diff -up ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java.fix ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
--- ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java.fix 2011-10-07 18:26:38.000000000 -0400
+++ ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java 2011-10-07 18:26:21.000000000 -0400
@@ -16,6 +16,20 @@ public class SAXParsers {
spf = SAXParserFactory.newInstance();
spf.setNamespaceAware(true);
spf.setValidating(false);
+ try {
+ spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ } catch (javax.xml.parsers.ParserConfigurationException e) {
+ // Ignore it
+ } catch (org.xml.sax.SAXException e) {
+ // Ignore it
+ }
+ try {
+ spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ } catch (javax.xml.parsers.ParserConfigurationException e) {
+ // Ignore it
+ } catch (org.xml.sax.SAXException e) {
+ // Ignore it
+ }
}
/** Creates a new instance of {@link XMLReader}.
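Review bot: Both added catch blocks drop the exception without any trace, so on a SAX implementation that rejects either feature the factory keeps handing out readers that still resolve external entities, and nothing in the logs shows the hardening did not take effect; the "Ignore it" comments should at least explain that and route the failure through whatever logging the project uses. The two features only cover external entities; entity expansion of internal entities is still unbounded, and `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING` (set to `true`) is the standard JAXP switch for that and belongs in the same initializer, with `http://apache.org/xml/features/nonvalidating/load-external-dtd` as belt-and-braces on Xerces-based parsers. Since the try/catch is already duplicated, a small private helper keeps the feature list in one place, as sketched below. The enclosing static initializer begins before this hunk.
```java
// … unchanged: spf = SAXParserFactory.newInstance(); namespace/validating setup …
setFeature(spf, "http://xml.org/sax/features/external-general-entities", false);
setFeature(spf, "http://xml.org/sax/features/external-parameter-entities", false);
setFeature(spf, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
setFeature(spf, javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);

/** Applies one parser feature; an unsupported feature means the factory is NOT hardened. */
private static void setFeature(SAXParserFactory spf, String feature, boolean value) {
    try {
        spf.setFeature(feature, value);
    } catch (javax.xml.parsers.ParserConfigurationException e) {
        // NOTE(review): report via the project's logging; skipping silently leaves the parser unhardened
    } catch (org.xml.sax.SAXException e) {
        // NOTE(review): same as above — SAXNotRecognized/SAXNotSupported mean the feature was not applied
    }
}
```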
diff -up ./pom.xml.fix ./pom.xml
--- ./pom.xml.fix 2011-10-07 18:17:04.000000000 -0400
+++ ./pom.xml 2011-10-07 18:18:52.000000000 -0400
@@ -173,6 +173,10 @@
<name>Ken Weiner</name>
<email>kweiner@gmail.com</email>
</contributor>
+ <contributor>
+ <name>Johan Hôgre</name>
+ <email>johan.hagre@home.se</email>
+ </contributor>
</contributors>
<scm>
<connection>scm:svn:scm:svn:https://svn.apache.org/repos/asf/webservices/xmlrpc/tags/XMLRPC_3_0</connection>
diff -up ./src/changes/changes.xml.fix ./src/changes/changes.xml
--- ./src/changes/changes.xml.fix 2011-10-07 18:22:58.000000000 -0400
+++ ./src/changes/changes.xml 2011-10-07 18:22:40.000000000 -0400
@@ -65,6 +65,13 @@
due-to-email="Catalin.Hritcu@gmail.com" issue="XMLRPC-109">
Fixed an invalid FAQ example.
</action>
+ </action>
+ <action dev="jochen" type="fix" due-to="Johan Hôgre"
+ due-to-email="johan.hagre@home.se">
+ Fixed a potential security hole: The client has been able to
+ include server side resources
+ into the request by using external entities.
+ </action>
</release>
<release version="3.0rc1" date="27-Jul-2006">
<action dev="jochen" type="fix" due-to="Alan Burlison"