Enable XML secure processing

This commit is contained in:
M66B 2023-12-11 17:58:39 +01:00
parent efc29f28c5
commit 7456ba958e
5 changed files with 10 additions and 0 deletions


@ -21,6 +21,7 @@ import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
@ -472,6 +473,7 @@ public class XCalDocument {
Transformer transformer;
try {
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
transformer = factory.newTransformer();
} catch (TransformerConfigurationException e) {
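Review bot: The new `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` uses the attribute API for what JAXP defines as a feature; `TransformerFactory.setAttribute` is specified to throw an unchecked `IllegalArgumentException` for a name the implementation does not recognize, and the XSLTC (JDK) and Xalan factories I know of only accept this constant through `setFeature`, so the call would likely escape the `catch (TransformerConfigurationException e)` rather than enable anything. Use the feature API, which throws the checked exception this block already handles: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. Even when set correctly, on a TransformerFactory this flag mostly limits extension functions and entity-expansion sizes; it does not by itself stop an identity transform of an untrusted Source from resolving external DTDs, so it complements rather than replaces the `disallow-doctype-decl` line beneath it. The enclosing method starts and ends outside the hunk.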


@ -22,6 +22,7 @@ import java.util.List;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.transform.ErrorListener;
import javax.xml.transform.Source;
@ -206,6 +207,7 @@ public class XCalReader extends StreamReader {
//create the transformer
try {
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
XmlUtils.applyXXEProtection(factory);
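Review bot: The new `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` is likely to throw before `XmlUtils.applyXXEProtection(factory)` ever runs: JAXP specifies `setAttribute` as throwing an unchecked `IllegalArgumentException` for an unrecognized name, and the XSLTC/Xalan factories I know of only recognize this constant as a feature, not an attribute. The fix is the feature API, whose checked `TransformerConfigurationException` matches the surrounding try: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. It may also be worth moving this call into `XmlUtils.applyXXEProtection` so every factory in the app gets the same hardening from one place. The try block's catch and the rest of the method lie outside the hunk.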


@ -14,6 +14,7 @@ import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@ -291,6 +292,7 @@ public final class XmlUtils {
public static void toWriter(Node node, Writer writer, Map<String, String> outputProperties) throws TransformerException {
try {
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Transformer transformer = factory.newTransformer();
for (Map.Entry<String, String> property : outputProperties.entrySet()) {
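Review bot: `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` in `toWriter` sets a JAXP feature through the attribute API; `TransformerFactory.setAttribute` is specified to throw an unchecked `IllegalArgumentException` for names the implementation does not recognize, and the XSLTC/Xalan factories I know of only accept this constant via `setFeature`, so the `catch` of `TransformerException` (declared on the method) may not see it and serialization could start failing at runtime. Replace the line with `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which throws the checked `TransformerConfigurationException` that `TransformerException` covers. Since `toWriter` serializes an already-built `Node` rather than parsing external input, the benefit here is defense in depth; the parser that produced the Node is where DTD/entity handling matters. The method body continues past the hunk.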


@ -39,6 +39,8 @@ public abstract class XmlConverter {
static {
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
try {
dbFactory.setXIncludeAware(false);
dbFactory.setExpandEntityReferences(false);
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
documentBuilder = dbFactory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
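Review bot: This is the one file in the commit that does not enable `XMLConstants.FEATURE_SECURE_PROCESSING`; on a `DocumentBuilderFactory` the feature API is the documented one and throws the `ParserConfigurationException` this block already catches, so add `dbFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (with the `javax.xml.XMLConstants` import) beside the existing `disallow-doctype-decl` line. Note that `setExpandEntityReferences(false)` only changes how entity references appear in the resulting DOM and is not an XXE mitigation on its own — the `disallow-doctype-decl` feature below is what actually blocks entity declarations, so a comment such as `// disallow-doctype-decl is the actual XXE guard; the two flags above are defense in depth` would stop a later reader from weakening the wrong line. Also, the JAXP base class documents `setXIncludeAware` as throwing `UnsupportedOperationException` when an implementation does not override it; because this runs in a static initializer, such a throw would surface as `ExceptionInInitializerError` on first use of `XmlConverter`, which is worth confirming against the Android parser. The catch clause and the rest of the static block continue outside the hunk.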


@ -23,6 +23,7 @@ import javax.activation.ActivationDataFlavor;
import javax.activation.DataSource;
import javax.mail.internet.ContentType;
import javax.mail.internet.ParseException;
import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
@ -80,6 +81,7 @@ public class text_xml extends text_plain {
try {
TransformerFactory factory = TransformerFactory.newInstance();
factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
Transformer transformer = factory.newTransformer();
StreamResult result = new StreamResult(os);
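Review bot: The new `factory.setAttribute(XMLConstants.FEATURE_SECURE_PROCESSING, true)` passes a JAXP feature to the attribute API; `TransformerFactory.setAttribute` is specified to throw an unchecked `IllegalArgumentException` for an unrecognized name, and the XSLTC/Xalan factories I know of only handle this constant in `setFeature`, so the call is likely to blow past whatever catch follows this try instead of hardening the transform. Use `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which throws the checked `TransformerConfigurationException` the JAXP contract expects callers to handle. Because this is a `text/xml` content handler, the `Source` fed to the transformer presumably comes from a mail body; if so, the `disallow-doctype-decl` line is the control that actually matters for that input, and the secure-processing flag is an addition to it rather than a substitute. The enclosing method starts and ends outside the hunk.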