diff options
| author | Matthias Sohn <matthias.sohn@sap.com> | 2025-05-14 10:19:15 +0200 |
|---|---|---|
| committer | Matthias Sohn <matthias.sohn@sap.com> | 2025-05-22 13:55:56 +0200 |
| commit | 3e0eedc57c056f57ccd0ec864f96837aa0ae6285 (patch) | |
| tree | af9b54103360550f025754b42e6954edaad9e60d | |
| parent | 07d00f6dfcb27f9972e3fd0cdbaa6a5724e802c5 (diff) | |
| download | jgit-3e0eedc57c056f57ccd0ec864f96837aa0ae6285.tar.gz jgit-3e0eedc57c056f57ccd0ec864f96837aa0ae6285.zip | |
AmazonS3: Do not accept DOCTYPE and entities
This follows OWASP recommendations in
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Change-Id: I3d47debf14d95c8189d51256b4eb2ba991279452
| -rw-r--r-- | org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java index aaf9f8a08a..9d9f5495fe 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java @@ -760,6 +760,15 @@ public class AmazonS3 { SAXParserFactory saxParserFactory = SAXParserFactory .newInstance(); saxParserFactory.setNamespaceAware(true); + saxParserFactory.setFeature( + "http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$ + false); + saxParserFactory.setFeature( + "http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$ + false); + saxParserFactory.setFeature( + "http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$ + true); xr = saxParserFactory.newSAXParser().getXMLReader(); } catch (SAXException | ParserConfigurationException e) { throw new IOException( |