author | Brian de Alwis | 2017-08-30 19:47:56 +0000 |
committer | Brian de Alwis | 2017-08-31 14:03:37 +0000 |
commit | 71ce503c0e1dabec9f7d65841ee4852c59f0432f (patch) | |
tree | 056464f9a7ecd98f8b44b25cfcbf6fe9c9f208cf /bundles/org.eclipse.equinox.p2.metadata.repository | |
parent | 70c366fd4d0475ed1fd826cbf2283f8ed3b3ebec (diff) | |
Bug 518031 - XML External Entity Vulnerability in Eclipse IDE
I20170904-0230 I20170903-2000 I20170902-1500 I20170901-2000
Ensure XML processors are configured to use XMLConstants.FEATURE_SECURE_PROCESSING=true
to avoid accessing external DTDs and expanding external entities.
Change-Id: Ic29e4a0aab1ea5f642ce49914bc6fcecd238efe8
Signed-off-by: Brian de Alwis <bsd@mt.ca>
Diffstat (limited to 'bundles/org.eclipse.equinox.p2.metadata.repository')
-rw-r--r-- | bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
index 07c5baa7b..65d33563d 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
@@ -15,6 +15,7 @@ import java.io.InputStream;
 import java.util.Arrays;
 import java.util.Collection;
 import javax.xml.parsers.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.internal.p2.metadata.repository.io.MetadataParser;
 import org.eclipse.equinox.internal.p2.persistence.Messages;
 import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -33,7 +34,7 @@ public class IUDeserializer {
 	 * Construct a new instance of the deserializer.
 	 */
 	public IUDeserializer() {
-		deserializer = new IUDeserializerParser(SAXParserFactory.newInstance());
+		deserializer = new IUDeserializerParser(SecureXMLUtil.newSecureSAXParserFactory());
 	}
 
 	/**
|
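Review bot: The constructor's hardening now lives entirely in `SecureXMLUtil.newSecureSAXParserFactory()`, yet nothing in IUDeserializer records that the parser factory must stay the secured one, so a later "simplification" back to `SAXParserFactory.newInstance()` would silently reopen Bug 518031. The commit message says the helper enables XMLConstants.FEATURE_SECURE_PROCESSING; on the JDK's bundled parser that also restricts external DTD access, but a SAX implementation resolved from another bundle may honour the feature differently, so the protection should be asserted rather than assumed. Suggest a comment on the assignment: `// Secured factory (Bug 518031): IU XML comes from repositories, so DOCTYPE/external entity resolution must stay disabled.` and a regression test that deserializes an IU document containing an external entity declaration and asserts the parse is rejected rather than resolved. The class body continues outside this hunk, so I cannot see whether the `deserializer` field or other parser set-up needs the same treatment.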