Oswaldo Hernandez [Atlassian] Bugmaster committed 4e9032b

Enable secure processing feature in the xml parser when validating workflow descriptors. This will place limits so xml entities are not expanded recursively and exhaust memory.

  • Parent commits a48c6e7
  • Branches default

Files changed (1)

File src/java/com/opensymphony/workflow/loader/

 import org.w3c.dom.NodeList;
 import org.xml.sax.InputSource;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
         try {
             DocumentBuilder db = dbf.newDocumentBuilder();
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             db.setEntityResolver(new SecureDTDEntityResolver());
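
Review bot: dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true) is called on the line after dbf.newDocumentBuilder(), so the db instance used for validation was already created from the factory before the feature was set. A DocumentBuilderFactory applies its features only to builders it creates afterwards, which means the entity-expansion limits described in the commit message do not reach this db. Move the setFeature call above the newDocumentBuilder() line. setFeature can also throw ParserConfigurationException; the catch clause is not visible in this hunk, so please confirm that a parser which does not support the feature causes validation to fail instead of continuing without the limits.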