Merge pull request #875 from rasika/fix-1624

Adding additional validations to improve stability of the product
revert-dabc3590
Rasika Perera 7 years ago committed by GitHub
commit fe085b4e68
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -60,6 +60,7 @@
org.osgi.service.component, org.osgi.service.component,
org.apache.commons.logging, org.apache.commons.logging,
javax.xml, javax.xml,
javax.xml.stream,
javax.xml.bind.*, javax.xml.bind.*,
javax.sql, javax.sql,
javax.xml.parsers; version=0.0.0, javax.xml.parsers; version=0.0.0,

@ -47,6 +47,9 @@ import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException; import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller; import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller; import javax.xml.bind.Unmarshaller;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader; import java.io.StringReader;
import java.io.StringWriter; import java.io.StringWriter;
import java.nio.charset.Charset; import java.nio.charset.Charset;
@ -128,17 +131,21 @@ public class AndroidDeviceManager implements DeviceManager {
MobileDeviceTypes.MOBILE_DEVICE_TYPE_ANDROID); MobileDeviceTypes.MOBILE_DEVICE_TYPE_ANDROID);
resource = MobileDeviceManagementUtil.getRegistryResource(androidRegPath); resource = MobileDeviceManagementUtil.getRegistryResource(androidRegPath);
if (resource != null) { if (resource != null) {
JAXBContext context = JAXBContext.newInstance(PlatformConfiguration.class); XMLInputFactory factory = XMLInputFactory.newFactory();
Unmarshaller unmarshaller = context.createUnmarshaller(); factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
return (PlatformConfiguration) unmarshaller.unmarshal( factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
XMLStreamReader reader = factory.createXMLStreamReader(
new StringReader(new String((byte[]) resource.getContent(), Charset. new StringReader(new String((byte[]) resource.getContent(), Charset.
forName(AndroidPluginConstants.MobilePluginConstants.CHARSET_UTF8)))); forName(AndroidPluginConstants.MobilePluginConstants.CHARSET_UTF8))));
JAXBContext context = JAXBContext.newInstance(PlatformConfiguration.class);
Unmarshaller unmarshaller = context.createUnmarshaller();
return (PlatformConfiguration) unmarshaller.unmarshal(reader);
} }
return null; return null;
} catch (AndroidDeviceMgtPluginException e) { } catch (AndroidDeviceMgtPluginException e) {
throw new DeviceManagementException( throw new DeviceManagementException(
"Error occurred while retrieving the Registry instance : " + e.getMessage(), e); "Error occurred while retrieving the Registry instance : " + e.getMessage(), e);
} catch (JAXBException e) { } catch (JAXBException | XMLStreamException e) {
throw new DeviceManagementException( throw new DeviceManagementException(
"Error occurred while parsing the Android configuration : " + e.getMessage(), e); "Error occurred while parsing the Android configuration : " + e.getMessage(), e);
} catch (RegistryException e) { } catch (RegistryException e) {
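Review bot: The two `factory.setProperty(...)` calls are the only thing keeping DTDs and external entities out of the registry-supplied configuration, but nothing in the code says so, and a later cleanup could go back to passing the `StringReader` straight to `unmarshal()`. I would add `// XXE hardening: parse via StAX with DTDs and external entities disabled; do not hand the Reader to unmarshal() directly` above `XMLInputFactory.newFactory()`. The `XMLStreamReader` is also never closed, so a `reader.close()` in a `finally` after unmarshalling would be tidier. How a document that still carries a DOCTYPE is handled may depend on the StAX implementation resolved at runtime, so a test with such an input would pin the behaviour. The enclosing method starts and ends outside this hunk.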

@ -68,6 +68,7 @@ public class MobileDeviceManagementUtil {
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
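Review bot: The feature URI `"http://apache.org/xml/features/disallow-doctype-decl"` is repeated as a bare string literal here and in the EnrollmentServiceImpl, CertificateEnrollmentServiceImpl and second MobileDeviceManagementUtil hunks, with no comment that it is what blocks DOCTYPE-based XXE and entity expansion. I would hoist it into a shared named constant, for example `private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";`, with a one-line comment stating that purpose. The feature is Xerces-defined, so `setFeature` throws `ParserConfigurationException` on a factory that does not recognise it; here that lands in `catch (Exception e)`, whose body is outside the hunk, so confirm it fails closed rather than continuing with an unhardened parser. The enclosing method starts and ends outside the hunk.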

@ -231,6 +231,7 @@ public class EnrollmentServiceImpl implements EnrollmentService {
DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
domFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); domFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
domFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder; DocumentBuilder builder;
builder = domFactory.newDocumentBuilder(); builder = domFactory.newDocumentBuilder();

@ -239,6 +239,8 @@ public class CertificateEnrollmentServiceImpl implements CertificateEnrollmentSe
DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
domFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); domFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
domFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = domFactory.newDocumentBuilder(); DocumentBuilder builder = domFactory.newDocumentBuilder();
Document document = builder.parse(wapProvisioningFilePath); Document document = builder.parse(wapProvisioningFilePath);
NodeList wapParm = document.getElementsByTagName(PluginConstants.CertificateEnrolment.PARM); NodeList wapParm = document.getElementsByTagName(PluginConstants.CertificateEnrolment.PARM);

@ -68,6 +68,7 @@ public class MobileDeviceManagementUtil {
factory.setNamespaceAware(true); factory.setNamespaceAware(true);
try { try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder docBuilder = factory.newDocumentBuilder(); DocumentBuilder docBuilder = factory.newDocumentBuilder();
return docBuilder.parse(file); return docBuilder.parse(file);
} catch (Exception e) { } catch (Exception e) {
