fix CVE-2022-2414
parent
1f7cd1a2c4
commit
4bb1538af0
928
0001-Disable-access-to-external-entities-when-parsing-XML.patch
Normal file
928
0001-Disable-access-to-external-entities-when-parsing-XML.patch
Normal file
@ -0,0 +1,928 @@
|
||||
From b176837c317216185930a09e6eae916a39bbbe5e Mon Sep 17 00:00:00 2001
|
||||
From: rpm-build <rpm-build>
|
||||
Date: Fri, 15 Jul 2022 09:36:00 +0800
|
||||
Subject: [PATCH] Disable access to external entities when parsing XML
|
||||
|
||||
This reduces the vulnerability of XML parsers to XXE (XML external
|
||||
entity) injection.
|
||||
|
||||
The best way to prevent XXE is to stop using XML altogether, which we do
|
||||
plan to do. Until that happens I consider it worthwhile to tighten the
|
||||
security here though.
|
||||
---
|
||||
.../main/java/com/netscape/certsrv/account/Account.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/base/PKIException.java | 4 ++++
|
||||
.../main/java/com/netscape/certsrv/base/RESTMessage.java | 4 ++++
|
||||
.../main/java/com/netscape/certsrv/cert/CertData.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/cert/CertDataInfo.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/cert/CertDataInfos.java | 4 ++++
|
||||
.../com/netscape/certsrv/cert/CertEnrollmentRequest.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/cert/CertRequestInfo.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/cert/CertRequestInfos.java | 4 ++++
|
||||
.../com/netscape/certsrv/cert/CertRetrievalRequest.java | 4 ++++
|
||||
.../com/netscape/certsrv/cert/CertRevokeRequest.java | 4 ++++
|
||||
.../com/netscape/certsrv/cert/CertSearchRequest.java | 4 ++++
|
||||
.../netscape/certsrv/key/AsymKeyGenerationRequest.java | 1 +
|
||||
.../com/netscape/certsrv/key/KeyArchivalRequest.java | 1 +
|
||||
.../java/com/netscape/certsrv/key/KeyRequestInfo.java | 4 ++++
|
||||
.../netscape/certsrv/key/KeyRequestInfoCollection.java | 4 ++++
|
||||
.../netscape/certsrv/key/SymKeyGenerationRequest.java | 1 +
|
||||
.../com/netscape/certsrv/profile/PolicyConstraint.java | 4 ++++
|
||||
.../netscape/certsrv/profile/PolicyConstraintValue.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/profile/PolicyDefault.java | 4 ++++
|
||||
.../com/netscape/certsrv/profile/ProfileAttribute.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/profile/ProfileData.java | 4 ++++
|
||||
.../com/netscape/certsrv/profile/ProfileDataInfo.java | 4 ++++
|
||||
.../com/netscape/certsrv/profile/ProfileDataInfos.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/profile/ProfileInput.java | 4 ++++
|
||||
.../java/com/netscape/certsrv/profile/ProfileOutput.java | 4 ++++
|
||||
.../com/netscape/certsrv/profile/ProfileParameter.java | 4 ++++
|
||||
.../com/netscape/certsrv/request/CMSRequestInfo.java | 4 ++++
|
||||
base/common/src/main/java/org/dogtagpki/common/Info.java | 4 ++++
|
||||
.../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
|
||||
.../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 +
|
||||
.../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
|
||||
32 files changed, 122 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/account/Account.java b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
|
||||
index 7447bfa..6aaca9c 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/account/Account.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
|
||||
@@ -23,6 +23,7 @@ import java.io.StringWriter;
|
||||
import java.util.Collection;
|
||||
import java.util.TreeSet;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -209,6 +210,8 @@ public class Account extends RESTMessage {
|
||||
document.appendChild(accountElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,"");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
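Review bot: The two added `transformerFactory.setAttribute(...)` calls throw `IllegalArgumentException` when the selected provider does not recognise the JAXP 1.5 access properties, and `TransformerFactory.newInstance()` here takes whichever implementation the classpath supplies. This hunk does not show which provider the deployment uses, so a comment stating the requirement would help, for example `// JAXP 1.5 access restrictions; setAttribute throws IllegalArgumentException on providers without support`. The transformer in this hunk only serializes a `document` that appears to be built in memory, so these lines are defense in depth rather than the parse-side fix. The same applies to the matching toXML hunks in the other files of this patch. The second call is also missing a space after the comma (`ACCESS_EXTERNAL_STYLESHEET,""`), and the enclosing method starts and ends outside the hunk.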
|
||||
@@ -224,6 +227,7 @@ public class Account extends RESTMessage {
|
||||
public static Account fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
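Review bot: The hardening line `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` is copied by hand into every `fromXML` in this patch, so each new or missed parse site has to remember it. The RESTMessage.java hunk in the same patch already shows the line landing somewhere other than right after `DocumentBuilderFactory.newInstance()`. A single shared factory method would keep the parser configuration in one place; the name is only a suggestion, e.g. `DocumentBuilderFactory factory = newHardenedDocumentBuilderFactory();`. It could also carry a short comment that a DOCTYPE in the input is now rejected with a parse error. The body of `fromXML` continues outside the hunk.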
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
|
||||
index f4876f8..6ea5c3d 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
|
||||
@@ -21,6 +21,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
import javax.ws.rs.core.Response;
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -158,6 +159,8 @@ public class PKIException extends RuntimeException {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -173,6 +176,7 @@ public class PKIException extends RuntimeException {
|
||||
public static Data fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
|
||||
index a62a1ae..e8bc5eb 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
|
||||
@@ -10,6 +10,7 @@ import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import javax.ws.rs.core.MultivaluedMap;
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -317,11 +318,14 @@ public class RESTMessage implements JSONSerializer {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
|
||||
DOMSource domSource = new DOMSource(document);
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
StringWriter sw = new StringWriter();
|
||||
StreamResult streamResult = new StreamResult(sw);
|
||||
transformer.transform(domSource, streamResult);
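Review bot: The added `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` sits between `DOMSource domSource = new DOMSource(document);` and `StringWriter sw = new StringWriter();`, which is the serialization path, not a parser setup. If `factory` is the `DocumentBuilderFactory` that built `document` earlier in this method (not visible here), the feature is set after the builder was created and has no effect. If no such variable is in scope, the line does not compile. In the other files of this patch the same line goes directly after `DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();` in `fromXML`, so whichever method of RESTMessage calls `builder.parse(...)` appears to be left unhardened. The line should move to right after the factory is created in that parsing method, which lies outside this hunk.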
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
|
||||
index 2a47c3c..a3a19e7 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
|
||||
@@ -23,6 +23,7 @@ import java.security.Principal;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Date;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -475,6 +476,8 @@ public class CertData implements JSONSerializer {
|
||||
document.appendChild(infoElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -490,6 +493,7 @@ public class CertData implements JSONSerializer {
|
||||
public static CertData fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
|
||||
index 847e32b..516fac9 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
|
||||
@@ -24,6 +24,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Date;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -513,6 +514,8 @@ public class CertDataInfo implements JSONSerializer {
|
||||
document.appendChild(infoElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -528,6 +531,7 @@ public class CertDataInfo implements JSONSerializer {
|
||||
public static CertDataInfo fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
|
||||
index 8554da4..2262739 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
|
||||
@@ -20,6 +20,7 @@ package com.netscape.certsrv.cert;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -74,6 +75,8 @@ public class CertDataInfos extends DataCollection<CertDataInfo> {
|
||||
toDOM(document);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -118,6 +121,7 @@ public class CertDataInfos extends DataCollection<CertDataInfo> {
|
||||
public static CertDataInfos fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
|
||||
index 88de02e..f48fa56 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
|
||||
@@ -28,6 +28,7 @@ import java.util.Collection;
|
||||
import java.util.HashMap;
|
||||
|
||||
import javax.ws.rs.core.MultivaluedMap;
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -514,6 +515,8 @@ public class CertEnrollmentRequest extends RESTMessage {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -527,6 +530,7 @@ public class CertEnrollmentRequest extends RESTMessage {
|
||||
|
||||
public static CertEnrollmentRequest fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
|
||||
index 79bff39..b7aa718 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
|
||||
@@ -21,6 +21,7 @@ package com.netscape.certsrv.cert;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -246,6 +247,8 @@ public class CertRequestInfo extends CMSRequestInfo {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -261,6 +264,7 @@ public class CertRequestInfo extends CMSRequestInfo {
|
||||
public static CertRequestInfo fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
|
||||
index 8365e33..4720bc4 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
|
||||
@@ -21,6 +21,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Collection;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -108,6 +109,8 @@ public class CertRequestInfos extends DataCollection<CertRequestInfo> implements
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -152,6 +155,7 @@ public class CertRequestInfos extends DataCollection<CertRequestInfo> implements
|
||||
public static CertRequestInfos fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
|
||||
index db16917..bde7e99 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
|
||||
@@ -25,6 +25,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Objects;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -126,6 +127,8 @@ public class CertRetrievalRequest implements JSONSerializer {
|
||||
document.appendChild(requestElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -141,6 +144,7 @@ public class CertRetrievalRequest implements JSONSerializer {
|
||||
public static CertRetrievalRequest fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
|
||||
index 5f0a9f4..709db38 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
|
||||
@@ -22,6 +22,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Date;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -226,6 +227,8 @@ public class CertRevokeRequest implements JSONSerializer {
|
||||
document.appendChild(requestElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -241,6 +244,7 @@ public class CertRevokeRequest implements JSONSerializer {
|
||||
public static CertRevokeRequest fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
|
||||
index 1d178b6..67da3c1 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
|
||||
@@ -25,6 +25,7 @@ import java.io.StringWriter;
|
||||
import java.util.Objects;
|
||||
|
||||
import javax.ws.rs.core.MultivaluedMap;
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -1079,6 +1080,8 @@ public class CertSearchRequest implements JSONSerializer {
|
||||
document.appendChild(rootElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -1094,6 +1097,7 @@ public class CertSearchRequest implements JSONSerializer {
|
||||
public static CertSearchRequest fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
|
||||
index 05303b2..fc1fe0f 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
|
||||
@@ -114,6 +114,7 @@ public class AsymKeyGenerationRequest extends KeyGenerationRequest {
|
||||
public static AsymKeyGenerationRequest fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
|
||||
index 3152e88..462f228 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
|
||||
@@ -256,6 +256,7 @@ public class KeyArchivalRequest extends RESTMessage {
|
||||
public static KeyArchivalRequest fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
|
||||
index 8970a70..dca3f01 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
|
||||
@@ -21,6 +21,7 @@ package com.netscape.certsrv.key;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -139,6 +140,8 @@ public class KeyRequestInfo extends CMSRequestInfo {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -154,6 +157,7 @@ public class KeyRequestInfo extends CMSRequestInfo {
|
||||
public static KeyRequestInfo fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
|
||||
index c471f69..6cc9840 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
|
||||
@@ -21,6 +21,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Collection;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -99,6 +100,8 @@ public class KeyRequestInfoCollection extends DataCollection<KeyRequestInfo> imp
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -143,6 +146,7 @@ public class KeyRequestInfoCollection extends DataCollection<KeyRequestInfo> imp
|
||||
public static KeyRequestInfoCollection fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
|
||||
index f86bba2..e7542f6 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
|
||||
@@ -103,6 +103,7 @@ public class SymKeyGenerationRequest extends KeyGenerationRequest {
|
||||
public static SymKeyGenerationRequest fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
|
||||
index 763eaae..5d43bf1 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
|
||||
@@ -22,6 +22,7 @@ import java.io.StringWriter;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -228,6 +229,8 @@ public class PolicyConstraint implements JSONSerializer {
|
||||
document.appendChild(accountElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -242,6 +245,7 @@ public class PolicyConstraint implements JSONSerializer {
|
||||
|
||||
public static PolicyConstraint fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
|
||||
index be84f08..9986837 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
|
||||
@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -169,6 +170,8 @@ public class PolicyConstraintValue implements JSONSerializer {
|
||||
document.appendChild(pcvElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -183,6 +186,7 @@ public class PolicyConstraintValue implements JSONSerializer {
|
||||
|
||||
public static PolicyConstraintValue fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
|
||||
index 49e2598..b4602c6 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
|
||||
@@ -22,6 +22,7 @@ import java.io.StringWriter;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -231,6 +232,8 @@ public class PolicyDefault implements JSONSerializer {
|
||||
document.appendChild(pdElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -245,6 +248,7 @@ public class PolicyDefault implements JSONSerializer {
|
||||
|
||||
public static PolicyDefault fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
|
||||
index 0e43db8..7abd149 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
|
||||
@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -180,6 +181,8 @@ public class ProfileAttribute implements JSONSerializer {
|
||||
document.appendChild(accountElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -193,6 +196,7 @@ public class ProfileAttribute implements JSONSerializer {
|
||||
|
||||
public static ProfileAttribute fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java
|
||||
index f80c0d5..450b832 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java
|
||||
@@ -31,6 +31,7 @@ import java.util.Map.Entry;
|
||||
import java.util.Objects;
|
||||
import java.util.Vector;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -554,6 +555,8 @@ public class ProfileData implements JSONSerializer {
|
||||
document.appendChild(pdElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -568,6 +571,7 @@ public class ProfileData implements JSONSerializer {
|
||||
|
||||
public static ProfileData fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
|
||||
index 8f1744e..a67d697 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java
|
||||
@@ -21,6 +21,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Objects;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -177,6 +178,8 @@ public class ProfileDataInfo implements JSONSerializer {
|
||||
document.appendChild(profileParameterElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -191,6 +194,7 @@ public class ProfileDataInfo implements JSONSerializer {
|
||||
|
||||
public static ProfileDataInfo fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
|
||||
index 7225c83..8975bc6 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java
|
||||
@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -74,6 +75,8 @@ public class ProfileDataInfos extends DataCollection<ProfileDataInfo> {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -118,6 +121,7 @@ public class ProfileDataInfos extends DataCollection<ProfileDataInfo> {
|
||||
public static ProfileDataInfos fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
|
||||
index 303785d..aac8f0d 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java
|
||||
@@ -23,6 +23,7 @@ import java.util.ArrayList;
|
||||
import java.util.Collection;
|
||||
import java.util.List;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -354,6 +355,8 @@ public class ProfileInput implements JSONSerializer {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -367,6 +370,7 @@ public class ProfileInput implements JSONSerializer {
|
||||
|
||||
public static ProfileInput fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
|
||||
index b2442c7..c85bfed 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java
|
||||
@@ -22,6 +22,7 @@ import java.io.StringWriter;
|
||||
import java.util.ArrayList;
|
||||
import java.util.List;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -234,6 +235,8 @@ public class ProfileOutput implements JSONSerializer {
|
||||
document.appendChild(pdElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -248,6 +251,7 @@ public class ProfileOutput implements JSONSerializer {
|
||||
|
||||
public static ProfileOutput fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
|
||||
index 55e07b4..b6a007f 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java
|
||||
@@ -21,6 +21,7 @@ import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Objects;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -128,6 +129,8 @@ public class ProfileParameter implements JSONSerializer {
|
||||
document.appendChild(profileParameterElement);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -142,6 +145,7 @@ public class ProfileParameter implements JSONSerializer {
|
||||
|
||||
public static ProfileParameter fromXML(String xml) throws Exception {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
|
||||
index b6c2fa4..661355a 100644
|
||||
--- a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
|
||||
+++ b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java
|
||||
@@ -20,6 +20,7 @@ package com.netscape.certsrv.request;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -229,6 +230,8 @@ public class CMSRequestInfo implements JSONSerializer {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -244,6 +247,7 @@ public class CMSRequestInfo implements JSONSerializer {
|
||||
public static CMSRequestInfo fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/common/src/main/java/org/dogtagpki/common/Info.java b/base/common/src/main/java/org/dogtagpki/common/Info.java
|
||||
index 0929ada..3d1b693 100644
|
||||
--- a/base/common/src/main/java/org/dogtagpki/common/Info.java
|
||||
+++ b/base/common/src/main/java/org/dogtagpki/common/Info.java
|
||||
@@ -21,6 +21,7 @@ package org.dogtagpki.common;
|
||||
import java.io.StringReader;
|
||||
import java.io.StringWriter;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
@@ -183,6 +184,8 @@ public class Info extends RESTMessage {
|
||||
document.appendChild(element);
|
||||
|
||||
TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
@@ -198,6 +201,7 @@ public class Info extends RESTMessage {
|
||||
public static Info fromXML(String xml) throws Exception {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(new InputSource(new StringReader(xml)));
|
||||
|
||||
diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
|
||||
index bdd485e..07fae1a 100644
|
||||
--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
|
||||
+++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java
|
||||
@@ -24,6 +24,7 @@ import java.util.Enumeration;
|
||||
import java.util.Locale;
|
||||
import java.util.Vector;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
import javax.xml.transform.OutputKeys;
|
||||
import javax.xml.transform.Transformer;
|
||||
@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor {
|
||||
XMLObject xmlObject = convertDomainInfoToXMLObject(before);
|
||||
Document document = xmlObject.getDocument();
|
||||
|
||||
- Transformer transformer = TransformerFactory.newInstance().newTransformer();
|
||||
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
+ Transformer transformer = transformerFactory.newTransformer();
|
||||
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
|
||||
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
|
||||
|
||||
diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
|
||||
index 2a02d72..d9ac572 100644
|
||||
--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
|
||||
+++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java
|
||||
@@ -41,6 +41,7 @@ public class ServerXml {
|
||||
ServerXml serverXml = new ServerXml();
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder builder = factory.newDocumentBuilder();
|
||||
Document document = builder.parse(filename);
|
||||
|
||||
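Review bot: `builder.parse(filename)`, two lines below the new factory setup, is not constrained by the added feature: if `filename` is a `String` (its declaration is outside this hunk), `DocumentBuilder.parse(String)` treats the argument as a URI rather than as a file path. Wrapping it as `Document document = builder.parse(new File(filename));` would pin the load to the local filesystem, provided `java.io.File` is imported in this file. Separately, a server.xml that carries a DOCTYPE declaration is now rejected with a parse error, which deserves a sentence in the method's documentation. The enclosing method starts and ends outside the hunk.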
diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
|
||||
index 81fdbf4..1043bcb 100644
|
||||
--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
|
||||
+++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java
|
||||
@@ -25,6 +25,7 @@ import java.io.OutputStream;
|
||||
import java.io.StringWriter;
|
||||
import java.util.Vector;
|
||||
|
||||
+import javax.xml.XMLConstants;
|
||||
import javax.xml.parsers.DocumentBuilder;
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import javax.xml.parsers.ParserConfigurationException;
|
||||
@@ -56,6 +57,7 @@ public class XMLObject {
|
||||
public XMLObject(InputStream s)
|
||||
throws SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
mDoc = docBuilder.parse(s);
|
||||
}
|
||||
@@ -63,6 +65,7 @@ public class XMLObject {
|
||||
public XMLObject(File f)
|
||||
throws SAXException, IOException, ParserConfigurationException {
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||
DocumentBuilder docBuilder = factory.newDocumentBuilder();
|
||||
mDoc = docBuilder.parse(f);
|
||||
}
|
||||
@@ -159,6 +162,8 @@ public class XMLObject {
|
||||
public byte[] toByteArray() throws TransformerConfigurationException, TransformerException {
|
||||
ByteArrayOutputStream bos = new ByteArrayOutputStream();
|
||||
TransformerFactory tranFactory = TransformerFactory.newInstance();
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer aTransformer = tranFactory.newTransformer();
|
||||
Source src = new DOMSource(mDoc);
|
||||
Result dest = new StreamResult(bos);
|
||||
@@ -169,6 +174,8 @@ public class XMLObject {
|
||||
public void output(OutputStream os)
|
||||
throws TransformerConfigurationException, TransformerException {
|
||||
TransformerFactory tranFactory = TransformerFactory.newInstance();
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer aTransformer = tranFactory.newTransformer();
|
||||
Source src = new DOMSource(mDoc);
|
||||
Result dest = new StreamResult(os);
|
||||
@@ -177,6 +184,8 @@ public class XMLObject {
|
||||
|
||||
public String toXMLString() throws TransformerConfigurationException, TransformerException {
|
||||
TransformerFactory tranFactory = TransformerFactory.newInstance();
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
||||
+ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
||||
Transformer transformer = tranFactory.newTransformer();
|
||||
Source src = new DOMSource(mDoc);
|
||||
StreamResult dest = new StreamResult(new StringWriter());
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -8,12 +8,15 @@
|
||||
|
||||
Name: pki-core
|
||||
Version: 11.0.0
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: The PKI Core Package
|
||||
License: GPLv2 and LGPLv2
|
||||
URL: http://www.dogtagpki.org/
|
||||
Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz
|
||||
Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
|
||||
|
||||
Patch0001: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
|
||||
|
||||
BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
|
||||
BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
|
||||
BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
|
||||
@ -441,6 +444,12 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jul 15 2022 yinyongkang <yinyongkang@kylinos.cn> - 11.0.0-2
|
||||
- Type:CVE
|
||||
- ID:CVE-2022-2414
|
||||
- SUG:NA
|
||||
- DESC:Fix CVE-2022-2414
|
||||
|
||||
* Thu Jun 16 2022 liyanan <liyanan32@h-partners.com> - 11.0.0-1
|
||||
- Update to 11.0.0
|
||||
|
||||
|
||||