diff options
| author | Matthias Sohn <matthias.sohn@sap.com> | 2025-05-14 10:19:15 +0200 |
|---|---|---|
| committer | Matthias Sohn <matthias.sohn@sap.com> | 2025-05-15 01:25:49 +0200 |
| commit | c6fc3607079022e95b018b60c830b3da63bf6fef (patch) | |
| tree | 180dc45d506001761e32bde9ad0857cace726bb2 | |
| parent | dab4f52d49a4638142027b916e31a5a470df7f03 (diff) | |
| download | jgit-c6fc3607079022e95b018b60c830b3da63bf6fef.tar.gz jgit-c6fc3607079022e95b018b60c830b3da63bf6fef.zip | |
AmazonS3: Do not accept DOCTYPE and entities
This follows OWASP recommendations in
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
Change-Id: I3d47debf14d95c8189d51256b4eb2ba991279452
| -rw-r--r-- | org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java index aaf9f8a08a..9d9f5495fe 100644 --- a/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java +++ b/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java @@ -760,6 +760,15 @@ public class AmazonS3 { SAXParserFactory saxParserFactory = SAXParserFactory .newInstance(); saxParserFactory.setNamespaceAware(true); + saxParserFactory.setFeature( + "http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$ + false); + saxParserFactory.setFeature( + "http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$ + false); + saxParserFactory.setFeature( + "http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$ + true); xr = saxParserFactory.newSAXParser().getXMLReader(); } catch (SAXException | ParserConfigurationException e) { throw new IOException( |