[ https://issues.apache.org/jira/browse/CXF-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp updated CXF-6217:
-----------------------------
    Description: 
I am not sure if this is by design, but the unmarshal below does not prevent or limit external entity resolution. This can expose the parser to an XML External Entities attack.

JmsPullPoint:
{code:java}
    protected synchronized List<NotificationMessageHolderType> getMessages(int max)
        throws ResourceUnknownFault, UnableToGetMessagesFault {
        try {
            if (max == 0) {
                max = 256;
            }
            initSession();
            List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
            for (int i = 0; i < max; i++) {
                Message msg = consumer.receiveNoWait();
                if (msg == null) {
                    break;
                }
                TextMessage txtMsg = (TextMessage) msg;
                StringReader reader = new StringReader(txtMsg.getText());
                Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
                messages.addAll(notify.getNotificationMessage());
            }
            return messages;
        }
{code}


  was:
I am not sure if this is by design, but the unmarshal below does not prevent or limit external entity resolution. This can expose the parser to an XML External Entities attack.

JmsPullPoint:

    protected synchronized List<NotificationMessageHolderType> getMessages(int max)
        throws ResourceUnknownFault, UnableToGetMessagesFault {
        try {
            if (max == 0) {
                max = 256;
            }
            initSession();
            List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
            for (int i = 0; i < max; i++) {
                Message msg = consumer.receiveNoWait();
                if (msg == null) {
                    break;
                }
                TextMessage txtMsg = (TextMessage) msg;
                StringReader reader = new StringReader(txtMsg.getText());
                Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
                messages.addAll(notify.getNotificationMessage());
            }
            return messages;
        }
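One way to close the gap the report describes, shown here as an added example that is neither CXF's code nor part of the issue: instead of handing JAXB a bare StringReader (which lets the unmarshaller pick a parser with default, entity-resolving settings), tokenise the JMS text with an XMLInputFactory that has DTD processing and external-entity support switched off, and pass that XMLStreamReader to the unmarshaller. The example assumes the Java 8 javax.xml.bind JAXB API on the classpath, and uses a constructed Note class and constructed sample messages in place of the Notify type and real JMS payloads.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.annotation.XmlAccessType;
import javax.xml.bind.annotation.XmlAccessorType;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/** Example only: unmarshal untrusted JMS text through a hardened StAX reader. */
public final class SafeJaxbUnmarshal {

    /** One hardened factory is enough; XMLInputFactory instances can be reused. */
    private static final XMLInputFactory SAFE_FACTORY = newHardenedFactory();

    static XMLInputFactory newHardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // No DTD processing at all: this blocks entity declarations (internal and
        // external) and, with them, the DTD-based entity-expansion variants.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Belt and braces: even if a DTD were processed, never resolve external entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /**
     * Drop-in for ctx.createUnmarshaller().unmarshal(new StringReader(xml)):
     * the document is tokenised by the hardened StAX reader, so JAXB never
     * creates a parser of its own with default settings.
     */
    public static <T> T unmarshal(JAXBContext ctx, Class<T> type, String xml)
            throws JAXBException, XMLStreamException {
        XMLStreamReader reader = SAFE_FACTORY.createXMLStreamReader(new StringReader(xml));
        try {
            return ctx.createUnmarshaller().unmarshal(reader, type).getValue();
        } finally {
            reader.close();
        }
    }

    /** Stand-in for the Notify type from the issue (constructed for this example). */
    @XmlRootElement(name = "note")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Note {
        public String body;
        @Override public String toString() { return "Note[body=" + body + "]"; }
    }

    // Constructed sample messages. The second declares an external entity and
    // references it in the body, which is the pattern the issue warns about.
    static final String BENIGN_MESSAGE = "<note><body>hello</body></note>";
    static final String XXE_MESSAGE =
            "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
            + "<note><body>&ext;</body></note>";

    public static void main(String[] args) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Note.class);
        System.out.println("benign: " + unmarshal(ctx, Note.class, BENIGN_MESSAGE));
        try {
            Note n = unmarshal(ctx, Note.class, XXE_MESSAGE);
            // Reached only if the StAX implementation skips the DTD silently; the
            // reference is then left unexpanded and the named file is never read.
            System.out.println("no expansion: " + n);
        } catch (Exception e) {
            // The usual outcome with SUPPORT_DTD=false: the DOCTYPE (or the now
            // undeclared entity) is rejected before any external access happens.
            System.out.println("rejected: " + e.getClass().getSimpleName()
                    + ": " + e.getMessage());
        }
    }
}
```

Whether the second message is rejected outright or parsed with the reference left empty depends on the StAX implementation on the classpath, but in neither case is the external resource fetched, which is the property the report asks for. Inside CXF itself, the project's own StaxUtils helper is the natural place to obtain a reader with these settings; the example uses plain JAXP so it runs with only the JDK.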

> JmsPullPoint does not protect against external entities
> -------------------------------------------------------
>
>                 Key: CXF-6217
>                 URL: https://issues.apache.org/jira/browse/CXF-6217
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)