From 6dc92ead70fb609a6445248fc8084c53adb3a075 Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Sat, 1 Feb 2014 20:05:48 +0000
Subject: [PATCH] MNT-10589: Merged V4.2-BUG-FIX (4.2.2) to V4.2.1 (4.2.1)
60891: Merged BRANCHES/DEV/V4.1-BUG-FIX to BRANCHES/DEV/V4.2-BUG-FIX:
60889: Merged BRANCHES/DEV/V3.4-BUG-FIX to BRANCHES/DEV/V4.1-BUG-FIX:
60873: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities
60876: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities
60887: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/PATCHES/V4.2.1/root@60909 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../repo/web/scripts/bean/ADMRemoteStore.java | 3 ++-
 .../repo/web/scripts/bean/AVMRemoteStore.java | 3 ++-
 .../org/alfresco/repo/webdav/WebDAVMethod.java | 15 ++-------------
 3 files changed, 6 insertions(+), 15 deletions(-)
diff --git a/source/java/org/alfresco/repo/web/scripts/bean/ADMRemoteStore.java b/source/java/org/alfresco/repo/web/scripts/bean/ADMRemoteStore.java
index 78598ad581..ae853571bd 100644
--- a/source/java/org/alfresco/repo/web/scripts/bean/ADMRemoteStore.java
+++ b/source/java/org/alfresco/repo/web/scripts/bean/ADMRemoteStore.java
@@ -70,6 +70,7 @@ import org.alfresco.service.cmr.site.SiteInfo;
 import org.alfresco.service.cmr.site.SiteService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
+import org.alfresco.util.XMLUtil;
 import org.apache.axis.utils.ByteArrayOutputStream;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -391,7 +392,7 @@ public class ADMRemoteStore extends BaseRemoteStore
 {
 try
 {
- DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilder documentBuilder = XMLUtil.getDocumentBuilderFactory(true, false).newDocumentBuilder();
 Document document;
 document = documentBuilder.parse(in);
 Element docEl = document.getDocumentElement();
diff --git a/source/java/org/alfresco/repo/web/scripts/bean/AVMRemoteStore.java b/source/java/org/alfresco/repo/web/scripts/bean/AVMRemoteStore.java
index 015857704b..a782e39a57 100644
--- a/source/java/org/alfresco/repo/web/scripts/bean/AVMRemoteStore.java
+++ b/source/java/org/alfresco/repo/web/scripts/bean/AVMRemoteStore.java
@@ -47,6 +47,7 @@ import org.alfresco.service.cmr.repository.ContentIOException;
 import org.alfresco.service.cmr.repository.ContentReader;
 import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.search.SearchService;
+import org.alfresco.util.XMLUtil;
 import org.apache.axis.utils.ByteArrayOutputStream;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -288,7 +289,7 @@ public class AVMRemoteStore extends BaseRemoteStore
 try
 {
 Set checkedPaths = new HashSet(16);
- DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ DocumentBuilder documentBuilder = XMLUtil.getDocumentBuilder();
 Document document = documentBuilder.parse(in);
 Element docEl = document.getDocumentElement();
 Transformer transformer = AVMRemoteStore.this.transformer.get();
diff --git a/source/java/org/alfresco/repo/webdav/WebDAVMethod.java b/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
index 2fe8d282fd..3549363e89 100644
--- a/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
+++ b/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
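Review bot: The hardening this call site now depends on lives entirely in `XMLUtil.getDocumentBuilderFactory(true, false)`, which is not in this patch, so the hunk alone does not show that the `documentBuilder.parse(in)` on the following line still refuses external entities and external DTD loading; the reviewer should confirm that helper sets at least the `external-general-entities`, `external-parameter-entities` and `load-external-dtd` features to false (the list the WebDAVMethod hunk deletes) and, if the stored documents never need a DOCTYPE, `http://apache.org/xml/features/disallow-doctype-decl` as well. The two boolean arguments are opaque at the call site; if the first one is namespace awareness, as the `setNamespaceAware(true)` removed in WebDAVMethod suggests, this store moves from the non-namespace-aware default to namespace-aware parsing, which changes what `getLocalName()` and `getNamespaceURI()` return for the code that walks `docEl`, so a comment such as `// namespace-aware, non-validating; XMLUtil disables external entities and DTD loading` or named constants for the flags would help. The diffstat shows no import removed, so `DocumentBuilderFactory` is probably an unused import now here and in the AVMRemoteStore and WebDAVMethod hunks unless it has other uses. The enclosing method starts and ends outside the hunk.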
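Review bot: This call site uses `XMLUtil.getDocumentBuilder()` whereas the parallel ADMRemoteStore and WebDAVMethod hunks use `XMLUtil.getDocumentBuilderFactory(true, false).newDocumentBuilder()`, so unless the no-argument helper is documented to apply the same entity and DTD restrictions, the two remote stores now parse the same kind of request body with potentially different parser configurations. That may be deliberate, to keep this store on non-namespace-aware parsing like its original `DocumentBuilderFactory.newInstance()`, but nothing in the hunk says so; either use the same form, `DocumentBuilder documentBuilder = XMLUtil.getDocumentBuilderFactory(false, false).newDocumentBuilder();` with the flags chosen to match the previous behaviour, or add a one-line comment stating that `getDocumentBuilder()` is the hardened, non-namespace-aware equivalent. The enclosing method starts and ends outside the hunk.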
@@ -67,6 +67,7 @@ import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.TempFileProvider;
+import org.alfresco.util.XMLUtil;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.dom4j.DocumentHelper;
@@ -533,19 +534,7 @@ public abstract class WebDAVMethod
 try
 {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://xml.org/sax/features/validation", false);
- factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
- factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
- factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- factory.setFeature("http://xml.org/sax/features/use-entity-resolver2", false);
- factory.setFeature("http://apache.org/xml/features/validation/unparsed-entity-checking", false);
- factory.setFeature("http://apache.org/xml/features/validation/dynamic", false);
- factory.setFeature("http://apache.org/xml/features/validation/schema/augment-psvi", false);
- factory.setNamespaceAware(true);
-
- DocumentBuilder builder = factory.newDocumentBuilder();
+ DocumentBuilder builder = XMLUtil.getDocumentBuilderFactory(true, false).newDocumentBuilder();
 if (m_request.getCharacterEncoding() == null)
 {
 // Let the XML parser work out the encoding if it is not explicitly declared in the HTTP header