authorBrian de Alwis2017-08-30 19:47:56 +0000
committerBrian de Alwis2017-08-31 14:03:37 +0000
commit71ce503c0e1dabec9f7d65841ee4852c59f0432f (patch)
tree056464f9a7ecd98f8b44b25cfcbf6fe9c9f208cf /bundles/org.eclipse.equinox.p2.artifact.repository
parent70c366fd4d0475ed1fd826cbf2283f8ed3b3ebec (diff)
downloadrt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.tar.gz
rt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.tar.xz
rt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.zip
Bug 518031 - XML External Entity Vulnerability in Eclipse IDEI20170904-0230I20170903-2000I20170902-1500I20170901-2000
Ensure XML processors are configured to use XMLConstants.FEATURE_SECURE_PROCESSING=true to avoid accessing external DTDs and expanding external entities. Change-Id: Ic29e4a0aab1ea5f642ce49914bc6fcecd238efe8 Signed-off-by: Brian de Alwis <bsd@mt.ca>
Diffstat (limited to 'bundles/org.eclipse.equinox.p2.artifact.repository')
-rw-r--r--bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java7
1 files changed, 3 insertions, 4 deletions
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
index 8e7fae428..a8cf92c71 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
@@ -24,8 +24,7 @@ import java.util.*;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.internal.p2.repository.DownloadStatus;
import org.eclipse.equinox.internal.p2.repository.Transport;
import org.eclipse.equinox.p2.repository.IRepository;
@@ -266,7 +265,7 @@ public class MirrorSelector {
}
mirrorsURL = mirrorsURL + "countryCode=" + countryCode + "&timeZone=" + timeZone + "&format=xml"; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
- DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document document = null;
// Use Transport to read the mirrors list (to benefit from proxy support, authentication, etc)
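Review bot: The new `SecureXMLUtil.newSecureDocumentBuilderFactory()` call builds the parser for a mirrors list read from a remote URL, but the helper's body is not in this diff, and the commit description mentions only `XMLConstants.FEATURE_SECURE_PROCESSING`. Whether that flag alone stops DOCTYPE processing and external-entity resolution depends on the JAXP implementation resolved at runtime, so the protection may be weaker than intended if a non-JDK parser is on the classpath. A mirrors list has no need for a DTD, so I would confirm the helper also sets `http://apache.org/xml/features/disallow-doctype-decl` to true (or, failing that, disables `external-general-entities` and `external-parameter-entities`) and calls `setExpandEntityReferences(false)`. A call-site comment such as `// mirrors XML is remote input: factory must reject DOCTYPE/external entities` would record why the plain factory must not be reintroduced. The enclosing method starts and ends outside the hunk.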
@@ -292,7 +291,7 @@ public class MirrorSelector {
|| mirrorsURL.startsWith("https://") //$NON-NLS-1$
|| mirrorsURL.startsWith("file://") //$NON-NLS-1$
|| mirrorsURL.startsWith("ftp://") //$NON-NLS-1$
- || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
+ || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
log("Error processing mirrors URL: " + mirrorsURL, e); //$NON-NLS-1$
return null;
}
