I should of course attach the patch as well, sorry.

This is the first time I'm submitting a patch, so I'm hoping this is the right way to do it.

In our use of XML-RPC we have discovered a security issue regarding the use of external entities in XML. By creating a custom XML message and sending it to the XML-RPC handling service it is possible to get the contents of files stored on the server's file system as part of the response. The way we would like to solve this is to set the features http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false for the SAX parser. However, we have not been able to find a way to set this, since we can't get hold of the parser object. The solution we propose is to add a way to set features in the org.apache.xmlrpc.util.SAXParsers class. The features set here will be used for all XMLReaders created through subsequent calls to SAXParsers.newXMLReader(). This modification will not affect any existing application, since if the setFeature() method in the SAXParsers class isn't used, nothing will happen. The patch file (created using svn diff) is attached to this post.


Best regards
Johan Hägre



Index: SAXParsers.java
===================================================================
--- SAXParsers.java     (revision 905923)
+++ SAXParsers.java     (arbetskopia)
@@ -23,6 +23,8 @@
 
 import org.apache.xmlrpc.XmlRpcException;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 
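Review bot: the throws clauses added in the next hunk name ParserConfigurationException, but this hunk imports only SAXNotRecognizedException and SAXNotSupportedException; confirm that javax.xml.parsers.ParserConfigurationException is already imported in this file (the existing SAXParserFactory setup presumably catches it) or add the import here so the patch compiles as submitted.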
@@ -36,6 +38,14 @@
                spf.setValidating(false);
        }
 
+       public static void setFeature(String pName, boolean pValue) throws 
SAXNotRecognizedException, SAXNotSupportedException, 
ParserConfigurationException {
+               spf.setFeature(pName, pValue);
+       }
+       
+       public static boolean getFeature(String pName) throws 
SAXNotRecognizedException, SAXNotSupportedException, 
ParserConfigurationException {
+               return spf.getFeature(pName);
+       }
+       
        /** Creates a new instance of {...@link XMLReader}.
         */
        public static XMLReader newXMLReader() throws XmlRpcException {
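Review bot: setFeature() only makes the safe configuration opt-in, while the issue described in the post is that every deployment resolves external entities by default; the static initializer that already calls spf.setValidating(false) should also set http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false, with the new setFeature() kept for callers that need to override that default. Two smaller points: both new public methods lack the Javadoc that the surrounding code gives newXMLReader(), and because spf is a shared static factory, a setFeature() call is process-wide and affects only XMLReaders created after it, which the Javadoc should say. The line breaks inside the two method signatures look like mail-client wrapping rather than part of the patch.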

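The attack and the fix described in the post, as an added example that is not part of the original message or of Apache XML-RPC's own code. It builds a constructed XML-RPC methodCall whose DOCTYPE declares an external general entity pointing at a temporary file (a stand-in for a file on the server), then parses it twice through a SAXParserFactory configured like the visible SAXParsers initializer (setValidating(false); setNamespaceAware(true) is assumed): once with default features and once with the two external-entity features set to false. The class and method names (XxeDemo, newReader, parseStringValues, StringValueCollector) are assumptions for this example only; the handler is a minimal stand-in, not XML-RPC's real one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // The two SAX features the post proposes to set to false.
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    /** Minimal stand-in handler (assumption): collects <string> text and any entities the parser skipped. */
    static final class StringValueCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        final List<String> skipped = new ArrayList<>();
        private boolean inString;

        @Override public void startElement(String uri, String local, String qName, Attributes atts) {
            if ("string".equals(qName)) inString = true;
        }
        @Override public void endElement(String uri, String local, String qName) {
            if ("string".equals(qName)) inString = false;
        }
        @Override public void characters(char[] ch, int start, int len) {
            if (inString) text.append(ch, start, len);
        }
        // Called instead of characters() when the parser refuses to expand an external entity.
        @Override public void skippedEntity(String name) {
            skipped.add(name);
        }
    }

    /** Builds a reader the way SAXParsers.newXMLReader() does; 'hardened' adds the proposed features. */
    static XMLReader newReader(boolean hardened) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);   // assumed to match the project's initializer
        spf.setValidating(false);      // visible in the patch context
        if (hardened) {
            spf.setFeature(EXT_GENERAL, false);
            spf.setFeature(EXT_PARAMETER, false);
        }
        return spf.newSAXParser().getXMLReader();
    }

    /** Parses the message and returns what a <string> value would carry back in the response. */
    static StringValueCollector parse(String xml, boolean hardened) throws Exception {
        XMLReader reader = newReader(hardened);
        StringValueCollector handler = new StringValueCollector();
        reader.setContentHandler(handler);
        reader.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))));
        return handler;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive server-side file; an attacker would name e.g. /etc/passwd.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed malicious methodCall: the DOCTYPE declares an external general entity whose
        // replacement text is the file, and the <string> parameter references that entity.
        String attack = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE methodCall [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<methodCall><methodName>echo</methodName>"
            + "<params><param><value><string>&xxe;</string></value></param></params></methodCall>";

        StringValueCollector open = parse(attack, false);
        StringValueCollector hard = parse(attack, true);
        System.out.println("default  parser: text=\"" + open.text + "\" skipped=" + open.skipped);
        System.out.println("hardened parser: text=\"" + hard.text + "\" skipped=" + hard.skipped);
    }
}
```

With the JDK's bundled Xerces the default run prints the file contents as the string value, which is exactly what an echo-style XML-RPC method would send back to the caller; the hardened run prints an empty string and reports xxe under skipped, because the parser no longer fetches the SYSTEM identifier. Setting both features matters: parameter entities can be used to smuggle the file contents into a further external reference, so disabling only general entities leaves a gap. Where the deployed parser is Xerces, the stricter option is to reject any DOCTYPE outright with the Xerces-specific feature http://apache.org/xml/features/disallow-doctype-decl, since XML-RPC messages never legitimately need one.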