authorBrian de Alwis2017-08-30 19:47:56 +0000
committerBrian de Alwis2017-08-31 14:03:37 +0000
commit71ce503c0e1dabec9f7d65841ee4852c59f0432f (patch)
tree056464f9a7ecd98f8b44b25cfcbf6fe9c9f208cf /bundles/org.eclipse.equinox.p2.publisher.eclipse
parent70c366fd4d0475ed1fd826cbf2283f8ed3b3ebec (diff)
Bug 518031 - XML External Entity Vulnerability in Eclipse IDEI20170904-0230I20170903-2000I20170902-1500I20170901-2000
Ensure XML processors are configured to use XMLConstants.FEATURE_SECURE_PROCESSING=true to avoid accessing external DTDs and expanding external entities. Change-Id: Ic29e4a0aab1ea5f642ce49914bc6fcecd238efe8 Signed-off-by: Brian de Alwis <bsd@mt.ca>
Diffstat (limited to 'bundles/org.eclipse.equinox.p2.publisher.eclipse')
-rw-r--r--bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java3
-rw-r--r--bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java5
2 files changed, 4 insertions, 4 deletions
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
index a7e0e7281..9e983a9aa 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
@@ -19,6 +19,7 @@ import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.p2.metadata.VersionRange;
import org.eclipse.equinox.p2.publisher.eclipse.Feature;
import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -33,7 +34,7 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class FeatureManifestParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private SAXParser parser;
protected Feature result;
private URL url;
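Review bot: Nothing at the `parserFactory` field shows which protections the factory carries or what happens if they cannot be applied, because `SecureXMLUtil.newSecureSAXParserFactory()` is defined outside this diff. The commit message says it sets `XMLConstants.FEATURE_SECURE_PROCESSING`; on a parser implementation other than the JDK's built-in one that feature may only cap entity expansion, so it is worth confirming the helper also turns off `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities`. The call sits in a static field initializer, so the helper presumably cannot throw a checked exception, and a swallowed `setFeature` failure would hand back an unhardened factory without any signal. I would add a comment above the field, `// XXE hardening (bug 518031): obtain the factory only via SecureXMLUtil, never SAXParserFactory.newInstance()`, so a later edit does not revert it. The same points apply to the identical `parserFactory` change in ProductFile.java; the class body continues outside this hunk.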
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
index 1fc305cba..bc632fc1f 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
@@ -25,8 +25,7 @@ import java.util.Map.Entry;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
import org.eclipse.equinox.frameworkadmin.BundleInfo;
-import org.eclipse.equinox.internal.p2.core.helpers.ServiceHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.URLUtil;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.metadata.IVersionedId;
import org.eclipse.equinox.p2.metadata.VersionedId;
import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -67,7 +66,7 @@ public class ProductFile extends DefaultHandler implements IProductDescriptor {
private static final String PROPERTY_ECLIPSE_APPLICATION = "eclipse.application"; //$NON-NLS-1$
private static final String PROPERTY_ECLIPSE_PRODUCT = "eclipse.product"; //$NON-NLS-1$
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private static final String PROGRAM_ARGS = "programArgs"; //$NON-NLS-1$
private static final String PROGRAM_ARGS_LINUX = "programArgsLin"; //$NON-NLS-1$
