Oswaldo Hernandez committed 4e9032b

Enable secure processing feature in the xml parser when validating workflow descriptors. This will place limits so xml entities are not expanded recursively and exhaust memory.

Files changed (1)

src/java/com/opensymphony/workflow/loader/WorkflowDescriptor.java

 import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import java.io.PrintWriter;
 
         try {
             DocumentBuilder db = dbf.newDocumentBuilder();
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             db.setEntityResolver(new SecureDTDEntityResolver());
 
             db.setErrorHandler(errorHandler);
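Review bot: the `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` call is placed one line after `DocumentBuilder db = dbf.newDocumentBuilder();`, so the factory is configured only after the builder that actually parses the descriptor has already been created; `db` is unaffected and the entity-expansion limits this commit is meant to introduce never take effect. Move the `setFeature` line above the `newDocumentBuilder()` call, since a builder captures the factory's settings at creation time. No new catch is needed: `setFeature` throws `ParserConfigurationException`, which the surrounding try already has to handle for `newDocumentBuilder()`. Note also that secure processing caps expansion counts and similar limits but does not by itself stop external entity resolution, so the existing `SecureDTDEntityResolver` line below it should stay in place.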