Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 8.7, 8.4.3
Affects Version/s: 7.7, 8.4
Component/s: OData, Query Engine
Labels:
None

Bugzilla References:
https://bugzilla.redhat.com/show_bug.cgi?id=1085557, https://bugzilla.redhat.com/show_bug.cgi?id=1085554, https://bugzilla.redhat.com/show_bug.cgi?id=1085555, https://bugzilla.redhat.com/show_bug.cgi?id=1085556

Description

if applications that expose RESTEasy XML endpoints, add the following snippet to their web.xml file to disable entity expansion in RESTEasy:

<context-param>
<param-name>resteasy.document.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>

Note that this <context-param> setting has precedence over <init-param>, and will override a contrary setting in an <init-param> element.

However this is not sufficient for OData as OData4j is responsible for parsing the Atom feed. StaxXMLFactoryProvider2 simply creates XMLInputFactories without any options, thus they will perform external entity resolving by default. An issue will need to be opened against OData4j.

For SQL/XML, the XMLType input factory needs to disable external entity resolving (via experimentation just setting the relevant property doesn't always work, so like other projects we'll set an XMLResolver, which does work).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

org.odata4j.stax2.staximpl.StaxXMLFactoryProvider2.diff
0.6 kB
2014/04/08 1:45 PM

Issue Links

is cloned by

TEIID-2927 Guard against external entity resolving in OData Atom Feed

Closed

Activity

People

Assignee:: Steven Hawkins

Reporter:: Van Halbert (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2014/03/31 10:44 AM

Updated:: 2021/10/24 5:59 AM

Resolved:: 2014/07/11 11:40 AM