Changeset 10404 in josm for trunk/src/org/openstreetmap/josm/io

Timestamp:

2016-06-16T19:10:53+02:00 (9 years ago)

Author:

Don-vip

Message:

findbugs security - XML Parsing Vulnerable to XXE - enable FEATURE_SECURE_PROCESSING for DOM builders

Location:

trunk/src/org/openstreetmap/josm/io

Files:

• OsmServerUserInfoReader.java (modified) (3 diffs)
• imagery/WMSImagery.java (modified) (2 diffs)
• session/SessionReader.java (modified) (2 diffs)
• session/SessionWriter.java (modified) (2 diffs)

trunk/src/org/openstreetmap/josm/io/OsmServerUserInfoReader.java

@@ -9 +9 @@
 import java.util.List;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.xpath.XPath;
@@ -20 +19 @@
 import org.openstreetmap.josm.data.osm.UserInfo;
 import org.openstreetmap.josm.gui.progress.ProgressMonitor;
+import org.openstreetmap.josm.tools.Utils;
 import org.openstreetmap.josm.tools.XmlParsingException;
 import org.openstreetmap.josm.tools.date.DateUtils;
@@ -175 +175 @@
             monitor.indeterminateSubTask(tr("Reading user info ..."));
             try (InputStream in = getInputStream("user/details", monitor.createSubTaskMonitor(1, true), reason)) {
-                return buildFromXML(
-                        DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(in)
-                );
+                return buildFromXML(Utils.parseSafeDOM(in));
             }
         } catch (OsmTransferException e) {

trunk/src/org/openstreetmap/josm/io/imagery/WMSImagery.java

@@ -18 +18 @@
 import javax.imageio.ImageIO;
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -152 +151 @@
 
         try {
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-            builderFactory.setValidating(false);
-            builderFactory.setNamespaceAware(true);
-            DocumentBuilder builder = builderFactory.newDocumentBuilder();
+            DocumentBuilder builder = Utils.newSafeDOMBuilder();
             builder.setEntityResolver(new EntityResolver() {
                 @Override

trunk/src/org/openstreetmap/josm/io/session/SessionReader.java

@@ -29 +29 @@
 import javax.swing.JOptionPane;
 import javax.swing.SwingUtilities;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
@@ -633 +631 @@
 
         try {
-            DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-            builderFactory.setValidating(false);
-            builderFactory.setNamespaceAware(true);
-            DocumentBuilder builder = builderFactory.newDocumentBuilder();
-            Document document = builder.parse(josIS);
-            parseJos(document, progressMonitor);
+            parseJos(Utils.parseSafeDOM(josIS), progressMonitor);
         } catch (SAXException e) {
             throw new IllegalDataException(e);

trunk/src/org/openstreetmap/josm/io/session/SessionWriter.java

@@ -19 +19 @@
 
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
@@ -201 +200 @@
      */
     public Document createJosDocument() throws IOException {
-        DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
-        builderFactory.setValidating(false);
-        builderFactory.setNamespaceAware(true);
         DocumentBuilder builder = null;
         try {
-            builder = builderFactory.newDocumentBuilder();
+            builder = Utils.newSafeDOMBuilder();
         } catch (ParserConfigurationException e) {
-            throw new RuntimeException(e);
+            throw new IOException(e);
         }
         Document doc = builder.newDocument();