Fix for Bug#30657312, Disable external entities in Fabric's XML parser.

mysql · Jan 7, 2020 · 179957f · 179957f
1 parent 4fea1b1
commit 179957f
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/CHANGES b/CHANGES
@@ -3,6 +3,8 @@
 
 Version 5.1.49
 
+  - Fix for Bug#30657312, Disable external entities in Fabric's XML parser.
+
   - Fix for Bug#96442 (30151808), INCORRECT DATE ERROR WHEN CALLING GETMETADATA ON PREPARED STATEMENT.
 
 Version 5.1.48

diff --git a/src/com/mysql/fabric/xmlrpc/Client.java b/src/com/mysql/fabric/xmlrpc/Client.java
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
+  Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved.
 
   The MySQL Connector/J is licensed under the terms of the GPLv2
   <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>, like most MySQL Connectors.
@@ -32,6 +32,7 @@
 import java.util.HashMap;
 import java.util.Map;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -89,6 +90,8 @@ public MethodResponse execute(MethodCall methodCall) throws IOException, ParserC
             // Get Response
             InputStream is = connection.getInputStream();
             SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             SAXParser parser = factory.newSAXParser();
             ResponseParser saxp = new ResponseParser();