packages/jackson
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
jackson/CVE-2019-10172-1.patch
starlet-dx 55834bfb8c fix CVE-2019-10172
2021-09-13 14:40:37 +08:00

49 lines
2.3 KiB
Diff
Raw Permalink Blame History

From 54c6bc36aa57741ea669ad110ce28acaa1600864 Mon Sep 17 00:00:00 2001
From: PJ Fanning <pj.fanning@workday.com>
Date: Fri, 1 Jul 2016 01:49:46 +0100
Subject: [PATCH] Set Secure Processing flag on DocumentBuilderFactory
---
.../java/org/codehaus/jackson/map/ext/DOMDeserializer.java | 7 +++++++
.../codehaus/jackson/xc/DomElementJsonDeserializer.java | 1 +
2 files changed, 8 insertions(+)
diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
index 50e6016c2..3a486b9e4 100644
--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
@@ -2,7 +2,9 @@
import java.io.StringReader;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
import org.codehaus.jackson.map.DeserializationContext;
import org.codehaus.jackson.map.deser.std.FromStringDeserializer;
@@ -22,6 +24,11 @@
_parserFactory = DocumentBuilderFactory.newInstance();
// yup, only cave men do XML without recognizing namespaces...
_parserFactory.setNamespaceAware(true);
+ try {
+ _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch(ParserConfigurationException pce) {
+ System.err.println("[DOMDeserializer] Problem setting SECURE_PROCESSING_FEATURE: " + pce.toString());
+ }
}
protected DOMDeserializer(Class<T> cls) { super(cls); }
diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
index cf9c073d9..ccd631aa3 100644
--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
@@ -30,6 +30,7 @@ public DomElementJsonDeserializer()
try {
DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
bf.setNamespaceAware(true);
+ bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
builder = bf.newDocumentBuilder();
} catch (ParserConfigurationException e) {
throw new RuntimeException();
Reference in New Issue View Git Blame Copy Permalink