fix incorrect XML builder defaults to prevent DTD entity loading

jrivard · jrivard · commit 4b102843f28a · 2023-02-02T17:46:23.000-05:00
diff --git a/server/src/main/java/password/pwm/util/java/XmlFactory.java b/server/src/main/java/password/pwm/util/java/XmlFactory.java
@@ -31,6 +31,7 @@
 import password.pwm.error.PwmError;
 import password.pwm.error.PwmUnrecoverableException;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -217,7 +218,8 @@ static DocumentBuilder getBuilder()
             try
             {
                 final DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
-                dbFactory.setFeature( "http://apache.org/xml/features/disallow-doctype-decl", false );
+                dbFactory.setFeature( XMLConstants.FEATURE_SECURE_PROCESSING, true );
+                dbFactory.setFeature( "http://apache.org/xml/features/disallow-doctype-decl", true );
                 dbFactory.setExpandEntityReferences( false );
                 dbFactory.setValidating( false );
                 dbFactory.setXIncludeAware( false );
