From c1b412c4579f4c9b1a12a49bc0d07d1d8ad7adea Mon Sep 17 00:00:00 2001
From: Florian Schmaus
Date: Mon, 5 Oct 2020 08:52:51 +0200
Subject: [PATCH] [xmlparser-stax] Disable external entities and DTD

Before that, the StAX parser used by Smack for XML parsing had only external entity replacement disabled. We further harden the parser by disabling DTDs.

See also: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser
---
 .../smack/xml/stax/StaxXmlPullParserFactory.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/smack-xmlparser-stax/src/main/java/org/jivesoftware/smack/xml/stax/StaxXmlPullParserFactory.java b/smack-xmlparser-stax/src/main/java/org/jivesoftware/smack/xml/stax/StaxXmlPullParserFactory.java
index 6b442c5bb..7055d20de 100644
--- a/smack-xmlparser-stax/src/main/java/org/jivesoftware/smack/xml/stax/StaxXmlPullParserFactory.java
+++ b/smack-xmlparser-stax/src/main/java/org/jivesoftware/smack/xml/stax/StaxXmlPullParserFactory.java
@@ -1,6 +1,6 @@
 /**
  *
- * Copyright 2019 Florian Schmaus
+ * Copyright 2020-2020 Florian Schmaus
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,7 +34,10 @@ public class StaxXmlPullParserFactory implements XmlPullParserFactory {
 // getText().
 xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
 // Internal and external entity references are prohibited in XMPP (RFC 6120 ยง 11.1).
+xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
 xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
+// We don't need to support DTDs in XMPP.
+xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
 }

 @Override
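Review bot: The comment added above the new `SUPPORT_DTD` line states only a convenience reason ("we don't need"), whereas the line it sits next to cites the protocol rule (RFC 6120 § 11.1), so the security intent that the commit message spells out — closing the XXE / entity-expansion surface per the OWASP cheat sheet — is lost once the code is read on its own. I would replace it with `// DTDs (internal and external subsets) are likewise prohibited in XMPP (RFC 6120 § 11.1); disabling them also removes the XXE / entity-expansion attack surface (see OWASP XXE Prevention Cheat Sheet, StAX section).` Worth adding to the same comment that with DTD support off a `<!DOCTYPE>` in the stream is presumably rejected by the parser with an `XMLStreamException` rather than skipped, which is the fail-closed behaviour wanted here but means the caller should map that failure to a restricted-xml stream error rather than treat it as a transient parse problem. The method these `setProperty` calls belong to begins before the hunk; only its closing brace is visible.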