Hi, Johan,

let's distinguish between two different questions:

- Whether there is a security issue. If so, this is of course of
general interest and ought to be fixed immediately.

I can imagine that you include an external entity into the client's
message. I can also imagine that this adds a local file's contents to
the request. However, I have difficulty understanding why this
should become a part of the response. Is this specific to your
application?

- Whether and how you'd like to access the SAX parser.

Give me a few days to think about this.


Jochen

On Wed, Feb 3, 2010 at 11:23 AM, Johan Hägre <johan.ha...@home.se> wrote:
> I should of course attach the patch as well, sorry.
>
> This is the first time I'm submitting a patch, so I'm hoping this is the
> right way to do it.
>
> In our use of XML-RPC we have discovered a security issue regarding the use
> of external entities in XML. By creating a custom XML message and sending it
> to the XML-RPC handling service it is possible to get the contents of files
> stored on the server's file system as part of the response. The way we would
> like to solve this is to set the features
> http://xml.org/sax/features/external-general-entities and
> http://xml.org/sax/features/external-parameter-entities to false for the SAX
> parser. However we have not been able to find a way to set this since we
> can't get hold of the parser object. The solution we propose is to add a way
> to set features in the org.apache.xmlrpc.util.SAXParsers class. The features
> set here will be used for all XMLReaders created through subsequent calls to
> SAXParsers.newXMLReader(). This modification will not affect any existing
> application since if the setFeature() method in the SAXParsers class isn't
> used nothing will happen. The patch file (created using svn diff) is
> attached to this post.
>
>
> Best regards
> Johan Hägre
>
>
>
>
> Index: SAXParsers.java
> ===================================================================
> --- SAXParsers.java     (revision 905923)
> +++ SAXParsers.java     (arbetskopia)
> @@ -23,6 +23,8 @@
>
>  import org.apache.xmlrpc.XmlRpcException;
>  import org.xml.sax.SAXException;
> +import org.xml.sax.SAXNotRecognizedException;
> +import org.xml.sax.SAXNotSupportedException;
>  import org.xml.sax.XMLReader;
>
>
> @@ -36,6 +38,14 @@
>                spf.setValidating(false);
>        }
>
> +       public static void setFeature(String pName, boolean pValue) throws
> SAXNotRecognizedException, SAXNotSupportedException,
> ParserConfigurationException {
> +               spf.setFeature(pName, pValue);
> +       }
> +
> +       public static boolean getFeature(String pName) throws
> SAXNotRecognizedException, SAXNotSupportedException,
> ParserConfigurationException {
> +               return spf.getFeature(pName);
> +       }
> +
>        /** Creates a new instance of {...@link XMLReader}.
>         */
>        public static XMLReader newXMLReader() throws XmlRpcException {
>
>
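Review bot: setFeature() and getFeature() mutate the shared static spf, so a feature set by one caller changes every XMLReader created afterwards in the whole JVM, and SAXParserFactory gives no thread-safety guarantee for a setFeature() racing a concurrent newSAXParser() in newXMLReader(); since the cover note says nothing happens unless setFeature() is called, the safe behaviour is opt-in and the default stays as it was. Consider setting http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities to false in the static initializer right after `spf.setValidating(false);` (catching the SAX exceptions there) and keeping setFeature() only for callers that need to override that default. Also, both throws clauses name ParserConfigurationException, which the import hunk does not add, so confirm it is already imported above the visible context, and the two new public methods lack the Javadoc that newXMLReader() carries.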

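As an added illustration (not code from this thread or from Apache XML-RPC), the standalone Java program below shows the effect of the two SAX features Johan names: the same document, carrying an external entity that points at a file the program creates itself, is parsed once with the factory defaults and once with both features set to false. The class, method and file names are my own.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.file.Files;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class SaxEntityCheck {
    // The two SAX feature URIs from the thread; both are set to false to disable external entities.
    static final String GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Parses pXml and returns the character data the parser delivered to the content handler.
    static String parse(String pXml, boolean pHardened) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance(); // same setup as SAXParsers
        spf.setNamespaceAware(true);
        spf.setValidating(false);
        if (pHardened) {
            spf.setFeature(GENERAL, false);   // external general entities are skipped
            spf.setFeature(PARAMETER, false); // external parameter entities (in the DTD) too
        }
        XMLReader reader = spf.newSAXParser().getXMLReader();
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        reader.parse(new InputSource(new StringReader(pXml)));
        return text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file created here stands in for the local file in the report.
        File local = File.createTempFile("sax-entity-check", ".txt");
        local.deleteOnExit();
        Files.write(local.toPath(), "SAMPLE-CONTENT".getBytes("UTF-8"));
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE methodCall [<!ENTITY ext SYSTEM \"" + local.toURI() + "\">]>\n"
            + "<methodCall><methodName>&ext;</methodName></methodCall>";
        // Default factory: the entity is resolved and the file content reaches the handler.
        System.out.println("default : '" + parse(xml, false) + "'");
        // Hardened factory: the reference is reported via skippedEntity(), no characters arrive.
        System.out.println("hardened: '" + parse(xml, true) + "'");
    }
}
```

The hardened run leaves the methodName empty, which is the behaviour the patch is after; a server would still want to reject the unexpected empty method name rather than silently accept it.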


-- 
Germany's national anthem is the most boring in the world - how telling!
