diff options
author | Brian de Alwis | 2017-08-30 19:47:56 +0000 |
---|---|---|
committer | Brian de Alwis | 2017-08-31 14:03:37 +0000 |
commit | 71ce503c0e1dabec9f7d65841ee4852c59f0432f (patch) | |
tree | 056464f9a7ecd98f8b44b25cfcbf6fe9c9f208cf /bundles/org.eclipse.equinox.p2.artifact.repository | |
parent | 70c366fd4d0475ed1fd826cbf2283f8ed3b3ebec (diff) | |
download | rt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.tar.gz rt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.tar.xz rt.equinox.p2-71ce503c0e1dabec9f7d65841ee4852c59f0432f.zip |
Bug 518031 - XML External Entity Vulnerability in Eclipse IDEI20170904-0230I20170903-2000I20170902-1500I20170901-2000
Ensure XML processors are configured to use XMLConstants.FEATURE_SECURE_PROCESSING=true
to avoid accessing external DTDs and expanding external entities.
Change-Id: Ic29e4a0aab1ea5f642ce49914bc6fcecd238efe8
Signed-off-by: Brian de Alwis <bsd@mt.ca>
Diffstat (limited to 'bundles/org.eclipse.equinox.p2.artifact.repository')
-rw-r--r-- | bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java index 8e7fae428..a8cf92c71 100644 --- a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java +++ b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java @@ -24,8 +24,7 @@ import java.util.*; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; import org.eclipse.core.runtime.*; -import org.eclipse.equinox.internal.p2.core.helpers.LogHelper; -import org.eclipse.equinox.internal.p2.core.helpers.Tracing; +import org.eclipse.equinox.internal.p2.core.helpers.*; import org.eclipse.equinox.internal.p2.repository.DownloadStatus; import org.eclipse.equinox.internal.p2.repository.Transport; import org.eclipse.equinox.p2.repository.IRepository; @@ -266,7 +265,7 @@ public class MirrorSelector { } mirrorsURL = mirrorsURL + "countryCode=" + countryCode + "&timeZone=" + timeZone + "&format=xml"; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$ - DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance(); + DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory(); DocumentBuilder builder = domFactory.newDocumentBuilder(); Document document = null; // Use Transport to read the mirrors list (to benefit from proxy support, authentication, etc) @@ -292,7 +291,7 @@ public class MirrorSelector { || mirrorsURL.startsWith("https://") //$NON-NLS-1$ || mirrorsURL.startsWith("file://") //$NON-NLS-1$ || mirrorsURL.startsWith("ftp://") //$NON-NLS-1$ - || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$ + || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$ log("Error processing mirrors URL: " + mirrorsURL, e); //$NON-NLS-1$ return null; } |