GluuFederation / oxTrust

Gluu Server UI for managing authentication, authorization and users.
https://gluu.org/docs/ce
MIT License

Protect methods which parse XML documents #363

Closed yurem closed 7 years ago

yurem commented 8 years ago

We fixed a similar issue in oxSaml/oxService: https://github.com/GluuFederation/oxCore/issues/7

In oxTrust we also have XML parsing in Saml and in SCIM. We need to:

1) Use XmlService.getXmlDocument() instead of DocumentBuilderFactory.newInstance().newDocumentBuilder().parse... XmlService.getXmlDocument() contains the XXE fix.
2) Check that all places still work fine after applying this replacement.
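The contrast behind this issue, as an added example rather than code from oxTrust or oxCore: the first helper is the pattern the comment asks to remove (a default `DocumentBuilderFactory`, which resolves external entities), the second is what an XXE-safe replacement needs to configure. The `hardenedFactory()` and `parseSafe()` names are hypothetical and are not the internals of `XmlService.getXmlDocument()`; the SAML-shaped document with its `DOCTYPE` is constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeDemo {

    // Constructed sample input: a SAML-looking Response whose DOCTYPE declares an
    // external entity. A parser with default settings resolves &xxe; and reads the file.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE Response [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<Response><Issuer>&xxe;</Issuer></Response>";

    // The pattern the issue wants replaced: default factory, no hardening.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilder db = DocumentBuilderFactory.newInstance().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hypothetical hardened factory: what an XXE-safe getXmlDocument() helper must set.
    // Not copied from oxCore's XmlService.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright, so no inline or external entity can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a different parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    static Document parseSafe(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        try {
            Document d = parseUnsafe(PAYLOAD);
            String issuer = d.getElementsByTagName("Issuer").item(0).getTextContent();
            System.out.println("unsafe parser resolved &xxe; into " + issuer.length() + " chars of file content");
        } catch (IOException e) {
            // The parser still tried to fetch the external resource; it just was not there.
            System.out.println("unsafe parser attempted to read the external entity: " + e.getMessage());
        }
        try {
            parseSafe(PAYLOAD);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any entity is declared or resolved.
            System.out.println("hardened parser rejected it: " + e.getMessage());
        }
    }
}
```

Step 2 of the comment matters because of the first feature: a hardened factory rejects every document that carries a `DOCTYPE`, so any legitimate SAML or SCIM input that happens to include one will start failing after the swap and has to be found by testing, not assumed to work.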

yurem commented 7 years ago

Fixed