Changeset 10404 in josm for trunk/src/org/openstreetmap/josm/data/CustomConfigurator.java

Timestamp:

2016-06-16T19:10:53+02:00 (8 years ago)

Author:

Don-vip

Message:

findbugs security - XML Parsing Vulnerable to XXE - enable FEATURE_SECURE_PROCESSING for DOM builders

File:

• trunk/src/org/openstreetmap/josm/data/CustomConfigurator.java (modified) (3 diffs)

trunk/src/org/openstreetmap/josm/data/CustomConfigurator.java

@@ -35 +35 @@
 import javax.swing.SwingUtilities;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.stream.XMLStreamException;
@@ -269 +268 @@
         try {
             String toXML = Main.pref.toXML(true);
-            InputStream is = new ByteArrayInputStream(toXML.getBytes(StandardCharsets.UTF_8));
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-            builderFactory.setValidating(false);
-            builderFactory.setNamespaceAware(false);
-            DocumentBuilder builder = builderFactory.newDocumentBuilder();
-            document = builder.parse(is);
+            DocumentBuilder builder = Utils.newSafeDOMBuilder();
+            document = builder.parse(new ByteArrayInputStream(toXML.getBytes(StandardCharsets.UTF_8)));
             exportDocument = builder.newDocument();
             root = document.getDocumentElement();
@@ -465 +460 @@
         public void openAndReadXML(InputStream is) {
             try {
-                DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-                builderFactory.setValidating(false);
-                builderFactory.setNamespaceAware(true);
-                DocumentBuilder builder = builderFactory.newDocumentBuilder();
-                Document document = builder.parse(is);
+                Document document = Utils.parseSafeDOM(is);
                 synchronized (CustomConfigurator.class) {
                     processXML(document);