
Oswaldo Hernandez committed 9eb05f4

Prevent the billion laughs attack by enabling the secure-processing feature in the XML parser. This places limits so XML entities are not expanded recursively and do not exhaust memory.

  • Parent commits e195b5c


Files changed (1)

src/java/com/opensymphony/workflow/loader/WorkflowLoader.java

 package com.opensymphony.workflow.loader;
 
 import com.opensymphony.workflow.InvalidWorkflowDescriptorException;
-
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
-
 import org.xml.sax.ErrorHandler;
 import org.xml.sax.SAXException;
 import org.xml.sax.SAXParseException;
 
-import java.io.IOException;
-import java.io.InputStream;
-
-import java.net.URL;
-
-import java.util.ArrayList;
-import java.util.List;
-
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
 
 
 /**
         DocumentBuilder db;
 
         try {
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             db = dbf.newDocumentBuilder();
             db.setEntityResolver(new SecureDTDEntityResolver());
         } catch (ParserConfigurationException e) {
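Review bot: FEATURE_SECURE_PROCESSING on the added line only caps how many entity expansions the parser performs; it does not stop a DOCTYPE from declaring external general or parameter entities, which are still resolved (via SecureDTDEntityResolver, whose behaviour is not visible here). If workflow descriptors can come from outside the application, pair it inside the same try block with `dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`, and consider `dbf.setExpandEntityReferences(false);`; disallowing DOCTYPE altogether is presumably not an option since the descriptors appear to rely on a DTD. The enclosing method and the line that creates dbf lie outside the hunk, so it is not visible whether dbf is shared or configured elsewhere.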