Steven Hawkins created TEIID-2927:
-------------------------------------
Summary: Guard against external entity resolving in OData Atom Feed
Key: TEIID-2927
URL:
https://issues.jboss.org/browse/TEIID-2927
Project: Teiid
Issue Type: Bug
Components: OData, Query Engine
Affects Versions: 7.7, 8.4
Reporter: Van Halbert
Assignee: Steven Hawkins
Priority: Critical
Fix For: 8.7
if applications that expose RESTEasy XML endpoints, add the following snippet to their
web.xml file to disable entity expansion in RESTEasy:
<context-param>
<param-name>resteasy.document.expand.entity.references</param-name>
<param-value>false</param-value>
</context-param>
Note that this <context-param> setting has precedence over <init-param>, and
will override a contrary setting in an <init-param> element.
However this is not sufficient for OData as OData4j is responsible for parsing the Atom
feed. StaxXMLFactoryProvider2 simply creates XMLInputFactories without any options, thus
they will perform external entity resolving by default. An issue will need to be opened
against OData4j.
For SQL/XML, the XMLType input factory needs to disable external entity resolving (via
experimentation just setting the relevant property doesn't always work, so like other
projects we'll set an XMLResolver, which does work).
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira