diff options
| author | Ben Murphy <benmmurphy@gmail.com> | 2013-02-08 02:48:22 +0000 |
|---|---|---|
| committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-15 17:48:27 -0700 |
| commit | c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f (patch) | |
| tree | 8824b21fd82d9caee277498325710ffeca5ec159 /activesupport/lib/active_support | |
| parent | ff3b9ca1308056b2c939ce77fbea1c4665f3619e (diff) | |
| download | rails-c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f.tar.gz rails-c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f.tar.bz2 rails-c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f.zip | |
JDOM XXE Protection [CVE-2013-1856]
Conflicts:
activesupport/test/xml_mini/jdom_engine_test.rb
Diffstat (limited to 'activesupport/lib/active_support')
| -rw-r--r-- | activesupport/lib/active_support/xml_mini/jdom.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb index 6c222b83ba..8d23ce4e18 100644 --- a/activesupport/lib/active_support/xml_mini/jdom.rb +++ b/activesupport/lib/active_support/xml_mini/jdom.rb @@ -38,6 +38,12 @@ module ActiveSupport {} else @dbf = DocumentBuilderFactory.new_instance + # secure processing of java xml + # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html + @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false) + @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false) + @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true) xml_string_reader = StringReader.new(data) xml_input_source = InputSource.new(xml_string_reader) doc = @dbf.new_document_builder.parse(xml_input_source) |