
batik-1.8-9.mga6.src.rpm

From ad4a9f8c62f23ff18d167b3d486b727f70b45695 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 26 Apr 2017 15:24:28 +0200
Subject: [PATCH] Backport fix for CVE-2017-5662

---
 sources/org/apache/batik/dom/util/SAXDocumentFactory.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
index 21c8bc7..ad6c32b 100644
--- a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+++ b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
@@ -402,6 +402,7 @@ public class SAXDocumentFactory
         try {
             saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
             saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            saxFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
         } catch (SAXNotRecognizedException e) {
             e.printStackTrace();
         } catch (SAXNotSupportedException e) {
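Review bot: The new `load-external-dtd` setting at the end of this try block fails open. The feature URI is in the Apache (Xerces) namespace, and on a SAX implementation that does not recognize it the `SAXNotRecognizedException` handler below only calls `e.printStackTrace()`, so the factory would presumably still be used with external DTD loading enabled. Because the call is last in the block, the two standard external-entity features are applied before it can throw, and that ordering is worth keeping. I would add a comment such as `// XXE hardening (CVE-2017-5662): if this feature is rejected, external DTDs may still be fetched`, and consider routing the failure to the project's error reporting instead of a bare stack trace. The catch handlers continue past the end of the hunk, so the second handler's body is not visible here.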
@@ -444,6 +445,10 @@ public class SAXDocumentFactory
                               true);
             parser.setFeature("http://xml.org/sax/features/validation",
                               isValidating);
+            parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
             parser.setProperty("http://xml.org/sax/properties/lexical-handler",
                                this);
             parser.parse(is);
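Review bot: The three feature URIs added before `parser.parse(is)` repeat the string literals set on `saxFactory` in the first hunk, so the two hardening sites can drift apart if one is edited later. A small private helper or shared `static final String` constants would keep them in step. Unlike the factory block, no handler for `SAXNotRecognizedException` is visible around these calls, so the hunk does not show whether a reader that rejects `load-external-dtd` aborts the parse or has the error swallowed further out. A one-line comment stating the intent would help, e.g. `// XXE hardening: external entities and DTDs stay disabled for every reader used here`. The enclosing method begins and ends outside the hunk.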
-- 
2.9.3