From ad4a9f8c62f23ff18d167b3d486b727f70b45695 Mon Sep 17 00:00:00 2001
From: Michael Simacek <msimacek@redhat.com>
Date: Wed, 26 Apr 2017 15:24:28 +0200
Subject: [PATCH] Backport fix for CVE-2017-5662

---
 sources/org/apache/batik/dom/util/SAXDocumentFactory.java | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
index 21c8bc7..ad6c32b 100644
--- a/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
+++ b/sources/org/apache/batik/dom/util/SAXDocumentFactory.java
@@ -402,6 +402,7 @@ public class SAXDocumentFactory
         try {
             saxFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
             saxFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            saxFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
         } catch (SAXNotRecognizedException e) {
             e.printStackTrace();
         } catch (SAXNotSupportedException e) {
@@ -444,6 +445,10 @@ public class SAXDocumentFactory
                                   true);
                 parser.setFeature("http://xml.org/sax/features/validation",
                                   isValidating);
+                parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
                 parser.setProperty("http://xml.org/sax/properties/lexical-handler",
                                    this);
                 parser.parse(is);
-- 
2.9.3
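Review bot: The feature added in the first hunk can fail silently, because the surrounding catch blocks for SAXNotRecognizedException and SAXNotSupportedException only call `e.printStackTrace()`, so a SAX implementation that does not know the Xerces-specific `nonvalidating/load-external-dtd` URI leaves the factory without this hardening and no caller learns of it. For a fix that exists to stop external DTD fetching, the failure should be surfaced rather than printed, for example `throw new IllegalStateException("cannot disable external DTD loading", e);` in both catch blocks, or at the very least a comment at the new line such as `// CVE-2017-5662: if this feature is not applied the parser still resolves external DTDs`. The method enclosing this try block starts outside the hunk, so I cannot tell whether anything downstream checks the outcome.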
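Review bot: The three feature settings added before `parser.setProperty` in the second hunk duplicate the list set on saxFactory in the first hunk; a single private helper such as `setSecureFeatures(XMLReader parser)` called from both sites would keep the two lists from drifting the next time one of them is hardened. Note also that the validation feature is taken from `isValidating` on the preceding lines, and with Xerces the `nonvalidating/load-external-dtd` feature presumably has no effect once validation is on, so a validating parse would still resolve the external DTD; that deserves a comment at this site, e.g. `// load-external-dtd only applies when isValidating is false; a validating parse still resolves the DTD`. Whether the SAXNotRecognizedException and SAXNotSupportedException these calls can throw are caught here is not visible, because the enclosing try/catch starts outside the hunk.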