Skip to main content
aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBrian de Alwis2017-08-30 19:47:56 +0000
committerBrian de Alwis2017-08-31 14:03:37 +0000
commit71ce503c0e1dabec9f7d65841ee4852c59f0432f (patch)
tree056464f9a7ecd98f8b44b25cfcbf6fe9c9f208cf /bundles/org.eclipse.equinox.p2.core
parent70c366fd4d0475ed1fd826cbf2283f8ed3b3ebec (diff)
downloadrt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.tar.gz
rt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.tar.xz
rt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.zip
Bug 518031 - XML External Entity Vulnerability in Eclipse IDEI20170904-0230I20170903-2000I20170902-1500I20170901-2000
Ensure XML processors are configured to use XMLConstants.FEATURE_SECURE_PROCESSING=true to avoid accessing external DTDs and expanding external entities. Change-Id: Ic29e4a0aab1ea5f642ce49914bc6fcecd238efe8 Signed-off-by: Brian de Alwis <bsd@mt.ca>
Diffstat (limited to 'bundles/org.eclipse.equinox.p2.core')
-rw-r--r--bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java72
1 files changed, 72 insertions, 0 deletions
diff --git a/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
new file mode 100644
index 000000000..3bd154bc8
--- /dev/null
+++ b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
@@ -0,0 +1,72 @@
+/*******************************************************************************
+ * Copyright (c) 20017 Manumitting Technologies Inc and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Manumitting Technologies Inc - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.equinox.internal.p2.core.helpers;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.*;
+import org.eclipse.core.runtime.IStatus;
+import org.eclipse.core.runtime.Status;
+import org.eclipse.equinox.internal.p2.core.Activator;
+import org.xml.sax.*;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+/**
+ * A utility class for processing XML data in a secure fashion,
+ * avoiding XML Entity Expansion problems
+ */
+public class SecureXMLUtil {
+ /**
+ * Create a new {@link DocumentBuilderFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static DocumentBuilderFactory newSecureDocumentBuilderFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link SAXParserFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static SAXParserFactory newSecureSAXParserFactory() {
+ SAXParserFactory factory = SAXParserFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link XMLReader} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static XMLReader newSecureXMLReader() throws SAXException {
+ XMLReader reader = XMLReaderFactory.createXMLReader();
+ try {
+ reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return reader;
+ }
+}

Back to the top