Play Framework Security Advisory

XML External Entities

Date

20 Sep 2013

Description

A vulnerability has been found in Play’s XML processing.

An attacker may use XML external entities to read files from the file system, internal network, or DoS the application.

Impact

Any application that uses either the default any content parsers, or specifically the XML parser, may be vulnerable.

Affected Versions

Workarounds

Change the default SAXParserFactory implementation used by the JDK to be one that disables external entities.

For example, if using the Oracle JDK, add the following class to your application:

package xml;

import org.xml.sax.*;
import javax.xml.parsers.*;

public class SecureSAXParserFactory extends SAXParserFactory {
    private final SAXParserFactory platformDefault = new com.sun.org.apache.xerces.internal.jaxp.SAXParserFactoryImpl();

    public SecureSAXParserFactory() throws SAXNotSupportedException, SAXNotRecognizedException, ParserConfigurationException {
        platformDefault.setFeature("http://xml.org/sax/features/external-general-entities", false);
        platformDefault.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        platformDefault.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    }

    public SAXParser newSAXParser() throws ParserConfigurationException, SAXException {
        return platformDefault.newSAXParser();
    }

    public void setFeature(String name, boolean value) throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        platformDefault.setFeature(name, value);
    }

    public boolean getFeature(String name) throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        return platformDefault.getFeature(name);
    }
}

And then when starting the application in production mode, add the following system property to the command line arguments:

-Djavax.xml.parsers.SAXParserFactory=xml.SecureSAXParserFactory

Fixes

Upgrade to the appropriate version below:

CVSS metrics (more info)

Acknowledgements

Credit for finding this vulnerability goes to the Australia Post Digital Mailbox Security Team and Reginaldo Silva of http://www.ubercomp.com/.