From b12e82ed59fbe7471213ac079e159963a23e45a4 Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Fri, 14 Mar 2014 15:21:33 +0000
Subject: [PATCH] Merged HEAD-BUG-FIX (4.3/Cloud) to HEAD (4.3/Cloud) 60524: MNT-10491: Merged V4.2-BUG-FIX (4.2.2) to HEAD-BUG-FIX (Cloud/4.3) 60523: MNT-10490: Merged V4.1-BUG-FIX (4.1.8) to V4.2-BUG-FIX (4.2.2) 60522: MNT-10489: Merged V3.4-BUG-FIX (3.4.14) to V4.1-BUG-FIX (4.1.8) 60521: MNT-10488: Merged CLOUD-R31 to V3.4-BUG-FIX (3.4.14) 60520: HOTFIX MNT-10484 [Security] Any OS file can be retrieved via WebDAV - Change suggested by Viachaslau Tikhanovich at 24-Jan-14 05:14 PM GMT git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@64241 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 source/java/org/alfresco/repo/webdav/WebDAVMethod.java | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/source/java/org/alfresco/repo/webdav/WebDAVMethod.java b/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
index 1b45ce0584..ce77192685 100644
--- a/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
+++ b/source/java/org/alfresco/repo/webdav/WebDAVMethod.java
@@ -534,6 +534,15 @@ public abstract class WebDAVMethod
 try {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://xml.org/sax/features/validation", false);
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("http://xml.org/sax/features/use-entity-resolver2", false);
+ factory.setFeature("http://apache.org/xml/features/validation/unparsed-entity-checking", false);
+ factory.setFeature("http://apache.org/xml/features/validation/dynamic", false);
+ factory.setFeature("http://apache.org/xml/features/validation/schema/augment-psvi", false);
 factory.setNamespaceAware(true);
 DocumentBuilder builder = factory.newDocumentBuilder();
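Review bot: The added `setFeature` calls switch off external entities and external DTD loading, but the factory still accepts a DOCTYPE declaration, so internal entity definitions in a request body are still parsed and expansion-based resource exhaustion may remain possible depending on the parser's limits. WebDAV request bodies have no need for a DTD, so I would put `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` and `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` ahead of the other calls, and also call `factory.setXIncludeAware(false);`. Most of the URIs here are Xerces-specific and `setFeature` throws `ParserConfigurationException` when the JAXP implementation does not recognise one; the `catch` for this `try` is outside the hunk, so it should be confirmed that such a failure rejects the request rather than continuing with an unhardened parser. A one-line comment such as `// MNT-10484: block XXE - no DTDs or external entities in WebDAV request bodies` would tell maintainers which of the nine flags carry the security fix.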