diff --git a/CVE-2022-2414.patch b/CVE-2022-2414.patch
new file mode 100644
index 0000000000000000000000000000000000000000..ad9d7d648938c277adf9f25320527f13ee4fa10a
--- /dev/null
+++ b/CVE-2022-2414.patch
@@ -0,0 +1,948 @@
+From 765d359d51249e5cf0af5994ba54a40550aa5b83 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Wed, 20 Jul 2022 16:20:35 +0800
+Subject: [PATCH] Disable access to external entities when parsing XML This
+ reduces the vulnerability of XML parsers to XXE (XML external entity)
+ injection.
+
+The best way to prevent XXE is to stop using XML altogether, which we do
+plan to do. Until that happens I consider it worthwhile to tighten the
+security here though.
+---
+ .../main/java/com/netscape/certsrv/account/Account.java | 4 ++++
+ .../java/com/netscape/certsrv/base/PKIException.java | 4 ++++
+ .../main/java/com/netscape/certsrv/base/RESTMessage.java | 5 +++++
+ .../main/java/com/netscape/certsrv/cert/CertData.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertDataInfo.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertDataInfos.java | 6 +++++-
+ .../com/netscape/certsrv/cert/CertEnrollmentRequest.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertRequestInfo.java | 4 ++++
+ .../java/com/netscape/certsrv/cert/CertRequestInfos.java | 4 ++++
+ .../com/netscape/certsrv/cert/CertRetrievalRequest.java | 4 ++++
+ .../com/netscape/certsrv/cert/CertRevokeRequest.java | 4 ++++
+ .../com/netscape/certsrv/cert/CertSearchRequest.java | 4 ++++
+ .../netscape/certsrv/key/AsymKeyGenerationRequest.java | 1 +
+ .../com/netscape/certsrv/key/KeyArchivalRequest.java | 1 +
+ .../java/com/netscape/certsrv/key/KeyRequestInfo.java | 4 ++++
+ .../netscape/certsrv/key/KeyRequestInfoCollection.java | 4 ++++
+ .../netscape/certsrv/key/SymKeyGenerationRequest.java | 1 +
+ .../com/netscape/certsrv/profile/PolicyConstraint.java | 4 ++++
+ .../netscape/certsrv/profile/PolicyConstraintValue.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/PolicyDefault.java | 4 ++++
+ .../com/netscape/certsrv/profile/ProfileAttribute.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/ProfileData.java | 6 +++++-
+ .../com/netscape/certsrv/profile/ProfileDataInfo.java | 4 ++++
+ 
.../com/netscape/certsrv/profile/ProfileDataInfos.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/ProfileInput.java | 4 ++++
+ .../java/com/netscape/certsrv/profile/ProfileOutput.java | 4 ++++
+ .../com/netscape/certsrv/profile/ProfileParameter.java | 6 +++++-
+ .../com/netscape/certsrv/request/CMSRequestInfo.java | 4 ++++
+ base/common/src/main/java/org/dogtagpki/common/Info.java | 4 ++++
+ .../cms/servlet/csadmin/SecurityDomainProcessor.java | 7 ++++++-
+ .../main/java/com/netscape/cmscore/apps/ServerXml.java | 1 +
+ .../main/java/com/netscape/cmsutil/xml/XMLObject.java | 9 +++++++++
+ 32 files changed, 127 insertions(+), 4 deletions(-)
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/account/Account.java b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
+index 7447bfa..3e6ce75 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/account/Account.java
++++ b/base/common/src/main/java/com/netscape/certsrv/account/Account.java
+@@ -23,6 +23,7 @@ import java.io.StringWriter;
+ import java.util.Collection;
+ import java.util.TreeSet;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -209,6 +210,8 @@ public class Account extends RESTMessage {
+ document.appendChild(accountElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -224,6 +227,7 @@ public class Account extends RESTMessage {
+ public static Account fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
+index f4876f8..cca6a92 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
++++ b/base/common/src/main/java/com/netscape/certsrv/base/PKIException.java
+@@ -21,6 +21,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+
+ import javax.ws.rs.core.Response;
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -158,6 +159,8 @@ public class PKIException extends RuntimeException {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -173,6 +176,7 @@ public class PKIException extends RuntimeException {
+ public static Data fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java 
b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
+index a62a1ae..3bb0985 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
++++ b/base/common/src/main/java/com/netscape/certsrv/base/RESTMessage.java
+@@ -10,6 +10,7 @@ import java.util.List;
+ import java.util.Map;
+
+ import javax.ws.rs.core.MultivaluedMap;
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -317,7 +318,10 @@ public class RESTMessage implements JSONSerializer {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++
+ Transformer transformer = transformerFactory.newTransformer();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+
+@@ -332,6 +336,7 @@ public class RESTMessage implements JSONSerializer {
+ public static RESTMessage fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
+index 2a47c3c..822468c 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertData.java
+@@ -23,6 +23,7 @@ import java.security.Principal;
+ import java.security.cert.X509Certificate;
+ import java.util.Date;
+
++import 
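Review bot: In the `@@ -317,7 +318,10 @@` hunk of RESTMessage.toXML the two `transformerFactory.setAttribute(...)` calls are placed after `Transformer transformer = transformerFactory.newTransformer();`, so the transformer this method actually uses is created before the external-access restrictions are set on the factory; in the JDK implementation those attributes are copied into a transformer when it is created, so setting them afterwards is not expected to reach the `transformer` variable at all. Every other file in this patch (Account.java, PKIException.java, CertData.java, ...) sets both attributes before calling `newTransformer()`. The hunk should read `TransformerFactory transformerFactory = TransformerFactory.newInstance();` / `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` / `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` followed by the existing `Transformer transformer = transformerFactory.newTransformer();`, and the added empty line (`++`) can be dropped as it only departs from the layout used in the sibling classes.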
javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -475,6 +476,8 @@ public class CertData implements JSONSerializer {
+ document.appendChild(infoElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -490,6 +493,7 @@ public class CertData implements JSONSerializer {
+ public static CertData fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
+index 847e32b..ee8e448 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfo.java
+@@ -24,6 +24,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.util.Date;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -513,6 +514,8 @@ public class CertDataInfo implements JSONSerializer {
+ document.appendChild(infoElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ 
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -528,6 +531,7 @@ public class CertDataInfo implements JSONSerializer {
+ public static CertDataInfo fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
+index 8554da4..0c7223f 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertDataInfos.java
+@@ -20,6 +20,7 @@ package com.netscape.certsrv.cert;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -74,6 +75,9 @@ public class CertDataInfos extends DataCollection {
+ toDOM(document);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
+- Transformer transformer = transformerFactory.newTransformer();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
++ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ 
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+
+@@ -118,6 +121,7 @@ public class CertDataInfos extends DataCollection {
+ public static CertDataInfos fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+index 88de02e..af2091c 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertEnrollmentRequest.java
+@@ -28,6 +28,7 @@ import java.util.Collection;
+ import java.util.HashMap;
+
+ import javax.ws.rs.core.MultivaluedMap;
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -514,6 +515,8 @@ public class CertEnrollmentRequest extends RESTMessage {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -527,6 +530,7 @@ public class CertEnrollmentRequest extends RESTMessage {
+
+ public static CertEnrollmentRequest fromXML(String xml) throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ 
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
+index 79bff39..8fdc0bd 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfo.java
+@@ -21,6 +21,7 @@ package com.netscape.certsrv.cert;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -246,6 +247,8 @@ public class CertRequestInfo extends CMSRequestInfo {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -261,6 +264,7 @@ public class CertRequestInfo extends CMSRequestInfo {
+ public static CertRequestInfo fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java 
b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
+index 8365e33..5ab0a77 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRequestInfos.java
+@@ -21,6 +21,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.util.Collection;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -108,6 +109,8 @@ public class CertRequestInfos extends DataCollection implements
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -152,6 +155,7 @@ public class CertRequestInfos extends DataCollection implements
+ public static CertRequestInfos fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
+index db16917..27e13d7 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRetrievalRequest.java
+@@ -25,6 +25,7 @@ import java.io.StringReader;
+ import 
java.io.StringWriter;
+ import java.util.Objects;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -119,6 +120,8 @@ public class CertRetrievalRequest implements JSONSerializer {
+ public String toXML() throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+@@ -141,6 +144,7 @@ public class CertRetrievalRequest implements JSONSerializer {
+ public static CertRetrievalRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
+index 5f0a9f4..d8582c9 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertRevokeRequest.java
+@@ -22,6 +22,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.util.Date;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -219,6 +220,7 @@ public class CertRevokeRequest implements JSONSerializer {
+ public String toXML() throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ 
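Review bot: In the `@@ -119,6 +120,8 @@` hunk of CertRetrievalRequest.toXML the two added lines call `transformerFactory.setAttribute(...)` right after `DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();`, but `transformerFactory` is not declared anywhere in the hunk, and judging by the parallel toXML methods in this patch it is a local created further down the method, so this should fail to compile. The sibling toXML methods the patch hardens (CertRevokeRequest, KeyRequestInfo, PolicyConstraint) add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` at this position instead, and the two setAttribute calls belong immediately after `TransformerFactory transformerFactory = TransformerFactory.newInstance();`, which lies outside this hunk. As written, the TransformerFactory in this class receives no hardening at all; toXML's body continues past the hunk.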
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+@@ -226,6 +228,8 @@ public class CertRevokeRequest implements JSONSerializer {
+ document.appendChild(requestElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+diff --git a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
+index 1d178b6..5cec911 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/cert/CertSearchRequest.java
+@@ -25,6 +25,7 @@ import java.io.StringWriter;
+ import java.util.Objects;
+
+ import javax.ws.rs.core.MultivaluedMap;
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -1079,6 +1080,8 @@ public class CertSearchRequest implements JSONSerializer {
+ document.appendChild(rootElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+@@ -1094,6 +1097,7 @@ public class 
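Review bot: The second added line in the `@@ -1079,6 +1080,8 @@` hunk of CertSearchRequest.toXML, `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")`, lacks its terminating semicolon, so the file no longer compiles once this patch is applied. It should read `transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` exactly as in the other files of the patch. The same statement was evidently pasted into many near-identical methods by hand; building the patched tree before shipping would have caught this and the undeclared `transformerFactory` in CertRetrievalRequest.toXML.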
CertSearchRequest implements JSONSerializer {
+ public static CertSearchRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
+index 05303b2..157a04b 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/AsymKeyGenerationRequest.java
+@@ -114,6 +114,7 @@ public class AsymKeyGenerationRequest extends KeyGenerationRequest {
+ public static AsymKeyGenerationRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
+index 3152e88..cc866a6 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyArchivalRequest.java
+@@ -256,6 +256,7 @@ public class KeyArchivalRequest extends RESTMessage {
+ public static KeyArchivalRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ 
Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
+index 8970a70..a5b0bb1 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfo.java
+@@ -21,6 +21,7 @@ package com.netscape.certsrv.key;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -132,6 +133,7 @@ public class KeyRequestInfo extends CMSRequestInfo {
+ public String toXML() throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+@@ -139,6 +141,8 @@ public class KeyRequestInfo extends CMSRequestInfo {
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
+index c471f69..5575620 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
++++ 
b/base/common/src/main/java/com/netscape/certsrv/key/KeyRequestInfoCollection.java
+@@ -21,6 +21,7 @@ import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.util.Collection;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -92,6 +93,7 @@ public class KeyRequestInfoCollection extends DataCollection imp
+ public String toXML() throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+@@ -99,6 +101,8 @@ public class KeyRequestInfoCollection extends DataCollection imp
+ document.appendChild(element);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+diff --git a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
+index f86bba2..9fc4da6 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
++++ b/base/common/src/main/java/com/netscape/certsrv/key/SymKeyGenerationRequest.java
+@@ -103,6 +103,7 @@ public class SymKeyGenerationRequest extends KeyGenerationRequest {
+ public static SymKeyGenerationRequest fromXML(String xml) throws Exception {
+
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ 
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.parse(new InputSource(new StringReader(xml)));
+
+diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
+index 763eaae..4723f17 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
++++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraint.java
+@@ -22,6 +22,7 @@ import java.io.StringWriter;
+ import java.util.ArrayList;
+ import java.util.List;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -221,6 +222,7 @@ public class PolicyConstraint implements JSONSerializer {
+
+ public String toXML() throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+@@ -228,6 +230,8 @@ public class PolicyConstraint implements JSONSerializer {
+ document.appendChild(accountElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
+index 
be84f08..cc803fd 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
++++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyConstraintValue.java
+@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -162,6 +163,7 @@ public class PolicyConstraintValue implements JSONSerializer {
+
+ public String toXML() throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+@@ -169,6 +171,8 @@ public class PolicyConstraintValue implements JSONSerializer {
+ document.appendChild(pcvElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
+index 49e2598..6434763 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
++++ b/base/common/src/main/java/com/netscape/certsrv/profile/PolicyDefault.java
+@@ -22,6 +22,7 @@ import java.io.StringWriter;
+ import java.util.ArrayList;
+ import java.util.List;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import 
javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -224,6 +225,7 @@ public class PolicyDefault implements JSONSerializer {
+
+ public String toXML() throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = factory.newDocumentBuilder();
+ Document document = builder.newDocument();
+
+@@ -231,6 +233,8 @@ public class PolicyDefault implements JSONSerializer {
+ document.appendChild(pdElement);
+
+ TransformerFactory transformerFactory = TransformerFactory.newInstance();
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ Transformer transformer = transformerFactory.newTransformer();
+ transformer.setOutputProperty(OutputKeys.INDENT, "yes");
+ transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
+diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
+index 0e43db8..94901bb 100644
+--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileAttribute.java
+@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile;
+ import java.io.StringReader;
+ import java.io.StringWriter;
+
++import javax.xml.XMLConstants;
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
+ import javax.xml.transform.OutputKeys;
+@@ -173,6 +174,7 @@ public class ProfileAttribute implements JSONSerializer {
+
+ public String toXML() throws Exception {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ DocumentBuilder builder = 
factory.newDocumentBuilder(); + Document document = builder.newDocument(); + +@@ -180,6 +182,8 @@ public class ProfileAttribute implements JSONSerializer { + document.appendChild(accountElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java +index f80c0d5..4def4ac 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileData.java +@@ -31,6 +31,7 @@ import java.util.Map.Entry; + import java.util.Objects; + import java.util.Vector; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -547,6 +548,7 @@ public class ProfileData implements JSONSerializer { + + public String toXML() throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + +@@ -554,6 +556,8 @@ public class ProfileData implements JSONSerializer { + document.appendChild(pdElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer 
transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -574,4 +578,4 @@ public class ProfileData implements JSONSerializer { + Element profileDataElement = document.getDocumentElement(); + return fromDOM(profileDataElement); + } +-} +\ No newline at end of file ++} +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java +index 8f1744e..6629761 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfo.java +@@ -21,6 +21,7 @@ import java.io.StringReader; + import java.io.StringWriter; + import java.util.Objects; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -170,6 +171,7 @@ public class ProfileDataInfo implements JSONSerializer { + + public String toXML() throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + +@@ -177,6 +179,8 @@ public class ProfileDataInfo implements JSONSerializer { + document.appendChild(profileParameterElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", 
"4"); +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java +index 7225c83..6bfd0f9 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileDataInfos.java +@@ -20,6 +20,7 @@ package com.netscape.certsrv.profile; + import java.io.StringReader; + import java.io.StringWriter; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -67,6 +68,7 @@ public class ProfileDataInfos extends DataCollection { + public String toXML() throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + +@@ -74,6 +76,8 @@ public class ProfileDataInfos extends DataCollection { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java +index 303785d..db0f2cd 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileInput.java +@@ -23,6 +23,7 @@ import java.util.ArrayList; + 
import java.util.Collection; + import java.util.List; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -347,6 +348,7 @@ public class ProfileInput implements JSONSerializer { + + public String toXML() throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.newDocument(); + +@@ -354,6 +356,8 @@ public class ProfileInput implements JSONSerializer { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java +index b2442c7..1c9d392 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileOutput.java +@@ -22,6 +22,7 @@ import java.io.StringWriter; + import java.util.ArrayList; + import java.util.List; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -234,6 +235,8 @@ public class ProfileOutput implements JSONSerializer { + document.appendChild(pdElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ 
transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -248,6 +251,7 @@ public class ProfileOutput implements JSONSerializer { + + public static ProfileOutput fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java +index 55e07b4..559a24c 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java ++++ b/base/common/src/main/java/com/netscape/certsrv/profile/ProfileParameter.java +@@ -21,6 +21,7 @@ import java.io.StringReader; + import java.io.StringWriter; + import java.util.Objects; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -128,6 +129,8 @@ public class ProfileParameter implements JSONSerializer { + document.appendChild(profileParameterElement); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + 
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -142,6 +145,7 @@ public class ProfileParameter implements JSONSerializer { + + public static ProfileParameter fromXML(String xml) throws Exception { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +@@ -149,4 +153,4 @@ public class ProfileParameter implements JSONSerializer { + return fromDOM(profileParameterElement); + } + +-} +\ No newline at end of file ++} +diff --git a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java +index b6c2fa4..299690c 100644 +--- a/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java ++++ b/base/common/src/main/java/com/netscape/certsrv/request/CMSRequestInfo.java +@@ -20,6 +20,7 @@ package com.netscape.certsrv.request; + import java.io.StringReader; + import java.io.StringWriter; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -229,6 +230,8 @@ public class CMSRequestInfo implements JSONSerializer { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -244,6 +247,7 @@ public class CMSRequestInfo implements JSONSerializer { + public static 
CMSRequestInfo fromXML(String xml) throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/common/src/main/java/org/dogtagpki/common/Info.java b/base/common/src/main/java/org/dogtagpki/common/Info.java +index 0929ada..c9f7ff7 100644 +--- a/base/common/src/main/java/org/dogtagpki/common/Info.java ++++ b/base/common/src/main/java/org/dogtagpki/common/Info.java +@@ -21,6 +21,7 @@ package org.dogtagpki.common; + import java.io.StringReader; + import java.io.StringWriter; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.transform.OutputKeys; +@@ -183,6 +184,8 @@ public class Info extends RESTMessage { + document.appendChild(element); + + TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = transformerFactory.newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); +@@ -198,6 +201,7 @@ public class Info extends RESTMessage { + public static Info fromXML(String xml) throws Exception { + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = factory.newDocumentBuilder(); + Document document = builder.parse(new InputSource(new StringReader(xml))); + +diff --git a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java 
b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +index bdd485e..601b62f 100644 +--- a/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java ++++ b/base/server/src/main/java/com/netscape/cms/servlet/csadmin/SecurityDomainProcessor.java +@@ -24,6 +24,7 @@ import java.util.Enumeration; + import java.util.Locale; + import java.util.Vector; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.ParserConfigurationException; + import javax.xml.transform.OutputKeys; + import javax.xml.transform.Transformer; +@@ -697,7 +698,11 @@ public class SecurityDomainProcessor extends Processor { + XMLObject xmlObject = convertDomainInfoToXMLObject(before); + Document document = xmlObject.getDocument(); + +- Transformer transformer = TransformerFactory.newInstance().newTransformer(); ++ TransformerFactory transformerFactory = TransformerFactory.newInstance(); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); ++ Transformer transformer = transformerFactory.newTransformer(); ++ Transformer transformer = TransformerFactory.newInstance().newTransformer(); + transformer.setOutputProperty(OutputKeys.INDENT, "yes"); + transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4"); + +diff --git a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java +index 2a02d72..61b4d66 100644 +--- a/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java ++++ b/base/server/src/main/java/com/netscape/cmscore/apps/ServerXml.java +@@ -41,6 +41,7 @@ public class ServerXml { + ServerXml serverXml = new ServerXml(); + + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder builder = 
factory.newDocumentBuilder(); + Document document = builder.parse(filename); + +diff --git a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java +index 81fdbf4..17d5884 100644 +--- a/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java ++++ b/base/util/src/main/java/com/netscape/cmsutil/xml/XMLObject.java +@@ -25,6 +25,7 @@ import java.io.OutputStream; + import java.io.StringWriter; + import java.util.Vector; + ++import javax.xml.XMLConstants; + import javax.xml.parsers.DocumentBuilder; + import javax.xml.parsers.DocumentBuilderFactory; + import javax.xml.parsers.ParserConfigurationException; +@@ -56,6 +57,7 @@ public class XMLObject { + public XMLObject(InputStream s) + throws SAXException, IOException, ParserConfigurationException { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder docBuilder = factory.newDocumentBuilder(); + mDoc = docBuilder.parse(s); + } +@@ -63,6 +65,7 @@ public class XMLObject { + public XMLObject(File f) + throws SAXException, IOException, ParserConfigurationException { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); ++ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); + DocumentBuilder docBuilder = factory.newDocumentBuilder(); + mDoc = docBuilder.parse(f); + } +@@ -159,6 +162,8 @@ public class XMLObject { + public byte[] toByteArray() throws TransformerConfigurationException, TransformerException { + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + TransformerFactory tranFactory = TransformerFactory.newInstance(); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer aTransformer = tranFactory.newTransformer(); + Source src = new DOMSource(mDoc); + Result dest = 
new StreamResult(bos); +@@ -169,6 +174,8 @@ public class XMLObject { + public void output(OutputStream os) + throws TransformerConfigurationException, TransformerException { + TransformerFactory tranFactory = TransformerFactory.newInstance(); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer aTransformer = tranFactory.newTransformer(); + Source src = new DOMSource(mDoc); + Result dest = new StreamResult(os); +@@ -177,6 +184,8 @@ public class XMLObject { + + public String toXMLString() throws TransformerConfigurationException, TransformerException { + TransformerFactory tranFactory = TransformerFactory.newInstance(); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); ++ tranFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); + Transformer transformer = tranFactory.newTransformer(); + Source src = new DOMSource(mDoc); + StreamResult dest = new StreamResult(new StringWriter()); +-- +2.33.0 + diff --git a/pki-core.spec b/pki-core.spec index 8553839a719a87dd390fb0624828482e8c517440..9f4a5bad2e896e61b7b2754d2c50b2e2ecc5d949 100644 --- a/pki-core.spec +++ b/pki-core.spec @@ -8,12 +8,14 @@ Name: pki-core Version: 11.0.0 -Release: 1 +Release: 2 Summary: The PKI Core Package License: GPLv2 and LGPLv2 URL: http://www.dogtagpki.org/ Source0: https://github.com/dogtagpki/pki/archive/v%{version}/pki-v%{version}.tar.gz Source1: https://github.com/cpuguy83/go-md2man/archive/v1.0.10.tar.gz +Patch0001: CVE-2022-2414.patch + BuildRequires: git make cmake >= 2.8.9-1 gcc-c++ zip java-latest-openjdk-devel java-latest-openjdk-headless BuildRequires: ldapjdk >= 4.21.0 apache-commons-cli apache-commons-codec apache-commons-io BuildRequires: apache-commons-lang jakarta-commons-httpclient glassfish-jaxb-api slf4j 
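Review bot: The `disallow-doctype-decl` URI added in ProfileOutput.fromXML (`@@ -248,6 +251,7 @@`) is a Xerces-specific feature, so a JAXP provider that does not recognise it makes `setFeature` throw ParserConfigurationException and the parse fails closed; that is tolerable given `throws Exception`, but the parse sites would be more portable if the standard JAXP controls were set alongside it: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);`. The same applies to ProfileParameter.fromXML, CMSRequestInfo.fromXML, Info.fromXML, ServerXml and both XMLObject constructors, which are the hunks where `builder.parse(...)` actually runs (ServerXml's hunk does not show whether XMLConstants is imported there); in the toXML hunks of PolicyConstraintValue, PolicyDefault, ProfileAttribute, ProfileData, ProfileDataInfo, ProfileDataInfos and ProfileInput the builder only calls `newDocument()`, so the feature there is a consistency measure rather than a fix and deserves a one-line comment saying so. Since the same five lines are now pasted into every class, a helper in cmsutil next to XMLObject that returns a hardened DocumentBuilderFactory and TransformerFactory would keep the policy in one place and make any future tightening a single change.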
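Review bot: In SecurityDomainProcessor.java (`@@ -697,7 +698,11 @@`) the new side declares `transformer` twice: `Transformer transformer = transformerFactory.newTransformer();` is immediately followed by a re-added `Transformer transformer = TransformerFactory.newInstance().newTransformer();`, which javac rejects as a duplicate local variable, so the patched server module cannot compile (the header's line counts confirm the old line is both removed and added back). Drop the second declaration so the transformer comes from the hardened `transformerFactory`; as written it would otherwise be produced by an unhardened factory even if the duplicate were tolerated. The enclosing method starts and ends outside the hunk.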
@@ -441,6 +443,9 @@ fi %endif %changelog +* Wed Jul 20 2022 qz_cx - 11.0.0-2 +- DESC: fix CVE-2022-2414 + * Thu Jun 16 2022 liyanan - 11.0.0-1 - Update to 11.0.0