[
https://issues.apache.org/jira/browse/CXF-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14610227#comment-14610227
]
Donald Kwakkel commented on CXF-6217:
-------------------------------------
I would fix all locations, just to be sure that in case flow changes not
accidently a security issue is introduced.
> JmsPullPoint does not protect against external entities
> -------------------------------------------------------
>
> Key: CXF-6217
> URL: https://issues.apache.org/jira/browse/CXF-6217
> Project: CXF
> Issue Type: Bug
> Components: Core
> Affects Versions: 3.0.1
> Reporter: Donald Kwakkel
> Assignee: Daniel Kulp
> Fix For: 3.0.4, 2.7.15
>
>
> I am not sure if this is by design, but the unmarshell below does not prevent
> nor limit external entities resolution. This can expose the parser to an XML
> External Entities attack.
> JmsPullPoint:
> {code:java}
> protected synchronized List<NotificationMessageHolderType> getMessages(int
> max)
> throws ResourceUnknownFault, UnableToGetMessagesFault {
> try {
> if (max == 0) {
> max = 256;
> }
> initSession();
> List<NotificationMessageHolderType> messages = new
> ArrayList<NotificationMessageHolderType>();
> for (int i = 0; i < max; i++) {
> Message msg = consumer.receiveNoWait();
> if (msg == null) {
> break;
> }
> TextMessage txtMsg = (TextMessage) msg;
> StringReader reader = new StringReader(txtMsg.getText());
> Notify notify = (Notify)
> jaxbContext.createUnmarshaller().unmarshal(reader);
> messages.addAll(notify.getNotificationMessage());
> }
> return messages;
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
