Donald Kwakkel created CXF-6217:
-----------------------------------

Summary: JmsPullPoint does not protect against external entities
Key: CXF-6217
URL: https://issues.apache.org/jira/browse/CXF-6217
Project: CXF
Issue Type: Bug
Components: Core
Affects Versions: 3.0.1
Reporter: Donald Kwakkel
I am not sure if this is by design, but the unmarshal below does not prevent nor limit external entity resolution. This can expose the parser to an XML External Entities attack.

JmsPullPoint:

    protected synchronized List<NotificationMessageHolderType> getMessages(int max)
        throws ResourceUnknownFault, UnableToGetMessagesFault {
        try {
            if (max == 0) {
                max = 256;
            }
            initSession();
            List<NotificationMessageHolderType> messages =
                new ArrayList<NotificationMessageHolderType>();
            for (int i = 0; i < max; i++) {
                Message msg = consumer.receiveNoWait();
                if (msg == null) {
                    break;
                }
                TextMessage txtMsg = (TextMessage) msg;
                StringReader reader = new StringReader(txtMsg.getText());
                Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
                messages.addAll(notify.getNotificationMessage());
            }
            return messages;
        }

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
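The hardened form of the unmarshal step described in the issue, as an added example that is not part of the report or of CXF's own code: instead of handing a raw StringReader to JAXB (which lets the default parser resolve DTDs and external entities), the message text is first wrapped in a StAX reader whose factory has DTD support and external entity resolution switched off. The Notify class here is a hypothetical stand-in for the real payload type, and the example assumes javax.xml.bind (JAXB) on the classpath.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class SafeUnmarshal {

    // Hypothetical stand-in for the Notify type consumed by JmsPullPoint.
    @XmlRootElement(name = "notify")
    public static class Notify {
        public String message;
    }

    /** Unmarshal untrusted XML text with DTDs and external entities disabled. */
    public static <T> T unmarshal(JAXBContext ctx, Class<T> type, String xml)
            throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        // Refuse DOCTYPE processing and external entity expansion up front,
        // so an entity such as SYSTEM "file:///..." is never resolved.
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        try {
            // JAXB parses through the hardened StAX reader instead of its own parser.
            return ctx.createUnmarshaller().unmarshal(xsr, type).getValue();
        } finally {
            xsr.close();
        }
    }

    public static void main(String[] args) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Notify.class);

        // Constructed benign message: parses normally.
        String benign = "<notify><message>hello</message></notify>";
        System.out.println("benign: " + unmarshal(ctx, Notify.class, benign).message);

        // Constructed message carrying a DOCTYPE with an external entity; the
        // hardened reader rejects it before any entity content can be fetched.
        String withDtd = "<!DOCTYPE notify [<!ENTITY e SYSTEM \"file:///etc/hostname\">]>"
                + "<notify><message>&e;</message></notify>";
        try {
            unmarshal(ctx, Notify.class, withDtd);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (XMLStreamException | JAXBException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Inside CXF itself the same effect is available through org.apache.cxf.staxutils.StaxUtils.createXMLStreamReader(Reader), which applies the project's own hardened StAX factory settings.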