Commit 7ef3f0d5 authored by Dave Cridland's avatar Dave Cridland

Disable External Entities in plugin.xml

parent b2d5616f
...@@ -24,7 +24,11 @@ import org.jivesoftware.openfire.XMPPServer; ...@@ -24,7 +24,11 @@ import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.util.Version; import org.jivesoftware.util.Version;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.net.MalformedURLException; import java.net.MalformedURLException;
import java.net.URL; import java.net.URL;
import java.nio.file.Files; import java.nio.file.Files;
...@@ -503,6 +507,12 @@ public class PluginMetadataHelper ...@@ -503,6 +507,12 @@ public class PluginMetadataHelper
if ( Files.exists( pluginConfig ) ) if ( Files.exists( pluginConfig ) )
{ {
final SAXReader saxReader = new SAXReader(); final SAXReader saxReader = new SAXReader();
saxReader.setEntityResolver(new EntityResolver() {
@Override
public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
throw new IOException("External entity denied: " + publicId + " // " + systemId);
}
});
saxReader.setEncoding( "UTF-8" ); saxReader.setEncoding( "UTF-8" );
final Document pluginXML = saxReader.read( pluginConfig.toFile() ); final Document pluginXML = saxReader.read( pluginConfig.toFile() );
final Element element = (Element) pluginXML.selectSingleNode( xpath ); final Element element = (Element) pluginXML.selectSingleNode( xpath );
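Review bot: The resolver added before `saxReader.read( pluginConfig.toFile() )` rejects external entities and external DTD subsets, but a DOCTYPE that declares its entities internally is still parsed, so nested-entity expansion in a plugin.xml is not covered by this change. If no legitimate plugin.xml carries a DOCTYPE, `saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` on a Xerces-based parser closes both cases at the parser level. That call throws SAXException, and the enclosing method's signature and error handling are outside the hunk, so confirm how it and the IOException raised by the resolver surface to the caller (presumably as a failed parse of the whole file). The exception message also concatenates `publicId` and `systemId` read from the untrusted file, so wherever it ends up logged those values should be treated as attacker-controlled text.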