Group :: Desenvolvimento/Outros
RPM: jgraphx
Patch: CVE-2017-18197-XXE-fix.patch
diff --git a/jgraphx/src/com/mxgraph/reader/mxGraphViewImageReader.java b/jgraphx/src/com/mxgraph/reader/mxGraphViewImageReader.java
index 6c49cdc..19bc69e 100644
--- a/jgraphx/src/com/mxgraph/reader/mxGraphViewImageReader.java
+++ b/jgraphx/src/com/mxgraph/reader/mxGraphViewImageReader.java
@@ -270,8 +270,11 @@ public class mxGraphViewImageReader extends mxGraphViewReader
throws ParserConfigurationException, SAXException, IOException
{
BufferedImage result = null;
- SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
- XMLReader reader = parser.getXMLReader();
+ XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
+ reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setContentHandler(viewReader);
reader.parse(inputSource);
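Review bot: Two of the four `reader.setFeature(...)` calls use Xerces-specific URIs (`http://apache.org/xml/features/...`), but the parser comes from `SAXParserFactory.newInstance()`, which returns whichever JAXP implementation is configured. On a parser that does not recognise a feature, `setFeature` throws `SAXNotRecognizedException`, which propagates through the declared `SAXException` and aborts the conversion. Failing closed is the right default for an XXE fix, but it should be stated in a comment above the calls, e.g. `// XXE hardening (CVE-2017-18197): reject DOCTYPE and external entities; an unsupported feature aborts parsing on purpose`. As an implementation-independent layer I would also keep the factory in a local and call `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` before `newSAXParser()`. The method's signature and the rest of its body are outside the hunk, so whether the `SAXParser` import is still needed cannot be checked from here.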