Blame SOURCES/CVE-2020-25649.patch

https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59
diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
index 78b1a00..121585e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
@@ -36,6 +36,14 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
         } catch(ParserConfigurationException pce) {
             // not much point to do anything; could log but...
         }
+
+        // [databind#2589] add two more settings just in case
+        try {
+            parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        } catch (Throwable t) { } // as per previous one, nothing much to do
+        try {
+            parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        } catch (Throwable t) { } // as per previous one, nothing much to do
         DEFAULT_PARSER_FACTORY = parserFactory;
     }