
Oswaldo Hernandez committed a48c6e7

Validate workflow descriptors through the SecureDTDEntityResolver, which will not resolve external references to unknown xml entities when loading a workflow descriptor definition.

  • Parent commits 92f43e6


Files changed (1)

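--- a/src/java/com/opensymphony/workflow/loader/WorkflowDescriptor.java
+++ b/src/java/com/opensymphony/workflow/loader/WorkflowDescriptor.java
 
 import com.opensymphony.workflow.InvalidWorkflowDescriptorException;
 import com.opensymphony.workflow.util.Validatable;
-
-import org.w3c.dom.*;
-
-import org.xml.sax.*;
-
-import java.io.*;
-
-import java.util.*;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import java.io.PrintWriter;
+import java.io.StringReader;
+import java.io.StringWriter;
+import java.util.*;
 
 
 /**
     }
 
     private void validateDTD() throws InvalidWorkflowDescriptorException {
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
         dbf.setNamespaceAware(true);
         dbf.setValidating(true);
 
 
         try {
             DocumentBuilder db = dbf.newDocumentBuilder();
-            db.setEntityResolver(new DTDEntityResolver());
+            db.setEntityResolver(new SecureDTDEntityResolver());
 
             db.setErrorHandler(errorHandler);
             db.parse(new InputSource(new StringReader(sw.toString())));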
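Review bot: In validateDTD the protection now rests entirely on `SecureDTDEntityResolver`, whose body is not part of this diff, while the `DocumentBuilderFactory` itself is left at its defaults. Two things are worth confirming: that the resolver returns an empty `InputSource` (or throws) for unknown identifiers rather than `null`, since a `null` return tells the parser to fall back to opening the system identifier itself; and that internal entity expansion is bounded, which a resolver never sees. Inside the `try`, before `newDocumentBuilder()`, I would add `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);` (this needs `import javax.xml.XMLConstants;`), leaving external parameter entities alone because validation still has to load the DTD through the resolver. The method's `try` block continues past the end of the hunk, so its catch clauses are not visible here.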