diff options
author | Ben Murphy <benmmurphy@gmail.com> | 2013-02-08 02:48:22 +0000 |
---|---|---|
committer | Aaron Patterson <aaron.patterson@gmail.com> | 2013-03-15 17:46:15 -0700 |
commit | db8b636e50ee8a138f48117e8e8ad057cc7527a4 (patch) | |
tree | 7c1ae6592b0247285bf51f739158aacab3b12d38 /activesupport/lib | |
parent | 8be6913990c30f63618173da722148892348dcc9 (diff) | |
download | rails-db8b636e50ee8a138f48117e8e8ad057cc7527a4.tar.gz rails-db8b636e50ee8a138f48117e8e8ad057cc7527a4.tar.bz2 rails-db8b636e50ee8a138f48117e8e8ad057cc7527a4.zip |
JDOM XXE Protection [CVE-2013-1856]
Diffstat (limited to 'activesupport/lib')
-rw-r--r-- | activesupport/lib/active_support/xml_mini/jdom.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb index 4551dd2f2d..27c64c4dca 100644 --- a/activesupport/lib/active_support/xml_mini/jdom.rb +++ b/activesupport/lib/active_support/xml_mini/jdom.rb @@ -37,6 +37,12 @@ module ActiveSupport {} else @dbf = DocumentBuilderFactory.new_instance + # secure processing of java xml + # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html + @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false) + @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false) + @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false) + @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true) xml_string_reader = StringReader.new(data) xml_input_source = InputSource.new(xml_string_reader) doc = @dbf.new_document_builder.parse(xml_input_source) |