
Commit cd67c7b

committed
Avoid XEE attacks
Read more at: https://community.emc.com/docs/DOC-25651
1 parent 7198720 commit cd67c7b

1 file changed

Lines changed: 2 additions & 0 deletions


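--- a/com/onelogin/saml/Response.java
+++ b/com/onelogin/saml/Response.java
@@ -5,6 +5,7 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 
+import javax.xml.XMLConstants;
 import javax.xml.crypto.dsig.XMLSignature;
 import javax.xml.crypto.dsig.XMLSignatureFactory;
 import javax.xml.crypto.dsig.dom.DOMValidateContext;
@@ -37,6 +38,7 @@ public Response(AccountSettings accountSettings) throws CertificateException {
 public void loadXml(String xml) throws ParserConfigurationException, SAXException, IOException {
 DocumentBuilderFactory fty = DocumentBuilderFactory.newInstance();
 fty.setNamespaceAware(true);
+fty.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 DocumentBuilder builder = fty.newDocumentBuilder();
 ByteArrayInputStream bais = new ByteArrayInputStream(xml.getBytes());
 xmlDoc = builder.parse(bais);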
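Review bot: In `loadXml`, `FEATURE_SECURE_PROCESSING` is the only hardening applied to the factory. On the JDK's bundled parser it bounds entity expansion, but to my knowledge it does not by itself reject a DOCTYPE or stop external entities from being resolved. A SAML response is attacker-controlled input and has no legitimate need for a DTD, so I would add `fty.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` right after the new line. With that feature set, `builder.parse` fails on any document that carries a DOCTYPE. As a fallback for parsers that do not recognise it, `fty.setExpandEntityReferences(false);` and `fty.setXIncludeAware(false);` are worth setting too. Separately, the context line `xml.getBytes()` encodes with the platform default charset, so passing `StandardCharsets.UTF_8` would keep the bytes handed to the parser the same across hosts. The body of `loadXml` continues past the end of this hunk, so any later handling of `xmlDoc` is not visible here.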
