MNT-10589: Merged V4.2-BUG-FIX (4.2.2) to V4.2.1 (4.2.1)

60891: Merged BRANCHES/DEV/V4.1-BUG-FIX to BRANCHES/DEV/V4.2-BUG-FIX: 60889: Merged BRANCHES/DEV/V3.4-BUG-FIX to BRANCHES/DEV/V4.1-BUG-FIX: 60873: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities 60876: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities 60887: MNT-10560: Security: The Apache Xerces XML parser exposes security vulnerabilities git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/PATCHES/V4.2.1/root@60909 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
2025-08-21 18:09:20 +00:00 · 2014-02-01 20:05:48 +00:00
parent 504d1a2ae3
commit 6dc92ead70
3 changed files with 6 additions and 15 deletions
--- a/source/java/org/alfresco/repo/web/scripts/bean/ADMRemoteStore.java
+++ b/source/java/org/alfresco/repo/web/scripts/bean/ADMRemoteStore.java
@@ -70,6 +70,7 @@ import org.alfresco.service.cmr.site.SiteInfo;
 import org.alfresco.service.cmr.site.SiteService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.namespace.QName;
 import org.alfresco.util.XMLUtil;
 import org.apache.axis.utils.ByteArrayOutputStream;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -391,7 +392,7 @@ public class ADMRemoteStore extends BaseRemoteStore
    {
        try
        {
-            DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); 
+            DocumentBuilder documentBuilder = XMLUtil.getDocumentBuilderFactory(true, false).newDocumentBuilder(); 
            Document document;
            document = documentBuilder.parse(in);
            Element docEl = document.getDocumentElement();
--- a/source/java/org/alfresco/repo/web/scripts/bean/AVMRemoteStore.java
+++ b/source/java/org/alfresco/repo/web/scripts/bean/AVMRemoteStore.java
@@ -47,6 +47,7 @@ import org.alfresco.service.cmr.repository.ContentIOException;
 import org.alfresco.service.cmr.repository.ContentReader;
 import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.service.cmr.search.SearchService;
 import org.alfresco.util.XMLUtil;
 import org.apache.axis.utils.ByteArrayOutputStream;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -288,7 +289,7 @@ public class AVMRemoteStore extends BaseRemoteStore
                try
                {
                    Set<String> checkedPaths = new HashSet<String>(16);
-                    DocumentBuilder documentBuilder = DocumentBuilderFactory.newInstance().newDocumentBuilder(); 
+                    DocumentBuilder documentBuilder = XMLUtil.getDocumentBuilder(); 
                    Document document = documentBuilder.parse(in);
                    Element docEl = document.getDocumentElement();
                    Transformer transformer = AVMRemoteStore.this.transformer.get();
--- a/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
+++ b/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
@@ -67,6 +67,7 @@ import org.alfresco.service.cmr.security.PermissionService;
 import org.alfresco.service.namespace.NamespaceService;
 import org.alfresco.service.transaction.TransactionService;
 import org.alfresco.util.TempFileProvider;
 import org.alfresco.util.XMLUtil;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.dom4j.DocumentHelper;
@@ -533,19 +534,7 @@ public abstract class WebDAVMethod
            try
            {
-                DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+                DocumentBuilder builder = XMLUtil.getDocumentBuilderFactory(true, false).newDocumentBuilder();
                factory.setFeature("http://xml.org/sax/features/validation", false);
                factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
                factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
                factory.setFeature("http://xml.org/sax/features/use-entity-resolver2", false);   
                factory.setFeature("http://apache.org/xml/features/validation/unparsed-entity-checking", false);
                factory.setFeature("http://apache.org/xml/features/validation/dynamic", false);
                factory.setFeature("http://apache.org/xml/features/validation/schema/augment-psvi", false);
                factory.setNamespaceAware(true);
                DocumentBuilder builder = factory.newDocumentBuilder();
                if (m_request.getCharacterEncoding() == null)
                {
                    // Let the XML parser work out the encoding if it is not explicitly declared in the HTTP header