Bug 518031 - XML External Entity Vulnerability in Eclipse IDEY20170921-1000Y20170920-1000Y20170919-1000Y20170918-1000Y20170917-1000Y20170916-1000Y20170915-1000Y20170914-1000Y20170913-1335Y20170913-1000Y20170912-1000Y20170911-1000Y20170907-1000U20170928-0110U20170927-1900U20170927-0115U20170926-1200U20170922-1005U20170922-0835U20170922-0750U20170921-1315U20170921-0520U20170921-0430U20170921-0400U20170914-0400U20170913-1405U20170913-1050U20170913-0250U20170912-1305U20170912-0740U20170907-0400S4_7_1_aRC1S4_7_1_RC4R4_7_1M20170927-1700M20170927-0400M20170926-1700M20170926-1000M20170925-0650M20170922-1005M20170922-0855M20170922-0740M20170921-1315M20170921-0255M20170920-2345M20170920-1700M20170920-0400M20170919-1155M20170919-0830M20170918-1300M20170906-1700

Ensure XML processors are configured to use
XMLConstants.FEATURE_SECURE_PROCESSING=true
to avoid accessing external DTDs and expanding external entities.

(Backport to 4.7)

Change-Id: Icabb6e0d55dd546a66ad506cde7e24a996484f1a
Signed-off-by: Brian de Alwis <bsd@mt.ca>
Signed-off-by: Thomas Watson <tjwatson@us.ibm.com>

3 files changed, 4 insertions, 3 deletions

diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
index 06c6ee6f8..b8fdf1036 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.equinox.p2.metadata.repository;singleton:=true
-Bundle-Version: 1.2.400.qualifier
+Bundle-Version: 1.2.401.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.p2.metadata.repository.Activator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
index b2d98ee6b..0ea826cd9 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
@@ -19,6 +19,6 @@
 	</parent>
 	<groupId>org.eclipse.equinox</groupId>
 	<artifactId>org.eclipse.equinox.p2.metadata.repository</artifactId>
-	<version>1.2.400-SNAPSHOT</version>
+	<version>1.2.401-SNAPSHOT</version>
 	<packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
index 63ace1841..cd7b0202a 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
@@ -15,6 +15,7 @@ import java.io.InputStream;
 import java.util.Arrays;
 import java.util.Collection;
 import javax.xml.parsers.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.internal.p2.metadata.repository.io.MetadataParser;
 import org.eclipse.equinox.internal.p2.persistence.Messages;
 import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -33,7 +34,7 @@ public class IUDeserializer {
 	 * Construct a new instance of the deserializer.
 	 */
 	public IUDeserializer() {
-		deserializer = new IUDeserializerParser(SAXParserFactory.newInstance());
+		deserializer = new IUDeserializerParser(SecureXMLUtil.newSecureSAXParserFactory());
 	}
 
 	/**