From 4bb1538af052f0ff078e1bdae49f97f3d44c4972 Mon Sep 17 00:00:00 2001
From: yinyongkang
Date: Fri, 15 Jul 2022 09:58:07 +0800
Subject: [PATCH] fix CVE-2022-2414
---
 ...o-external-entities-when-parsing-XML.patch | 928 ++++++++++++++++++
 pki-core.spec | 11 +-
 2 files changed, 938 insertions(+), 1 deletion(-)
 create mode 100644 0001-Disable-access-to-external-entities-when-parsing-XML.patch
diff --git a/0001-Disable-access-to-external-entities-when-parsing-XML.patch b/0001-Disable-access-to-external-entities-when-parsing-XML.patch
new file mode 100644
index 0000000..7ab85e7
--- /dev/null
+++ b/0001-Disable-access-to-external-entities-when-parsing-XML.patch
@@ -0,0 +1,928 @@
+From b176837c317216185930a09e6eae916a39bbbe5e Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Fri, 15 Jul 2022 09:36:00 +0800
+Subject: [PATCH] Disable access to external entities when parsing XML
+
+This reduces the vulnerability of XML parsers to XXE (XML external
+entity) injection.
+
+The best way to prevent XXE is to stop using XML altogether, which we do
+plan to do. Until that happens I consider it worthwhile to tighten the
+security here though.
+---
+ .../main/java/com/netscape/certsrv/account/Account.java | 4 ++++
+ .../java/com/netscape/certsrv/base/PKIException.java | 4 ++++
+ .../main/java/com/netscape/certsrv/base/RESTMessage.java | 4 ++++
+ .../main/java/com/netscape/certsrv/cert/CertData.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertDataInfo.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertDataInfos.java | 4 ++++
+ .../com/netscape/certsrv/cert/CertEnrollmentRequest.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertRequestInfo.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertRequestInfos.java | 4 ++++
+ .../com/netscape/certsrv/cert/CertRetrievalRequest.java | 4 ++++
+ .../com/netscape/certsrv/cert/CertRevokeRequest.java | 4 ++++
+ .../com/netscape/certsrv/cert/CertSearchRequest.java | 4 ++++
+ .../netscape/certsrv/key/AsymKeyGenerationRequest.java | 1 +
+ .../com/netscape/certsrv/key/KeyArchivalRequest.java | 1 +
+ .../java/com/netscape/certsrv/key/KeyRequestInfo.java | 4 ++++
+ .../netscape/certsrv/key/KeyRequestInfoCollection.java | 4 ++++
+ .../netscape/certsrv/key/SymKeyGenerationRequest.java | 1 +
+ .../com/netscape/certsrv/profile/PolicyConstraint.java | 4 ++++
+ .../netscape/certsrv/profile/PolicyConstraintValue.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/PolicyDefault.java | 4 ++++
+ .../com/netscape/certsrv/profile/ProfileAttribute.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/ProfileData.java | 4 ++++
+ .../com/netscape/certsrv/profile/ProfileDataInfo.java | 4 ++++
+
.../com/netscape/certsrv/profile/ProfileDataInfos.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/ProfileInput.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/ProfileOutput.java | 4 ++++
+ .../com/netscape/certsrv/profile/ProfileParameter.java | 4 ++++
+ .../com/netscape/certsrv/request/CMSRequestInfo.java | 4 ++++
+ base/common/src/main/java/org/dogtagpki/common/Info.java | 4 ++++
+ .../cms/servlet/csadmin/SecurityDomainProcessor.java | 6 +++++-
+ .../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 +
+ .../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
+ 32 files changed, 122 insertions(+), 1 deletion(-)
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/account/Account.java b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
+index 7447bfa..6aaca9c 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/account/Account.java
++++ b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
+@@ -23,6 +23,7 @@ import java.io.StringWriter;
+ import java.util.Collection;
+ import java.util.TreeSet;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -209,6 +210,8 @@ public class Account extends RESTMessage {
+ document.appendChild(accountElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET,"");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -224,6 +227,7 @@ public class Account extends RESTMessage {
+ public static Account fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
+index f4876f8..6ea5c3d 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
++++ b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
+@@ -21,6 +21,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+
+ import javax.ws.rs.core.Response;
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -158,6 +159,8 @@ public class PKIException extends RuntimeException {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -173,6 +176,7 @@ public class PKIException extends RuntimeException {
+ public static Data fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
+index a62a1ae..e8bc5eb 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
++++ b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
+@@ -10,6 +10,7 @@ import java.util.List;
+ import java.util.Map;
+
+ import javax.ws.rs.core.MultivaluedMap;
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -317,11 +318,14 @@ public class RESTMessage implements JSONSerializer {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+
+ DOMSource domSource = new DOMSource(document);
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ StringWriter sw = new StringWriter();
+ StreamResult streamResult = new StreamResult(sw);
+ transformer.transform(domSource, streamResult);
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
+index 2a47c3c..a3a19e7 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
+@@ -23,6 +23,7 @@ import java.security.Principal;
+ import java.security.cert.X509Certificate;
+ import java.util.Date;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -475,6 +476,8 @@
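Review bot: In the RESTMessage.java hunk (`@@ -317,11 +318,14 @@`) the added `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` is placed after `DOMSource domSource = new DOMSource(document);` in the serialization path, where `document` has already been built, so the feature is applied to a factory whose builder was created earlier and hardens no parse. Every other file in this patch puts the same line in `fromXML` directly before `factory.newDocumentBuilder()`; if RESTMessage parses caller-supplied XML (its parse method is not in this hunk, and the enclosing method starts outside it), move the line to precede `factory.newDocumentBuilder()` there, otherwise delete it so the class is not mistaken for hardened. The line only compiles because some `factory` variable happens to be in scope in the transform method, which reads as a misplaced copy rather than intent. Separately, `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` throws `IllegalArgumentException` on TransformerFactory implementations that predate JAXP 1.5 (e.g. a classpath Xalan), which applies to every transformer hunk in this patch — worth confirming which factory pki-core resolves at runtime.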
public class CertData implements JSONSerializer {
+ document.appendChild(infoElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -490,6 +493,7 @@ public class CertData implements JSONSerializer {
+ public static CertData fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
+index 847e32b..516fac9 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
+@@ -24,6 +24,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.util.Date;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -513,6 +514,8 @@ public class CertDataInfo implements JSONSerializer {
+ document.appendChild(infoElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -528,6 +531,7 @@ public class CertDataInfo implements JSONSerializer {
+ public static CertDataInfo fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
+index 8554da4..2262739 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
+@@ -20,6 +20,7 @@ package com.netscape.certsrv.cert;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -74,6 +75,8 @@ public class CertDataInfos extends DataCollection {
+ toDOM(document);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -118,6 +121,7 @@ public class CertDataInfos extends DataCollection {
+ public static CertDataInfos fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+index 88de02e..f48fa56 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+@@ -28,6 +28,7 @@ import java.util.Collection;
+ import java.util.HashMap;
+
+ import javax.ws.rs.core.MultivaluedMap;
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -514,6 +515,8 @@ public class CertEnrollmentRequest extends RESTMessage {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -527,6 +530,7 @@ public class CertEnrollmentRequest extends RESTMessage {
+
+ public static CertEnrollmentRequest fromXML(String xml) throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
+index 79bff39..b7aa718 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
+@@ -21,6 +21,7 @@ package com.netscape.certsrv.cert;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -246,6 +247,8 @@ public class CertRequestInfo extends CMSRequestInfo {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -261,6 +264,7 @@ public class CertRequestInfo extends CMSRequestInfo {
+ public static CertRequestInfo fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
+index 8365e33..4720bc4 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
+@@ -21,6 +21,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import
java.util.Collection;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -108,6 +109,8 @@ public class CertRequestInfos extends DataCollection implements
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -152,6 +155,7 @@ public class CertRequestInfos extends DataCollection implements
+ public static CertRequestInfos fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
+index db16917..bde7e99 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
+@@ -25,6 +25,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.util.Objects;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -126,6 +127,8 @@ public class CertRetrievalRequest implements JSONSerializer {
+ document.appendChild(requestElement);
+
+
TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -141,6 +144,7 @@ public class CertRetrievalRequest implements JSONSerializer {
+ public static CertRetrievalRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
+index 5f0a9f4..709db38 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
+@@ -22,6 +22,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.util.Date;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -226,6 +227,8 @@ public class CertRevokeRequest implements JSONSerializer {
+ document.appendChild(requestElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT,
"yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -241,6 +244,7 @@ public class CertRevokeRequest implements JSONSerializer { + public static CertRevokeRequest fromXML(String xml) throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java +index 1d178b6..67da3c1 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java ++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java +@@ -25,6 +25,7 @@ import java.io.StringWriter; + import java.util.Objects; + + import javax.ws.rs.core.MultivaluedMap; ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -1079,6 +1080,8 @@ public class CertSearchRequest implements JSONSerializer { + document.appendChild(rootElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -1094,6 +1097,7 @@ public class CertSearchRequest implements JSONSerializer { + public static CertSearchRequest fromXML(String xml) throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ 
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
+index 05303b2..fc1fe0f 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
+@@ -114,6 +114,7 @@ public class AsymKeyGenerationRequest extends KeyGenerationRequest {
+ public static AsymKeyGenerationRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
+index 3152e88..462f228 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
+@@ -256,6 +256,7 @@ public class KeyArchivalRequest extends RESTMessage {
+ public static KeyArchivalRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
+index 8970a70..dca3f01 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
+@@ -21,6 +21,7 @@ package com.netscape.certsrv.key;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -139,6 +140,8 @@ public class KeyRequestInfo extends CMSRequestInfo {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -154,6 +157,7 @@ public class KeyRequestInfo extends CMSRequestInfo {
+ public static KeyRequestInfo fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
+index c471f69..6cc9840 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
+@@ -21,6 +21,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+
import java.util.Collection;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -99,6 +100,8 @@ public class KeyRequestInfoCollection extends DataCollection imp
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -143,6 +146,7 @@ public class KeyRequestInfoCollection extends DataCollection imp
+ public static KeyRequestInfoCollection fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
+index f86bba2..e7542f6 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
+@@ -103,6 +103,7 @@ public class SymKeyGenerationRequest extends KeyGenerationRequest {
+ public static SymKeyGenerationRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document
document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
+index 763eaae..5d43bf1 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
++++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
+@@ -22,6 +22,7 @@ import java.io.StringWriter;
+ import java.util.ArrayList;
+ import java.util.List;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -228,6 +229,8 @@ public class PolicyConstraint implements JSONSerializer {
+ document.appendChild(accountElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -242,6 +245,7 @@ public class PolicyConstraint implements JSONSerializer {
+
+ public static PolicyConstraint fromXML(String xml) throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
+index be84f08..9986837 100644
+---
a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
++++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
+@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -169,6 +170,8 @@ public class PolicyConstraintValue implements JSONSerializer {
+ document.appendChild(pcvElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -183,6 +186,7 @@ public class PolicyConstraintValue implements JSONSerializer {
+
+ public static PolicyConstraintValue fromXML(String xml) throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
+index 49e2598..b4602c6 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
++++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
+@@ -22,6 +22,7 @@ import java.io.StringWriter;
+ import java.util.ArrayList;
+ import java.util.List;
+
++import javax.xml.XMLConstants;
+ import
javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -231,6 +232,8 @@ public class PolicyDefault implements JSONSerializer { + document.appendChild(pdElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -245,6 +248,7 @@ public class PolicyDefault implements JSONSerializer { + + public static PolicyDefault fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java +index 0e43db8..7abd149 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java +@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile; + import java.io.StringReader; + import java.io.StringWriter; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -180,6 +181,8 @@ public class ProfileAttribute implements JSONSerializer { + document.appendChild(accountElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ 
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -193,6 +196,7 @@ public class ProfileAttribute implements JSONSerializer { + + public static ProfileAttribute fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java +index f80c0d5..450b832 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java +@@ -31,6 +31,7 @@ import java.util.Map.Entry; + import java.util.Objects; + import java.util.Vector; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -554,6 +555,8 @@ public class ProfileData implements JSONSerializer { + document.appendChild(pdElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -568,6 +571,7 @@ 
public class ProfileData implements JSONSerializer { + + public static ProfileData fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java +index 8f1744e..a67d697 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java +@@ -21,6 +21,7 @@ import java.io.StringReader; + import java.io.StringWriter; + import java.util.Objects; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -177,6 +178,8 @@ public class ProfileDataInfo implements JSONSerializer { + document.appendChild(profileParameterElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -191,6 +194,7 @@ public class ProfileDataInfo implements JSONSerializer { + + public static ProfileDataInfo fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + 
Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java +index 7225c83..8975bc6 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java +@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile; + import java.io.StringReader; + import java.io.StringWriter; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -74,6 +75,8 @@ public class ProfileDataInfos extends DataCollection { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -118,6 +121,7 @@ public class ProfileDataInfos extends DataCollection { + public static ProfileDataInfos fromXML(String xml) throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java +index 303785d..aac8f0d 100644 +--- 
a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java +@@ -23,6 +23,7 @@ import java.util.ArrayList; + import java.util.Collection; + import java.util.List; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -354,6 +355,8 @@ public class ProfileInput implements JSONSerializer { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -367,6 +370,7 @@ public class ProfileInput implements JSONSerializer { + + public static ProfileInput fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java +index b2442c7..c85bfed 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java +@@ -22,6 +22,7 @@ import java.io.StringWriter; + import java.util.ArrayList; + import java.util.List; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import 
javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -234,6 +235,8 @@ public class ProfileOutput implements JSONSerializer { + document.appendChild(pdElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -248,6 +251,7 @@ public class ProfileOutput implements JSONSerializer { + + public static ProfileOutput fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java +index 55e07b4..b6a007f 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java +@@ -21,6 +21,7 @@ import java.io.StringReader; + import java.io.StringWriter; + import java.util.Objects; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -128,6 +129,8 @@ public class ProfileParameter implements JSONSerializer { + document.appendChild(profileParameterElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, 
""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -142,6 +145,7 @@ public class ProfileParameter implements JSONSerializer { + + public static ProfileParameter fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java +index b6c2fa4..661355a 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java ++++ b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java +@@ -20,6 +20,7 @@ package com.netscape.certsrv.request; + import java.io.StringReader; + import java.io.StringWriter; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -229,6 +230,8 @@ public class CMSRequestInfo implements JSONSerializer { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -244,6 +247,7 @@ public class CMSRequestInfo 
implements JSONSerializer { + public static CMSRequestInfo fromXML(String xml) throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/org/dogtagpki/common/Info.java b/base/common/src/main/java/org/dogtagpki/common/Info.java +index 0929ada..3d1b693 100644 +--- a/base/common/src/main/java/org/dogtagpki/common/Info.java ++++ b/base/common/src/main/java/org/dogtagpki/common/Info.java +@@ -21,6 +21,7 @@ package org.dogtagpki.common; + import java.io.StringReader; + import java.io.StringWriter; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -183,6 +184,8 @@ public class Info extends RESTMessage { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -198,6 +201,7 @@ public class Info extends RESTMessage { + public static Info fromXML(String xml) throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git 
a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +index bdd485e..07fae1a 100644 +--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java ++++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +@@ -24,6 +24,7 @@ import java.util.Enumeration; + import java.util.Locale; + import java.util.Vector; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.ParserConfigurationException; + import javax.xml.transform.OutputKeys; + import javax.xml.transform.Transformer; +@@ -697,7 +698,10 @@ public class SecurityDomainProcessor extends Processor { + XMLObject xmlObject = convertDomainInfoToXMLObject(before); + Document document = xmlObject.getDocument(); + +- Transformer transformer = TransformerFactory.newInstance().newTransformer(); ++ TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ++ Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); + +diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java +index 2a02d72..d9ac572 100644 +--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java ++++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java +@@ -41,6 +41,7 @@ public class ServerXml { + ServerXml serverXml = new ServerXml(); + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = 
factory.newDocumentBuilder(); + Document document = builder.parse(filename); + +diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java +index 81fdbf4..1043bcb 100644 +--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java ++++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java +@@ -25,6 +25,7 @@ import java.io.OutputStream; + import java.io.StringWriter; + import java.util.Vector; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.parsers.ParserConfigurationException; +@@ -56,6 +57,7 @@ public class XMLObject { + public XMLObject(InputStream s) + throws SAXException, IOException, ParserConfigurationException { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder docBuilder = factory.newDocumentBuilder(); + mDoc = docBuilder.parse(s); + } +@@ -63,6 +65,7 @@ public class XMLObject { + public XMLObject(File f) + throws SAXException, IOException, ParserConfigurationException { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder docBuilder = factory.newDocumentBuilder(); + mDoc = docBuilder.parse(f); + } +@@ -159,6 +162,8 @@ public class XMLObject { + public byte[] toByteArray() throws TransformerConfigurationException, TransformerException { + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + TransformerFactory tranFactory = TransformerFactory.newInstance(); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer aTransformer = tranFactory.newTransformer(); + Source src = new DOMSource(mDoc); + Result dest = 
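Review bot: The ServerXml hunk applies `disallow-doctype-decl` to the on-disk configuration read by `builder.parse(filename)`, so a server.xml that carries even a harmless local DOCTYPE will now stop parsing at load time instead of being accepted; that is the correct fail-closed behaviour for an editable config file, but it is a behaviour change that nothing in the hunk records. A one-line comment next to the feature line, `// Reject any DOCTYPE (XXE hardening): server.xml must not declare a DTD`, would tell the next maintainer why a previously loadable file is refused. The signature of the enclosing load method lies outside the hunk, so where the resulting parse error surfaces to the operator cannot be checked from here.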
new StreamResult(bos);
+@@ -169,6 +174,8 @@ public class XMLObject {
+ public void output(OutputStream os)
+ throws TransformerConfigurationException, TransformerException {
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer aTransformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ Result dest = new StreamResult(os);
+@@ -177,6 +184,8 @@ public class XMLObject {
+ 
+ public String toXMLString() throws TransformerConfigurationException, TransformerException {
+ TransformerFactory tranFactory = TransformerFactory.newInstance();
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = tranFactory.newTransformer();
+ Source src = new DOMSource(mDoc);
+ StreamResult dest = new StreamResult(new StringWriter());
+-- 
+2.33.0
+
diff --git a/pki-core.spec b/pki-core.spec
index 8553839..5e940b6 100644
--- a/pki-core.spec
+++ b/pki-core.spec
@@ -8,12 +8,15 @@ Name: pki-core
 Version: 11.0.0
-Release: 1
+Release: 2
 Summary: The PKI Core Package
 License: GPLv2 and LGPLv2
 URL: http://www.dogtagpki.org/
 Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz
 Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz
+
+Patch0001: 0001-Disable-access-to-external-entities-when-parsing-XML.patch
+
 BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless
 BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io
 BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j
@@ -441,6 +444,12 @@ fi
 %endif
 %changelog
+* Fri Jul 15 2022 yinyongkang - 11.0.0-2
+- Type:CVE
+- ID:CVE-2022-2414
+- SUG:NA
+- DESC:Fix CVE-2022-2414
+
 * Thu Jun 16 2022 liyanan - 11.0.0-1
 - Update to 11.0.0
-- Gitee