Because OData4j is responsible for parsing the Atom feed,
StaxXMLFactoryProvider2 simply creates XMLInputFactories without any options,
and thus performs external entity resolution by default. This is not
optimal for a secured environment. So below is a recommended fix for resolving
this issue.
org.odata4j.stax2.staximpl.StaxXMLFactoryProvider2.diff
64c64,73
< return new StaxXMLInputFactory2(XMLInputFactory.newInstance());
---
> XMLInputFactory factory = XMLInputFactory.newInstance();
> factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES,
Boolean.FALSE);
> factory.setXMLResolver(new XMLResolver() {
> @Override
> public Object resolveEntity(String arg0, String arg1, String arg2,
> String arg3) throws XMLStreamException {
> throw new XMLStreamException("Reading external entities is disabled");
> }
> });
> return new StaxXMLInputFactory2(factory);
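Review bot: the replacement block in 64c64,73 still leaves DTD processing switched on, so it only closes the part of the problem that goes through the resolver. `IS_REPLACING_ENTITY_REFERENCES` set to FALSE stops entity references in content from being expanded, and the throwing `XMLResolver` stops the parser from fetching anything it does try to resolve, but the DOCTYPE itself (including an external subset and parameter entities) is still parsed. Add, before the `setXMLResolver(...)` call, `factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);` and `factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);` so that a feed carrying a DOCTYPE is rejected outright rather than partially processed, and keep the resolver as a second line of defence. A short comment above the block explaining that this deliberately refuses any Atom document with a DOCTYPE would also help the next maintainer, since the thrown "Reading external entities is disabled" message will otherwise look like a parser bug when a feed with a SYSTEM identifier is fed in.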
What version of the product are you using? On what operating system?
0.8.0-SNAPSHOT on linux
Original issue reported on code.google.com by thehalbe...@gmail.com on 28 Aug 2014 at 6:25
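As an added example (not code from the issue report or from odata4j itself): the option-less factory the report describes beside a hardened one, and a check that feeds both a constructed Atom document whose DOCTYPE declares an external entity pointing at a temporary file. The class name, the `hardenedFactory` configuration and the temporary secret file are assumptions made for the demonstration; the StAX properties used are the standard `javax.xml.stream` ones.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical demo class, not part of odata4j.
public class StaxXxeCheck {

    // The situation the issue describes: a factory created with no options,
    // which resolves and expands external entities by default.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Assumed hardened configuration: refuse DTDs entirely, refuse external
    // entities, do not expand entity references, and fail loudly if the
    // parser ever asks to resolve something anyway.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        factory.setXMLResolver(new XMLResolver() {
            @Override
            public Object resolveEntity(String publicId, String systemId,
                                        String baseUri, String namespace)
                    throws XMLStreamException {
                throw new XMLStreamException("Reading external entities is disabled");
            }
        });
        return factory;
    }

    // Collect only CHARACTERS events, i.e. what an Atom parser would read as
    // the text of <title>. ENTITY_REFERENCE events (reported when replacement
    // is disabled) are deliberately ignored.
    static String textContent(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    // True if the contents of the external file ended up in the parsed text.
    // A parser that rejects the document is treated as "not leaked".
    static boolean leaksSecret(XMLInputFactory factory, String xml, String secret) {
        try {
            return textContent(factory, xml).contains(secret);
        } catch (XMLStreamException rejected) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a temporary file standing in for /etc/passwd or
        // a credentials file on the server that parses the feed.
        Path secretFile = Files.createTempFile("xxe-demo", ".txt");
        String secret = "SECRET-" + System.nanoTime();
        Files.write(secretFile, secret.getBytes(StandardCharsets.UTF_8));

        String feed = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE feed [ <!ENTITY ext SYSTEM \"" + secretFile.toUri() + "\"> ]>\n"
                + "<feed xmlns=\"http://www.w3.org/2005/Atom\"><title>&ext;</title></feed>";

        try {
            System.out.println("default factory leaks file: "
                    + leaksSecret(defaultFactory(), feed, secret));
            System.out.println("hardened factory leaks file: "
                    + leaksSecret(hardenedFactory(), feed, secret));
        } finally {
            Files.deleteIfExists(secretFile);
        }
    }
}
```

With the JDK's built-in StAX implementation the first line prints `true` and the second `false`; the hardened factory either reports the reference as an unexpanded entity or rejects the DOCTYPE, and in neither case does the file content reach the character data. `SUPPORT_DTD` is the decisive setting, since it removes the DOCTYPE (and any parameter entities in it) before the resolver is ever consulted; the resolver is kept only as a guard against an implementation that ignores the property.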