kink80 / odata4j

Automatically exported from code.google.com/p/odata4j
0 stars 0 forks source link

Guard against external entity resolving #282

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Because OData4j is responsible for parsing the Atom feed, 
StaxXMLFactoryProvider2 simply creates XMLInputFactories without any options, 
thus will perform external entity resolving by default.  And this is not 
optimal for a secured environment.  So below is a recommended fix for resolving 
this issue.

org.odata4j.stax2.staximpl.StaxXMLFactoryProvider2.diff

64c64,73
<     return new StaxXMLInputFactory2(XMLInputFactory.newInstance());

---
>     XMLInputFactory factory = XMLInputFactory.newInstance();
>     factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, 
Boolean.FALSE);
>     factory.setXMLResolver(new XMLResolver() {
>       @Override
>       public Object resolveEntity(String arg0, String arg1, String arg2,
>         String arg3) throws XMLStreamException {
>         throw new XMLStreamException("Reading external entities is disabled");
>       }
>     });
>     return new StaxXMLInputFactory2(factory);

What version of the product are you using? On what operating system?

0.8.0-SNAPSHOT on linux

Original issue reported on code.google.com by thehalbe...@gmail.com on 28 Aug 2014 at 6:25