[508083] XML External Entity vulnerability during validation
Change jsp.core to just disable entity expansion due to API restriction
diff --git a/bundles/org.eclipse.jst.jsp.core/src/org/eclipse/jst/jsp/core/internal/util/CommonXML.java b/bundles/org.eclipse.jst.jsp.core/src/org/eclipse/jst/jsp/core/internal/util/CommonXML.java
index 9846f2e..8d685f3 100644
--- a/bundles/org.eclipse.jst.jsp.core/src/org/eclipse/jst/jsp/core/internal/util/CommonXML.java
+++ b/bundles/org.eclipse.jst.jsp.core/src/org/eclipse/jst/jsp/core/internal/util/CommonXML.java
@@ -27,10 +27,7 @@
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
-import org.eclipse.core.runtime.preferences.InstanceScope;
import org.eclipse.jst.jsp.core.internal.Logger;
-import org.eclipse.wst.xml.core.internal.XMLCorePlugin;
-import org.eclipse.wst.xml.core.internal.preferences.XMLCorePreferenceNames;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
@@ -42,11 +39,7 @@
DocumentBuilder result = null;
try {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
-
- String xmlCoreId = XMLCorePlugin.getDefault().getBundle().getSymbolicName();
- boolean resolveExternalEntities = InstanceScope.INSTANCE.getNode(xmlCoreId).getBoolean(XMLCorePreferenceNames.RESOLVE_EXTERNAL_ENTITIES, false);
- documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", resolveExternalEntities);
- documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", resolveExternalEntities);
+ documentBuilderFactory.setExpandEntityReferences(false);
result = documentBuilderFactory.newDocumentBuilder();
result.setEntityResolver(getEntityResolver());
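Review bot: Replacing the two `setFeature` calls with `documentBuilderFactory.setExpandEntityReferences(false)` leaves this factory with no explicit switch for external entity loading. That setter controls how entity reference nodes appear in the resulting DOM and is not documented to stop the parser from fetching external general or parameter entities, so protection now appears to rest on whatever `getEntityResolver()` returns, which is not visible here. The preference lookup can be removed without dropping the features: keep `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` with the value hard-coded, which needs none of the removed imports. The same applies to the `instance` factory in the hunk at `@@ -62,11 +55,6 @@`, where the calls are removed with no replacement and `setValidating(validating)` can still cause a DTD to be read. Both enclosing methods start and end outside their hunks, so the exception handling around these calls should be checked before re-adding them.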
@@ -62,11 +55,6 @@
try {
DocumentBuilderFactory instance = DocumentBuilderFactory.newInstance();
- String xmlCoreId = XMLCorePlugin.getDefault().getBundle().getSymbolicName();
- boolean resolveExternalEntities = InstanceScope.INSTANCE.getNode(xmlCoreId).getBoolean(XMLCorePreferenceNames.RESOLVE_EXTERNAL_ENTITIES, false);
- instance.setFeature("http://xml.org/sax/features/external-general-entities", resolveExternalEntities);
- instance.setFeature("http://xml.org/sax/features/external-parameter-entities", resolveExternalEntities);
-
instance.setValidating(validating);
instance.setExpandEntityReferences(false);
instance.setCoalescing(true);