Hi,

I thought that this would be worth sharing.


The XXE vulnerability reported for BlazeDS a few weeks ago has left me pretty 
aware of this problem, looking for vulnerabilities wherever I go. I recently 
came up with a solution that should be able to fix this everywhere.


The problem is that the JDK's DocumentBuilderFactory creates vulnerable 
instances by default. I couldn't find a way to configure this. However, this 
could be easily fixed by creating a custom DocumentBuilderFactory that simply 
sets the security features in its constructor.


import javax.xml.parsers.ParserConfigurationException;

// The JDK's bundled Xerces factory; with a standalone Xerces on the classpath
// use org.apache.xerces.jaxp.DocumentBuilderFactoryImpl instead.
import com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl;

public class SecureDocumentBuilderFactory extends DocumentBuilderFactoryImpl {
    public SecureDocumentBuilderFactory() {
        try {
            // Never fetch external general entities (<!ENTITY x SYSTEM "...">).
            setFeature("http://xml.org/sax/features/external-general-entities", false);
            // Never fetch external parameter entities (<!ENTITY % x SYSTEM "...">).
            setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            // No <xi:include>, and leave entity references unexpanded in the DOM.
            setXIncludeAware(false);
            setExpandEntityReferences(false);
        } catch (ParserConfigurationException e) {
            // Fail closed: a factory whose hardening could not be applied
            // must not hand out parsers.
            throw new IllegalStateException("Could not harden DocumentBuilderFactory", e);
        }
    }
}


In order to make the JVM use this instance you have to set a system property 
"javax.xml.parsers.DocumentBuilderFactory" to the custom class name.


With this custom DocumentBuilderFactory you should be safe to continue working 
with any old version of BlazeDS ... even if I really hope you update to our 
cool new one :-)


(Eventually this could even fix LCDS, but I won't bet my life on it ... please 
contact Adobe for confirmation on this, if you need to)


Hope this proves to be useful for someone ...


Chris
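The check I would want before trusting the fix above: feed a constructed XXE document to the JDK's default factory and to one with the four settings from the post applied, and compare what ends up in the DOM. This is an added example, not code from the original post or from BlazeDS; it assumes the JDK's Xerces-based JAXP parser, and the file path in the payload is illustrative only (the check works whether or not the file exists).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeCheck {

    // Constructed XXE test document (not from the original post): an external
    // general entity that tries to pull a local file into <data>. The path is
    // illustrative; the check does not need the file to exist.
    static final String XXE_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [\n"
        + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
        + "]>\n"
        + "<data>&xxe;</data>\n";

    /** Applies the same four settings the post's SecureDocumentBuilderFactory
     *  sets in its constructor, to any factory instance. */
    static DocumentBuilderFactory harden(DocumentBuilderFactory f)
            throws ParserConfigurationException {
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the payload and reports either the text that ended up inside
     *  <data> or the reason the parser refused the document. */
    static String parseWith(DocumentBuilderFactory f) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document doc = b.parse(new ByteArrayInputStream(
                    XXE_PAYLOAD.getBytes(StandardCharsets.UTF_8)));
            String text = doc.getDocumentElement().getTextContent();
            return "parsed; <data> holds " + text.length() + " chars: '" + text.trim() + "'";
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws ParserConfigurationException {
        // Default factory: the parser follows the SYSTEM identifier, so the file
        // contents land in <data> (or an IOException if the file is unreadable).
        System.out.println("default : " + parseWith(DocumentBuilderFactory.newInstance()));

        // Hardened factory: the external entity is never fetched, so <data>
        // stays empty and no file access happens at all.
        System.out.println("hardened: " + parseWith(harden(DocumentBuilderFactory.newInstance())));
    }
}
```

Running this with `-Djavax.xml.parsers.DocumentBuilderFactory=SecureDocumentBuilderFactory` (the post's class on the classpath) makes the "default" line print the hardened result too, which is the quickest way to confirm the system property actually took effect in a given deployment. If the application has no legitimate need for a DOCTYPE at all, Xerces additionally offers the feature `http://apache.org/xml/features/disallow-doctype-decl`; setting it to true rejects any DOCTYPE outright and so also stops internal-entity expansion attacks ("billion laughs") that the four settings above do not address.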
