This is an automated email from the ASF dual-hosted git repository.
dhavalshah9131 pushed a commit to branch ranger-2.8
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/ranger-2.8 by this push:
new 2c3e3be6c RANGER-5477:XML External Entity Injection Security issue in
Ranger (#852)
2c3e3be6c is described below
commit 2c3e3be6cb70088e2d7b1a05aa7afbe4d2ec7f68
Author: Bhaavesh Amol Amre <[email protected]>
AuthorDate: Mon Feb 16 10:48:44 2026 +0530
RANGER-5477:XML External Entity Injection Security issue in Ranger (#852)
---
.../src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java | 2 ++
1 file changed, 2 insertions(+)
diff --git
a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
index 270e52181..4514a5963 100644
---
a/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
+++
b/agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
@@ -263,6 +263,8 @@ else if ("var".equals(actionType)) {
}
TransformerFactory tfactory =
TransformerFactory.newInstance();
+ tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD,
"");
+
tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
Transformer transformer = tfactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
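Review bot: The two added `tfactory.setAttribute(...)` calls are unguarded, and `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the resolved implementation does not recognise the property. If `TransformerFactory.newInstance()` picks up a non-JDK implementation from the classpath, the installer would abort here with an unhelpful stack trace. Make that failure explicit, for example by catching the exception and rethrowing with a message that names `tfactory.getClass()`, and add a comment such as `// "" = no protocols allowed: blocks external DTD / stylesheet resolution (XXE)`, because the empty-string argument is not self-explanatory. The hunk hardens only the transformer and the parser that loads the input XML is not visible here, so it is worth confirming that it also rejects DOCTYPE declarations or external entities. The enclosing method starts and ends outside this hunk.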