Try to limit Xerces from pulling in external system entities. Addressing SIDP-97
authorlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 27 Dec 2007 08:43:30 +0000 (08:43 +0000)
committerlajoie <lajoie@ab3bd59b-922f-494d-bb5f-6f0a3c29deca>
Thu, 27 Dec 2007 08:43:30 +0000 (08:43 +0000)
git-svn-id: https://subversion.switch.ch/svn/shibboleth/java-idp/trunk@2507 ab3bd59b-922f-494d-bb5f-6f0a3c29deca

resources/conf/internal.xml

index 64f65da..d5cf47f 100644 (file)
         <property name="ignoreElementContentWhitespace" value="true" />
         <property name="namespaceAware" value="true" />
         <property name="builderAttributes">
-            <util:map>
+            <map>
                 <entry>
                     <key>
                         <value>http://apache.org/xml/properties/security-manager</value>
                     </key>
                     <bean id="shibboleth.XercesSecurityManager" class="org.apache.xerces.util.SecurityManager" />
                 </entry>
-            </util:map>
+            </map>
+        </property>
+        <property name="builderFeatures">
+            <map>
+                <entry>
+                    <key>
+                        <value>http://xml.org/sax/features/external-general-entities</value>
+                    </key>
+                    <bean id="shibboleth.ExternalGeneralEntities" class="java.lang.Boolean">
+                        <constructor-arg value="true" />
+                    </bean>
+                </entry>
+                <entry>
+                    <key>
+                        <value>http://xml.org/sax/features/external-parameter-entities</value>
+                    </key>
+                    <bean id="shibboleth.ExternalParameterEntities" class="java.lang.Boolean">
+                        <constructor-arg value="true" />
+                    </bean>
+                </entry>
+            </map>
         </property>
     </bean>