
Commit 47bc367

committed
Disable by default DTD parsing in webdav support, close AsyncHttpClient#1666
see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
1 parent f88caed commit 47bc367


1 file changed

+19
-8
lines changed

1 file changed

+19
-8
lines changed

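--- a/client/src/main/java/org/asynchttpclient/webdav/WebDavCompletionHandlerBase.java
+++ b/client/src/main/java/org/asynchttpclient/webdav/WebDavCompletionHandlerBase.java
@@ -23,7 +23,6 @@
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 
-import org.asynchttpclient.AsyncCompletionHandlerBase;
 import org.asynchttpclient.AsyncHandler;
 import org.asynchttpclient.HttpResponseBodyPart;
 import org.asynchttpclient.HttpResponseHeaders;
@@ -43,7 +42,20 @@
 * @param <T> the result type
 */
 public abstract class WebDavCompletionHandlerBase<T> implements AsyncHandler<T> {
-private final Logger logger = LoggerFactory.getLogger(AsyncCompletionHandlerBase.class);
+private static final Logger LOGGER = LoggerFactory.getLogger(WebDavCompletionHandlerBase.class);
+private static final DocumentBuilderFactory DOCUMENT_BUILDER_FACTORY;
+
+static {
+DOCUMENT_BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+if (Boolean.getBoolean("org.asynchttpclient.webdav.enableDtd")) {
+try {
+DOCUMENT_BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+} catch (ParserConfigurationException e) {
+LOGGER.error("Failed to disable doctype declaration");
+throw new ExceptionInInitializerError(e);
+}
+}
+}
 
 private HttpResponseStatus status;
 private HttpResponseHeaders headers;
@@ -77,19 +89,18 @@ public final State onHeadersReceived(final HttpResponseHeaders headers) throws E
 }
 
 private Document readXMLResponse(InputStream stream) {
-DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 Document document = null;
 try {
-document = factory.newDocumentBuilder().parse(stream);
+document = DOCUMENT_BUILDER_FACTORY.newDocumentBuilder().parse(stream);
 parse(document);
 } catch (SAXException e) {
-logger.error(e.getMessage(), e);
+LOGGER.error(e.getMessage(), e);
 throw new RuntimeException(e);
 } catch (IOException e) {
-logger.error(e.getMessage(), e);
+LOGGER.error(e.getMessage(), e);
 throw new RuntimeException(e);
 } catch (ParserConfigurationException e) {
-logger.error(e.getMessage(), e);
+LOGGER.error(e.getMessage(), e);
 throw new RuntimeException(e);
 }
 return document;
@@ -130,7 +141,7 @@ public final T onCompleted() throws Exception {
 */
 @Override
 public void onThrowable(Throwable t) {
-logger.debug(t.getMessage(), t);
+LOGGER.debug(t.getMessage(), t);
 }
 
 /**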
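Review bot: The condition guarding the new static block (new lines 50–52) is inverted relative to the commit title: `Boolean.getBoolean` returns true only when the `org.asynchttpclient.webdav.enableDtd` property is set to "true", so with the property absent — the default — `disallow-doctype-decl` is never applied and the factory keeps the parser's default DTD handling, while explicitly opting in to DTDs is what actually disables them. Negating the test gives the intended default-off behaviour: `if (!Boolean.getBoolean("org.asynchttpclient.webdav.enableDtd")) {`. The catch branch at new line 54 logs the failure without its cause even though the same exception is then rethrown wrapped; `LOGGER.error("Failed to disable doctype declaration", e);` keeps the stack trace in the log. Note also that the feature URI is Xerces-specific, so on a JAXP implementation that does not recognise it the `ExceptionInInitializerError` makes the whole class unloadable rather than degrading to a less-hardened parser — worth documenting on the static block. The class body continues outside this hunk.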
