Disable XML external entities before parsing.

author: Boris Grozev <boris@jitsi.org> 2014-12-04 14:21:52 +0200
committer: Boris Grozev <boris@jitsi.org> 2014-12-04 14:21:52 +0200
commit: b1e75a29614352a74693c838be234238aaa2fb0f (patch)
tree: 02091a628366eab2c7481965e43dafd4234d3e55 /src/net
parent: 96bb3746a3ad194ec76b43b63aecf9aaba6968d2 (diff)
download: jitsi-b1e75a29614352a74693c838be234238aaa2fb0f.zip
jitsi-b1e75a29614352a74693c838be234238aaa2fb0f.tar.gz
jitsi-b1e75a29614352a74693c838be234238aaa2fb0f.tar.bz2
16 files changed, 38 insertions, 5 deletions
diff --git a/src/net/java/sip/communicator/impl/contactlist/MclStorageManager.java b/src/net/java/sip/communicator/impl/contactlist/MclStorageManager.java
index 01721ef..77fd7c2 100644
--- a/src/net/java/sip/communicator/impl/contactlist/MclStorageManager.java
+++ b/src/net/java/sip/communicator/impl/contactlist/MclStorageManager.java
@@ -348,6 +348,7 @@ public class MclStorageManager
             // load the contact list
             DocumentBuilderFactory factory =
                 DocumentBuilderFactory.newInstance();
+            XMLUtils.disableExternalEntities(factory);
             DocumentBuilder builder = factory.newDocumentBuilder();
             if (contactlistFile.length() == 0)
             {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/thumbnail/ThumbnailElement.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/thumbnail/ThumbnailElement.java
index 3b89bdd..9f1b9fe 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/thumbnail/ThumbnailElement.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/thumbnail/ThumbnailElement.java
@@ -13,6 +13,7 @@ import javax.xml.parsers.*;
 
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -97,6 +98,7 @@ public class ThumbnailElement
     {
         DocumentBuilderFactory factory =
             DocumentBuilderFactory.newInstance();
+        XMLUtils.disableExternalEntities(factory);
 
           DocumentBuilder builder;
           try
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectCircleJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectCircleJabberImpl.java
index 9dfa974..24dc0d1 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectCircleJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectCircleJabberImpl.java
@@ -16,6 +16,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -68,6 +69,7 @@ public class WhiteboardObjectCircleJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectImageJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectImageJabberImpl.java
index b04263d..2c658d4 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectImageJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectImageJabberImpl.java
@@ -15,6 +15,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -69,6 +70,7 @@ public class WhiteboardObjectImageJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectLineJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectLineJabberImpl.java
index 55085e1..3a1106a 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectLineJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectLineJabberImpl.java
@@ -16,6 +16,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -60,6 +61,7 @@ public class WhiteboardObjectLineJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPacketExtension.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPacketExtension.java
index 1d2e69c..f78ca3f 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPacketExtension.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPacketExtension.java
@@ -13,6 +13,7 @@ import javax.xml.parsers.*;
 
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.jivesoftware.smack.packet.*;
 import org.w3c.dom.*;
 
@@ -110,6 +111,7 @@ public class WhiteboardObjectPacketExtension implements PacketExtension
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPathJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPathJabberImpl.java
index 3db8cfe..9dd7de1 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPathJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPathJabberImpl.java
@@ -18,6 +18,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -59,6 +60,7 @@ public class WhiteboardObjectPathJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolyLineJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolyLineJabberImpl.java
index fd62eca..0fcb284 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolyLineJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolyLineJabberImpl.java
@@ -17,6 +17,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -58,6 +59,7 @@ public class WhiteboardObjectPolyLineJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolygonJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolygonJabberImpl.java
index 4bc933a..0a1a281 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolygonJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectPolygonJabberImpl.java
@@ -17,6 +17,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -68,6 +69,7 @@ public class WhiteboardObjectPolygonJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectRectJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectRectJabberImpl.java
index 34b992d..896ea3e 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectRectJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectRectJabberImpl.java
@@ -16,6 +16,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -102,6 +103,7 @@ public class WhiteboardObjectRectJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectTextJabberImpl.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectTextJabberImpl.java
index e0d1fef..cf9dc26 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectTextJabberImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardObjectTextJabberImpl.java
@@ -16,6 +16,7 @@ import net.java.sip.communicator.service.protocol.*;
 import net.java.sip.communicator.service.protocol.whiteboardobjects.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 
 /**
@@ -73,6 +74,7 @@ public class WhiteboardObjectTextJabberImpl
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
         DocumentBuilder builder;
         try
         {
diff --git a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardSessionPacketExtension.java b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardSessionPacketExtension.java
index 8a303e8..dbf590c 100644
--- a/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardSessionPacketExtension.java
+++ b/src/net/java/sip/communicator/impl/protocol/jabber/extensions/whiteboard/WhiteboardSessionPacketExtension.java
@@ -13,6 +13,7 @@ import javax.xml.parsers.*;
 import net.java.sip.communicator.impl.protocol.jabber.*;
 import net.java.sip.communicator.util.*;
 
+import org.jitsi.util.xml.*;
 import org.jivesoftware.smack.packet.*;
 import org.w3c.dom.*;
 
@@ -86,6 +87,7 @@ public class WhiteboardSessionPacketExtension
     {
         DocumentBuilderFactory factory =
           DocumentBuilderFactory.newInstance ();
+        XMLUtils.disableExternalEntities(factory);
 
         DocumentBuilder builder;
         try
diff --git a/src/net/java/sip/communicator/impl/protocol/sip/OperationSetDesktopSharingServerSipImpl.java b/src/net/java/sip/communicator/impl/protocol/sip/OperationSetDesktopSharingServerSipImpl.java
index e332a52..fc4e810 100644
--- a/src/net/java/sip/communicator/impl/protocol/sip/OperationSetDesktopSharingServerSipImpl.java
+++ b/src/net/java/sip/communicator/impl/protocol/sip/OperationSetDesktopSharingServerSipImpl.java
@@ -27,6 +27,7 @@ import net.java.sip.communicator.util.*;
 import org.jitsi.service.neomedia.MediaType;
 import org.jitsi.service.neomedia.device.*;
 import org.jitsi.service.neomedia.format.*;
+import org.jitsi.util.xml.*;
 import org.w3c.dom.*;
 import org.xml.sax.*;
 
@@ -489,9 +490,11 @@ public class OperationSetDesktopSharingServerSipImpl
 
                 try
                 {
+                    DocumentBuilderFactory factory
+                        = DocumentBuilderFactory.newInstance();
+                    XMLUtils.disableExternalEntities(factory);
                     document
-                        = DocumentBuilderFactory.newInstance()
-                            .newDocumentBuilder()
+                        = factory.newDocumentBuilder()
                                 .parse(new ByteArrayInputStream(rawContent));
                 }
                 catch (IOException ioe)
diff --git a/src/net/java/sip/communicator/plugin/jabberaccregwizz/JabberServerChooserDialog.java b/src/net/java/sip/communicator/plugin/jabberaccregwizz/JabberServerChooserDialog.java
index 9abaad6..9737a37 100644
--- a/src/net/java/sip/communicator/plugin/jabberaccregwizz/JabberServerChooserDialog.java
+++ b/src/net/java/sip/communicator/plugin/jabberaccregwizz/JabberServerChooserDialog.java
@@ -23,6 +23,7 @@ import net.java.sip.communicator.plugin.desktoputil.*;
 import net.java.sip.communicator.util.*;
 
 import org.jitsi.service.fileaccess.*;
+import org.jitsi.util.xml.*;
 import org.osgi.framework.*;
 import org.w3c.dom.*;
 import org.xml.sax.*;
@@ -239,8 +240,9 @@ public class JabberServerChooserDialog
             }
 
             FileInputStream fis = new FileInputStream(localServersListFile);
-            DocumentBuilderFactory factory = DocumentBuilderFactory
-                .newInstance();
+            DocumentBuilderFactory factory
+                = DocumentBuilderFactory.newInstance();
+            XMLUtils.disableExternalEntities(factory);
             DocumentBuilder constructor = factory.newDocumentBuilder();
             Document document = constructor.parse(fis);
             Element root = document.getDocumentElement();
@@ -314,6 +316,7 @@ public class JabberServerChooserDialog
                 // Create a builder factory
                 DocumentBuilderFactory factory
                     = DocumentBuilderFactory.newInstance();
+                XMLUtils.disableExternalEntities(factory);
 
                 // Create the builder and parse the file
                 serverComments = factory.newDocumentBuilder()
diff --git a/src/net/java/sip/communicator/plugin/jabberaccregwizz/jabberaccregwizz.manifest.mf b/src/net/java/sip/communicator/plugin/jabberaccregwizz/jabberaccregwizz.manifest.mf
index 2ad0e96..e1b222c 100755
--- a/src/net/java/sip/communicator/plugin/jabberaccregwizz/jabberaccregwizz.manifest.mf
+++ b/src/net/java/sip/communicator/plugin/jabberaccregwizz/jabberaccregwizz.manifest.mf
@@ -46,5 +46,6 @@ Import-Package: org.osgi.framework,
  javax.swing.tree,
  javax.swing.undo,
  javax.swing.border,
+ org.jitsi.util.xml,
  org.jivesoftware.smack,
  org.jivesoftware.smack.packet
diff --git a/src/net/java/sip/communicator/service/protocol/media/ConferenceInfoDocument.java b/src/net/java/sip/communicator/service/protocol/media/ConferenceInfoDocument.java
index 2641fce..3d8778c 100644
--- a/src/net/java/sip/communicator/service/protocol/media/ConferenceInfoDocument.java
+++ b/src/net/java/sip/communicator/service/protocol/media/ConferenceInfoDocument.java
@@ -224,8 +224,11 @@ public class ConferenceInfoDocument
 
         try
         {
+            DocumentBuilderFactory factory
+                = DocumentBuilderFactory.newInstance();
+            XMLUtils.disableExternalEntities(factory);
             document
-                    = DocumentBuilderFactory.newInstance().newDocumentBuilder()
+                = factory.newDocumentBuilder()
                     .parse(new ByteArrayInputStream(bytes));
         }
         catch (Exception e)
author	Boris Grozev <boris@jitsi.org>	2014-12-04 14:21:52 +0200
committer	Boris Grozev <boris@jitsi.org>	2014-12-04 14:21:52 +0200
commit	b1e75a29614352a74693c838be234238aaa2fb0f (patch)
tree	02091a628366eab2c7481965e43dafd4234d3e55 /src/net
parent	96bb3746a3ad194ec76b43b63aecf9aaba6968d2 (diff)
download	jitsi-b1e75a29614352a74693c838be234238aaa2fb0f.zip jitsi-b1e75a29614352a74693c838be234238aaa2fb0f.tar.gz jitsi-b1e75a29614352a74693c838be234238aaa2fb0f.tar.bz2