From 4551594a1f71ab69f6d0bed1336255ea2a41ac17 Mon Sep 17 00:00:00 2001 
From: Chris Kelley Date: Fri, 10 Jun 2022 17:25:07 +0100 Subject: [PATCH] Disable access to external entities when parsing XML Origin: https://github.com/dogtagpki/pki/commit/4551594a1f71ab69f6d0bed1336255ea2a41ac17 This reduces the vulnerability of XML parsers to XXE (XML external entity) injection. The best way to prevent XXE is to stop using XML altogether, which we do plan to do. Until that happens I consider it worthwhile to tighten the security here though. --- .../main/java/com/netscape/certsrv/account/Account.java | 4 ++++ .../java/com/netscape/certsrv/base/PKIException.java | 4 ++++ .../main/java/com/netscape/certsrv/base/RESTMessage.java | 4 ++++ .../main/java/com/netscape/certsrv/cert/CertData.java | 4 ++++ .../java/com/netscape/certsrv/cert/CertDataInfo.java | 4 ++++ .../java/com/netscape/certsrv/cert/CertDataInfos.java | 4 ++++ .../com/netscape/certsrv/cert/CertEnrollmentRequest.java | 4 ++++ .../java/com/netscape/certsrv/cert/CertRequestInfo.java | 4 ++++ .../java/com/netscape/certsrv/cert/CertRequestInfos.java | 4 ++++ .../com/netscape/certsrv/cert/CertRetrievalRequest.java | 4 ++++ .../com/netscape/certsrv/cert/CertRevokeRequest.java | 4 ++++ .../com/netscape/certsrv/cert/CertSearchRequest.java | 4 ++++ .../netscape/certsrv/key/AsymKeyGenerationRequest.java | 1 + .../com/netscape/certsrv/key/KeyArchivalRequest.java | 1 + .../java/com/netscape/certsrv/key/KeyRequestInfo.java | 4 ++++ .../netscape/certsrv/key/KeyRequestInfoCollection.java | 4 ++++ .../netscape/certsrv/key/SymKeyGenerationRequest.java | 1 + .../com/netscape/certsrv/profile/PolicyConstraint.java | 4 ++++ .../netscape/certsrv/profile/PolicyConstraintValue.java | 4 ++++ .../java/com/netscape/certsrv/profile/PolicyDefault.java | 4 ++++ .../com/netscape/certsrv/profile/ProfileAttribute.java | 4 ++++ .../java/com/netscape/certsrv/profile/ProfileData.java | 4 ++++ .../com/netscape/certsrv/profile/ProfileDataInfo.java | 4 ++++ .../com/netscape/certsrv/profile/ProfileDataInfos.java | 4 ++++ 
.../java/com/netscape/certsrv/profile/ProfileInput.java | 4 ++++ .../java/com/netscape/certsrv/profile/ProfileOutput.java | 4 ++++ .../com/netscape/certsrv/profile/ProfileParameter.java | 4 ++++ .../com/netscape/certsrv/request/CMSRequestInfo.java | 4 ++++ base/common/src/main/java/org/dogtagpki/common/Info.java | 4 ++++ .../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++- .../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 + .../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++ 32 files changed, 122 insertions(+), 1 deletion(-) diff --git a/base/common/src/main/java/com/netscape/certsrv/account/Account.java b/base/common/src/main/java/com/netscape/certsrv/account/Account.java index 7447bfa36f1..6aaca9ccde1 100644 --- a/base/common/src/main/java/com/netscape/certsrv/account/Account.java +++ b/base/common/src/main/java/com/netscape/certsrv/account/Account.java @@ -23,6 +23,7 @@ import java.util.Collection; import java.util.TreeSet; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; @@ -209,6 +210,8 @@ public String toXML() throws Exception { document.appendChild(accountElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); 
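Review bot: In Account.toXML() the two added `transformerFactory.setAttribute(...)` calls throw `IllegalArgumentException` if the implementation returned by `TransformerFactory.newInstance()` does not recognise the JAXP 1.5 access properties, so on such a provider serialisation would fail outright. The hunk does not show which implementation is on the classpath, so this needs confirming for every supported deployment. The same two lines are repeated in each toXML() hunk of this patch (PKIException, RESTMessage, CertData, CertDataInfo and the rest), so a single helper returning the hardened factory would keep the settings in one place, with a comment such as `// no external DTD or stylesheet access for the serialising transformer`. That helper would also be the natural place for `transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` if the project wants the processor's built-in limits enabled too. toXML() starts before and continues after the hunk.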
@@ -224,6 +227,7 @@ public String toXML() throws Exception { public static Account fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java index f4876f8bd2d..6ea5c3d6fdf 100644 --- a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java +++ b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java @@ -21,6 +21,7 @@ import java.io.StringWriter; import javax.ws.rs.core.Response; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; @@ -158,6 +159,8 @@ public String toXML() throws Exception { document.appendChild(element); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -173,6 +176,7 @@ public String toXML() throws Exception { public static Data fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); 
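Review bot: No test pins the new rejection of DOCTYPE declarations in Account.fromXML(), and none of the 32 files named in the diffstat looks like a test. A regression test that passes fromXML() a document with a DOCTYPE and expects the parse to fail would cover this hunk and the identical fromXML() hunks (PKIException, RESTMessage, CertData and the rest). The feature URI is a string literal repeated in every one of those hunks, so a shared constant or factory helper would avoid drift, with a comment like `// reject DOCTYPE: blocks external entities and entity-expansion payloads` to explain why well-formed input carrying a DTD is now refused. As defence in depth the same place could also set `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);`. The body of fromXML() continues outside the hunk.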
diff --git a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java index a62a1aea0fc..136fcf54a84 100644 --- a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java +++ b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java @@ -10,6 +10,7 @@ import java.util.Map; import javax.ws.rs.core.MultivaluedMap; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; @@ -317,6 +318,8 @@ public String toXML() throws Exception { document.appendChild(element); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -332,6 +335,7 @@ public String toXML() throws Exception { public static RESTMessage fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java index 2a47c3c6653..a3a19e71a2e 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java 
@@ -23,6 +23,7 @@ import java.security.cert.X509Certificate; import java.util.Date; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; @@ -475,6 +476,8 @@ public String toXML() throws Exception { document.appendChild(infoElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -490,6 +493,7 @@ public String toXML() throws Exception { public static CertData fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java index 847e32b0c48..516fac96027 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java @@ -24,6 +24,7 @@ import java.io.StringWriter; import java.util.Date; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -513,6 +514,8 @@ public String toXML() throws Exception { document.appendChild(infoElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -528,6 +531,7 @@ public String toXML() throws Exception { public static CertDataInfo fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java index 8554da4692d..22627396ba6 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java @@ -20,6 +20,7 @@ import java.io.StringReader; import java.io.StringWriter; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -74,6 +75,8 @@ public String toXML() throws Exception { toDOM(document); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -118,6 +121,7 @@ public static CertDataInfos fromDOM(Element infosElement) { public static CertDataInfos fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java index 88de02e755e..f48fa56564f 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java @@ -28,6 +28,7 @@ import java.util.HashMap; import javax.ws.rs.core.MultivaluedMap; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -514,6 +515,8 @@ public String toXML() throws Exception { document.appendChild(element); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -527,6 +530,7 @@ public String toXML() throws Exception { public static CertEnrollmentRequest fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java index 79bff39c93a..b7aa718db5e 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java @@ -21,6 +21,7 @@ import java.io.StringReader; import java.io.StringWriter; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -246,6 +247,8 @@ public String toXML() throws Exception { document.appendChild(element); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -261,6 +264,7 @@ public String toXML() throws Exception { public static CertRequestInfo fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java index 8365e334f7a..4720bc42fce 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java @@ -21,6 +21,7 @@ import java.io.StringWriter; import java.util.Collection; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -108,6 +109,8 @@ public String toXML() throws Exception { document.appendChild(element); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -152,6 +155,7 @@ public static CertRequestInfos fromDOM(Element infosElement) { public static CertRequestInfos fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java index db169174d27..bde7e992d3a 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java @@ -25,6 +25,7 @@ import java.io.StringWriter; import java.util.Objects; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -126,6 +127,8 @@ public String toXML() throws Exception { document.appendChild(requestElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -141,6 +144,7 @@ public String toXML() throws Exception { public static CertRetrievalRequest fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java index 5f0a9f4d069..709db381a29 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java @@ -22,6 +22,7 @@ import java.io.StringWriter; import java.util.Date; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -226,6 +227,8 @@ public String toXML() throws Exception { document.appendChild(requestElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -241,6 +244,7 @@ public String toXML() throws Exception { public static CertRevokeRequest fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java index 1d178b6b7ca..67da3c1b61d 100644 --- a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java +++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java @@ -25,6 +25,7 @@ import java.util.Objects; import javax.ws.rs.core.MultivaluedMap; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -1079,6 +1080,8 @@ public String toXML() throws Exception { document.appendChild(rootElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -1094,6 +1097,7 @@ public String toXML() throws Exception { public static CertSearchRequest fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java index 05303b29faa..fc1fe0fff7f 100644 --- a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java +++ b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java @@ -114,6 +114,7 @@ public static AsymKeyGenerationRequest fromDOM(Element element) { public static AsymKeyGenerationRequest fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java index 3152e8880fe..462f2284b66 100644 
--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java +++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java @@ -256,6 +256,7 @@ public static KeyArchivalRequest fromDOM(Element element) { public static KeyArchivalRequest fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java index 8970a70ebaa..dca3f01d42a 100644 --- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java +++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java @@ -21,6 +21,7 @@ import java.io.StringReader; import java.io.StringWriter; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; @@ -139,6 +140,8 @@ public String toXML() throws Exception { document.appendChild(element); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); 
@@ -154,6 +157,7 @@ public String toXML() throws Exception { public static KeyRequestInfo fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java index c471f6985f2..6cc98407a72 100644 --- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java +++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java @@ -21,6 +21,7 @@ import java.io.StringWriter; import java.util.Collection; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; @@ -99,6 +100,8 @@ public String toXML() throws Exception { document.appendChild(element); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); 
@@ -143,6 +146,7 @@ public static KeyRequestInfoCollection fromDOM(Element infosElement) { public static KeyRequestInfoCollection fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java index f86bba27bfa..e7542f6d5af 100644 --- a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java +++ b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java @@ -103,6 +103,7 @@ public static SymKeyGenerationRequest fromDOM(Element element) { public static SymKeyGenerationRequest fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java index 763eaaec9dc..5d43bf187a0 100644 --- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java +++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java @@ -22,6 +22,7 @@ import java.util.ArrayList; import java.util.List; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -228,6 +229,8 @@ public String toXML() throws Exception { document.appendChild(accountElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -242,6 +245,7 @@ public String toXML() throws Exception { public static PolicyConstraint fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java index be84f086cd2..9986837cffc 100644 --- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java +++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java @@ -20,6 +20,7 @@ import java.io.StringReader; import java.io.StringWriter; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -169,6 +170,8 @@ public String toXML() throws Exception { document.appendChild(pcvElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -183,6 +186,7 @@ public String toXML() throws Exception { public static PolicyConstraintValue fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java index 49e25989f43..b4602c68e0f 100644 --- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java +++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java @@ -22,6 +22,7 @@ import java.util.ArrayList; import java.util.List; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -231,6 +232,8 @@ public String toXML() throws Exception { document.appendChild(pdElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -245,6 +248,7 @@ public String toXML() throws Exception { public static PolicyDefault fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java index 0e43db83d9c..7abd149c165 100644 --- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java +++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java @@ -20,6 +20,7 @@ import java.io.StringReader; import java.io.StringWriter; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -180,6 +181,8 @@ public String toXML() throws Exception { document.appendChild(accountElement); TransformerFactory transformerFactory = TransformerFactory.newInstance(); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); + transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); Transformer transformer = transformerFactory.newTransformer(); transformer.setOutputProperty(OutputKeys.INDENT, "yes"); transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); @@ -193,6 +196,7 @@ public String toXML() throws Exception { public static ProfileAttribute fromXML(String xml) throws Exception { DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); DocumentBuilder builder = factory.newDocumentBuilder(); Document document = builder.parse(new InputSource(new StringReader(xml))); diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java index f80c0d55669..7506a7f334e 100644 --- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java +++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java @@ -31,6 +31,7 @@ import java.util.Objects; import java.util.Vector; +import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.transform.OutputKeys; 
@@ -554,6 +555,8 @@ public String toXML() throws Exception {
 document.appendChild(pdElement);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -568,6 +571,7 @@ public String toXML() throws Exception {
 public static ProfileData fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
index 8f1744e76e0..a67d6972429 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
@@ -21,6 +22,7 @@ import java.io.StringWriter;
 import java.util.Objects;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -177,6 +178,8 @@ public String toXML() throws Exception {
 document.appendChild(profileParameterElement);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -191,6 +194,7 @@ public String toXML() throws Exception {
 public static ProfileDataInfo fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
index 7225c83a571..8975bc6d99f 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
@@ -20,6 +21,7 @@ import java.io.StringReader;
 import java.io.StringWriter;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -74,6 +75,8 @@ public String toXML() throws Exception {
 document.appendChild(element);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -118,6 +121,7 @@ public static ProfileDataInfos fromDOM(Element infosElement) {
 public static ProfileDataInfos fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
index 303785da978..aac8f0d0dc7 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
@@ -23,6 +24,7 @@ import java.util.Collection;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -354,6 +355,8 @@ public String toXML() throws Exception {
 document.appendChild(element);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -367,6 +370,7 @@ public String toXML() throws Exception {
 public static ProfileInput fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
index b2442c7fb39..c85bfede2a4 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
@@ -22,6 +23,7 @@ import java.util.ArrayList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -234,6 +235,8 @@ public String toXML() throws Exception {
 document.appendChild(pdElement);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -248,6 +251,7 @@ public String toXML() throws Exception {
 public static ProfileOutput fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
index 55e07b419ca..e868eaccd23 100644
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
@@ -21,6 +22,7 @@ import java.io.StringWriter;
 import java.util.Objects;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -128,6 +129,8 @@ public String toXML() throws Exception {
 document.appendChild(profileParameterElement);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -142,6 +145,7 @@ public String toXML() throws Exception {
 public static ProfileParameter fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
index b6c2fa491e8..661355ae179 100644
--- a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
+++ b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
@@ -20,6 +21,7 @@ import java.io.StringReader;
 import java.io.StringWriter;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -229,6 +230,8 @@ public String toXML() throws Exception {
 document.appendChild(element);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -244,6 +247,7 @@ public String toXML() throws Exception {
 public static CMSRequestInfo fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/common/src/main/java/org/dogtagpki/common/Info.java b/base/common/src/main/java/org/dogtagpki/common/Info.java
index 0929ada9b05..3d1b693157f 100644
--- a/base/common/src/main/java/org/dogtagpki/common/Info.java
+++ b/base/common/src/main/java/org/dogtagpki/common/Info.java
@@ -21,6 +22,7 @@ import java.io.StringReader;
 import java.io.StringWriter;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.OutputKeys;
@@ -183,6 +184,8 @@ public String toXML() throws Exception {
 document.appendChild(element);
 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
@@ -198,6 +201,7 @@ public String toXML() throws Exception {
 public static Info fromXML(String xml) throws Exception {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(new InputSource(new StringReader(xml)));
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
index bdd485e89ab..07fae1ad50c 100644
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
@@ -24,6 +25,7 @@ import java.util.Locale;
 import java.util.Vector;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
@@ -697,7 +698,10 @@ public static void main(String args[]) throws Exception {
 XMLObject xmlObject = convertDomainInfoToXMLObject(before);
 Document document = xmlObject.getDocument();
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
 transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
index 2a02d722a1f..d9ac5727476 100644
--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
@@ -41,6 +41,7 @@ public static ServerXml load(String filename) throws Exception {
 ServerXml serverXml = new ServerXml();
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document document = builder.parse(filename);
diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
index 81fdbf4b2e0..1043bcb477f 100644
--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
@@ -25,6 +25,7 @@ import java.io.StringWriter;
 import java.util.Vector;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -56,6 +57,7 @@ public XMLObject() throws ParserConfigurationException {
 public XMLObject(InputStream s) throws SAXException, IOException, ParserConfigurationException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder docBuilder = factory.newDocumentBuilder();
 mDoc = docBuilder.parse(s);
 }
@@ -63,6 +65,7 @@ public XMLObject(InputStream s)
 public XMLObject(File f) throws SAXException, IOException, ParserConfigurationException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder docBuilder = factory.newDocumentBuilder();
 mDoc = docBuilder.parse(f);
 }
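Review bot: `ServerXml.load` now rejects any file that carries a DOCTYPE, including one with only a local internal subset, and nothing next to the new `setFeature` line tells an operator why a load that used to work now fails. If this reads Tomcat's server.xml (the class name suggests it, the hunk does not confirm it), deployments that split the file with `<!ENTITY ... SYSTEM ...>` includes will stop loading after this change. That is a reasonable trade for a hardened parser, but it should be stated in the code, for example `// DOCTYPE is rejected on purpose; entity-based includes in this file are not supported`. `load` continues below the hunk.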
@@ -159,6 +162,8 @@ public Vector getValuesFromContainer(Node container, String tagname) {
 public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
 ByteArrayOutputStream bos = new ByteArrayOutputStream();
 TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer aTransformer = tranFactory.newTransformer();
 Source src = new DOMSource(mDoc);
 Result dest = new StreamResult(bos);
@@ -169,6 +174,8 @@ public byte[] toByteArray() throws TransformerConfigurationException, Transforme
 public void output(OutputStream os) throws TransformerConfigurationException, TransformerException {
 TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer aTransformer = tranFactory.newTransformer();
 Source src = new DOMSource(mDoc);
 Result dest = new StreamResult(os);
@@ -177,6 +184,8 @@ public void output(OutputStream os)
 public String toXMLString() throws TransformerConfigurationException, TransformerException {
 TransformerFactory tranFactory = TransformerFactory.newInstance();
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer transformer = tranFactory.newTransformer();
 Source src = new DOMSource(mDoc);
 StreamResult dest = new StreamResult(new StringWriter());