mirror of
https://github.com/vanitasvitae/Smack.git
synced 2024-12-30 14:37:59 +01:00
[xmlparser-stax] Disable external entities and DTD
Before that, the StAX parser used by Smack for XML parsing had only external entity replacement disabled. We further harden the parser by disabling DTDs. See also: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser
This commit is contained in:
parent
6d39a4e3ac
commit
c1b412c457
1 changed files with 4 additions and 1 deletions
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* Copyright 2019 Florian Schmaus
|
* Copyright 2020-2020 Florian Schmaus
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
|
@ -34,7 +34,10 @@ public class StaxXmlPullParserFactory implements XmlPullParserFactory {
|
||||||
// getText().
|
// getText().
|
||||||
xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
|
xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
|
||||||
// Internal and external entity references are prohibited in XMPP (RFC 6120 § 11.1).
|
// Internal and external entity references are prohibited in XMPP (RFC 6120 § 11.1).
|
||||||
|
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
||||||
xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
|
xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
|
||||||
|
// We don't need to support DTDs in XMPP.
|
||||||
|
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
|
Loading…
Reference in a new issue