From c0d06633f0eafd1ef8cf51b4913894d6c8c9b58f Mon Sep 17 00:00:00 2001
From: Ben Murphy <benmmurphy@gmail.com>
Date: Fri, 8 Feb 2013 02:48:22 +0000
Subject: JDOM XXE Protection [CVE-2013-1856]

Conflicts:
	activesupport/test/xml_mini/jdom_engine_test.rb
---
 activesupport/lib/active_support/xml_mini/jdom.rb | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'activesupport/lib/active_support')

diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb
index 6c222b83ba..8d23ce4e18 100644
--- a/activesupport/lib/active_support/xml_mini/jdom.rb
+++ b/activesupport/lib/active_support/xml_mini/jdom.rb
@@ -38,6 +38,12 @@ module ActiveSupport
         {}
       else
         @dbf = DocumentBuilderFactory.new_instance
+        # secure processing of java xml
+        # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
+        @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+        @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
         xml_string_reader = StringReader.new(data)
         xml_input_source = InputSource.new(xml_string_reader)
         doc = @dbf.new_document_builder.parse(xml_input_source)
-- 
cgit v1.2.3