/features/FeatureDeploymentListener.java
@@ -258,6 +258,8 @@ public class FeatureDeploymentListener implements
ArtifactUrlTransformer, Bundle
private QName getRootElementName(File artifact) throws Exception {
if (xif == null) {
xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
false);
xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
}
try (InputStream is = new FileInputStream(artifact)) {
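Review bot: The hardening properties are applied to `xif` only after the field has already been assigned on the preceding line, so a second caller racing through `getRootElementName` could observe a non-null `xif` and create a reader from a factory that still accepts DTDs and external entities; configuring a local and assigning the field last narrows that window at no cost. This only matters if the listener is driven from more than one thread, which the hunk does not show (the method is not `synchronized`), and the same pre-existing gap already applied to `IS_NAMESPACE_AWARE`. The `try` block that opens on the last line of the hunk continues past it.
```java
if (xif == null) {
    XMLInputFactory configured = XMLInputFactory.newFactory();
    // KARAF-6923: reject DTDs and external entities (XXE) before the factory is published
    configured.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    configured.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    configured.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
    xif = configured;
}
// … unchanged: try-with-resources over the artifact …
```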
diff --git
a/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java
b/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java
index d49ba74..0953f66 100644
---
a/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java
+++
b/deployer/spring/src/main/java/org/apache/karaf/deployer/spring/SpringDeploymentListener.java
@@ -71,6 +71,8 @@ public class SpringDeploymentListener implements
ArtifactUrlTransformer {
try {
if (factory == null) {
factory = XMLInputFactory.newInstance();
+
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
}
in = new FileInputStream(artifact);
parser = factory.createXMLEventReader(in);
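Review bot: The `factory` field is assigned on the line before the two new `setProperty` calls, so between that assignment and the calls another invocation could pass the `factory == null` check and build its `XMLEventReader` from a not-yet-hardened factory; building into a local and publishing it once configured removes that ordering dependency. Whether concurrent calls actually happen is not visible here (the enclosing method's signature is outside the hunk and no synchronisation is shown), so treat this as cheap insurance rather than a confirmed defect. The `XMLInputFactory.newInstance()` spelling differs from the `newFactory()` used at the other four sites in this commit; either works, but a single helper would make the choice and the hardening uniform.
```java
if (factory == null) {
    XMLInputFactory configured = XMLInputFactory.newInstance();
    // KARAF-6923: no external entities, no DTDs (XXE) — set before the field is published
    configured.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    configured.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    factory = configured;
}
// … unchanged: open artifact and create the event reader …
```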
diff --git
a/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java
b/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java
index 6277a75..432ef24 100644
---
a/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java
+++
b/features/core/src/main/java/org/apache/karaf/features/internal/service/FeaturesProcessingSerializer.java
@@ -161,7 +161,10 @@ public class FeaturesProcessingSerializer {
Properties props = new Properties();
props.load(getClass().getResourceAsStream("feature-processing-comments.properties"));
- XMLEventReader xmlEventReader =
XMLInputFactory.newFactory().createXMLEventReader(new
ByteArrayInputStream(baos.toByteArray()));
+ XMLInputFactory factory = XMLInputFactory.newFactory();
+ factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ XMLEventReader xmlEventReader = factory.createXMLEventReader(new
ByteArrayInputStream(baos.toByteArray()));
XMLEventWriter xmlEventWriter = new
IndentingXMLEventWriter(XMLOutputFactory.newFactory().createXMLEventWriter(writer),
" ");
XMLEventFactory evFactory = XMLEventFactory.newFactory();
int depth = 0;
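Review bot: The reader hardened here parses `baos.toByteArray()`, a buffer that appears to be filled earlier in this method by the serializer itself (outside the hunk), so unlike the other sites in this commit these properties are defence in depth rather than the closing of an external input path; a comment saying so would stop a later maintainer from either dropping them as redundant or assuming this method is safe to point at user-supplied XML. Suggested on the `SUPPORT_DTD` line: `// Defence in depth (KARAF-6923): baos is our own output, but keep DTDs/external entities off in case this reader is ever fed external XML`. The `XMLOutputFactory` writer created on the following lines needs no equivalent change, since it only emits events. The enclosing method starts before this hunk and continues past it.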
diff --git
a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java
b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java
index 69a1bcb..e5e5723 100644
---
a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java
+++
b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/AssemblyMojo.java
@@ -823,6 +823,8 @@ public class AssemblyMojo extends MojoSupport {
try (InputStream is = new FileInputStream(artifact.getFile())) {
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
XMLStreamReader r = xif.createXMLStreamReader(is);
r.nextTag();
QName name = r.getName();
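Review bot: Nothing in this commit exercises the new behaviour — no test feeds a feature file whose `<!DOCTYPE>` declares an external entity through this `AssemblyMojo` path (or any of the other four call sites) and asserts that the entity is never resolved — so a later change of the StAX provider resolved by `XMLInputFactory.newFactory()` could reinstate entity expansion unnoticed. A unit test that writes a small XML file containing `<!ENTITY xxe SYSTEM "file:///nonexistent">` into a temp directory and asserts either the resulting `XMLStreamException` or an unexpanded document would pin the fix. A one-line why-comment on the `SUPPORT_DTD` line, `// KARAF-6923: reject DTDs/external entities in artifact XML (XXE)`, would also help the next reader. The try-with-resources block opened at the top of the hunk continues past its last line.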