SAXReader uses system XMLReaderFactory.createXMLReader() or SAXParserFactory.newInstance().newSAXParser() which has unsecure defaults #87
Comments
Fixed in 2.0.3 and 2.1.3.
For posterity, this issue (and commit a822852) fixes CVE-2020-10683. I have requested an update to the description and references for CVE-2020-10683 to note that this issue was fixed with both 2.0.3 and 2.1.3. I also have submitted a request to update the CPE for the entry in the NVD so that it shows this fix on 2.0.3 as well as 2.1.3.
This is a bit confusing. I understand that the mentioned commit probably fixes (in 2.0.3) the issue that was present in 2.0.2, but 2.1.1 was not vulnerable. I mean, 2.1.3 effectively applies the 'fix' twice. Because in 2.1.3, And because the

// external entities
SAXHelper.setParserFeature(reader, "http://xml.org/sax/properties/external-general-entities", false);
SAXHelper.setParserFeature(reader, "http://xml.org/sax/properties/external-parameter-entities", false);
// external DTD
SAXHelper.setParserFeature(reader, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

So your desired defaults are applied here, and then again by the Moreover, as I argued in #51 the disabling of The correct behaviour IMHO is to throw an exception if you find entities and you aren't using an Once you have an Also, the parser configuration that I'm suggesting is valid for any compliant parser, while the
In commit css4j/css4j-dom4j@23ced62 there are two tests that could be useful in checking whether the Versions 2.0.3, 2.1.1 and 2.1.3 pass both tests, 2.0.2 fails (haven't checked 2.1.0 but it would fail, and that was covered by an earlier CVE).
The constructor

new org.dom4j.io.SAXReader()

calls one of the factory methods from the Java runtime library, org.xml.sax.helpers.XMLReaderFactory.createXMLReader() or javax.xml.parsers.SAXParserFactory.newInstance().newSAXParser(). These factory methods do not have safe defaults, such as downloading external entities.

Create the new factory method

org.dom4j.io.SAXReader.createDefault()

which overrides Java runtime library defaults and sets the following features:
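As an added example that is not part of this thread or of dom4j's own code, the Java class below reports whether a given SAXReader would try to resolve an external entity, and builds a reader configured with the entity and external-DTD features discussed above. The class name, the constructed sample document and its placeholder system identifier are assumptions; disallow-doctype-decl is an Apache Xerces feature that the thread does not mention.

```java
import java.io.StringReader;

import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example (not dom4j's code): does a SAXReader try to resolve external entities? */
public class SaxReaderEntityCheck {

    // Constructed sample document: the internal DTD declares an external general entity
    // and the body expands it. The system identifier is a placeholder and is never fetched.
    static final String XML_WITH_EXTERNAL_ENTITY =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/not-real.txt\"> ]>\n"
            + "<doc>&ext;</doc>";

    /** A reader configured as the thread describes, using the SAX standard feature URIs. */
    static SAXReader hardenedReader() throws SAXException {
        SAXReader reader = new SAXReader();
        // Xerces feature (assumption: Xerces-based parser): reject any DOCTYPE outright.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // SAX features controlling resolution of external general and parameter entities.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Xerces feature: do not fetch an external DTD even when not validating.
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** True if the reader consulted the EntityResolver for the entity, i.e. it would fetch it. */
    static boolean attemptsExternalEntityResolution(SAXReader reader) {
        final boolean[] consulted = {false};
        // Record the attempt and hand back an empty entity so parsing continues offline.
        reader.setEntityResolver((publicId, systemId) -> {
            consulted[0] = true;
            return new InputSource(new StringReader(""));
        });
        try {
            reader.read(new StringReader(XML_WITH_EXTERNAL_ENTITY));
        } catch (DocumentException e) {
            // A reader that rejects the DOCTYPE fails here, before any entity is resolved.
        }
        return consulted[0];
    }

    public static void main(String[] args) throws SAXException {
        System.out.println("new SAXReader() resolves external entity: "
                + attemptsExternalEntityResolution(new SAXReader()));
        System.out.println("hardened reader resolves external entity: "
                + attemptsExternalEntityResolution(hardenedReader()));
    }
}
```

Run it against each dom4j version under test; a reader that prints true for the default constructor is one whose callers must configure the features themselves or use createDefault().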