Changeset 8287 in josm for trunk/src/org/openstreetmap/josm/tools

Timestamp:

2015-04-28T01:11:18+02:00 (9 years ago)

Author:

Don-vip

Message:

fix findsecbugs:XXE_SAXPARSER - "Security - XML Parsing Vulnerable to XXE (SAXParser)"

Location:

trunk/src/org/openstreetmap/josm/tools

Files:

• Utils.java (modified) (2 diffs)
• XmlObjectParser.java (modified) (2 diffs)

trunk/src/org/openstreetmap/josm/tools/Utils.java

@@ -50 +50 @@
 import java.util.zip.ZipInputStream;
 
+import javax.xml.XMLConstants;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+
 import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
 import org.openstreetmap.josm.Main;
 import org.openstreetmap.josm.data.Version;
+import org.xml.sax.SAXException;
 
 /**
@@ -1164 +1170 @@
         return null;
     }
+
+    /**
+     * Returns a new secure SAX parser, supporting XML namespaces.
+     * @return a new secure SAX parser, supporting XML namespaces
+     * @throws ParserConfigurationException if a parser cannot be created which satisfies the requested configuration.
+     * @throws SAXException for SAX errors.
+     * @since 8287
+     */
+    public static SAXParser newSafeSAXParser() throws ParserConfigurationException, SAXException {
+        SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+        parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        parserFactory.setNamespaceAware(true);
+        return parserFactory.newSAXParser();
+    }
 }

trunk/src/org/openstreetmap/josm/tools/XmlObjectParser.java

@@ -20 +20 @@
 import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.stream.StreamSource;
 import javax.xml.validation.Schema;
@@ -250 +248 @@
     private Iterable<Object> start(final Reader in, final ContentHandler contentHandler) throws SAXException, IOException {
         try {
-            SAXParserFactory parserFactory = SAXParserFactory.newInstance();
-            parserFactory.setNamespaceAware(true);
-            SAXParser saxParser = parserFactory.newSAXParser();
-            XMLReader reader = saxParser.getXMLReader();
+            XMLReader reader = Utils.newSafeSAXParser().getXMLReader();
             reader.setContentHandler(contentHandler);
             try {