Commit 16f51ef1 authored by Evan Ward's avatar Evan Ward Committed by Luc Maisonobe

Disable external XML resources for TDM files

External XML resources can be a security risk if the source of the XML document
is not trusted. Also added a test case.

Part of fixing #368
parent e46684b3
......@@ -35,6 +35,7 @@ import org.orekit.time.AbsoluteDate;
import org.orekit.time.TimeScalesFactory;
import org.orekit.utils.IERSConventions;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.Locator;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
......@@ -1010,6 +1011,12 @@ public class TDMParser extends DefaultHandler {
public InputSource resolveEntity(final String publicId, final String systemId) {
// disable external entities
return new InputSource();
/** Parse a line in an observation data block.
* @exception OrekitException if error in parsing dates or in conversion of number from String
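Review bot: The `resolveEntity` override in the second hunk refuses external entities only indirectly: it hands the parser an `InputSource` with no byte stream, character stream or system id, and the test's own comment about a malformed-URL exception suggests the parse fails because the parser then tries to resolve a null id, which is an implementation detail rather than a stated contract. If failing closed is the intent, say so in code: `public InputSource resolveEntity(final String publicId, final String systemId) throws SAXException {` with `throw new SAXException("external XML entities are disabled for TDM files: " + systemId);`, which yields a clear message and does not depend on how a particular parser treats an empty source (any message check in the test would follow the new text). The override also lacks Javadoc stating its scope, e.g. `/** {@inheritDoc} <p>Overridden to refuse any external entity (external DTD subset or parameter entity) referenced by the document, so untrusted TDM files cannot trigger file or network access.</p> */`. Whether the underlying reader is additionally configured with `XMLConstants.FEATURE_SECURE_PROCESSING`, which bounds internal entity expansion, is not visible here, and the method's closing brace is outside the rendered hunk.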
......@@ -23,6 +23,10 @@
<release version="9.0.1" date="2017-11-01"
description="Version 9.0.1 is a patch release of Orekit.
It fixes security issus 368.">
<action dev="evan" type="fix">
Disabled XML external resources when parsing rapid XML TDM files.
Part of issue #368.
<action dev="evan" type="fix">
Disabled XML external resources when parsing rapid XML EOP files.
Part of issue #368.
......@@ -18,10 +18,12 @@ package org.orekit.files.ccsds;
import java.util.ArrayList;
import java.util.List;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
......@@ -50,6 +52,27 @@ public class TDMParserTest {
public void testParseTdmExternalResourceIssue368() throws OrekitException {
// setup
TDMParser parser = new TDMParser().withFileFormat(TDMFileFormat.XML);
String name = "/ccsds/XML/TDM-external-doctype.xml";
InputStream in = TDMParserTest.class.getResourceAsStream(name);
try {
// action
parser.parse(in, name);
// verify"Expected Exception");
} catch (OrekitException e) {
// Malformed URL exception indicates external resource was disabled
// file not found exception indicates parser tried to load the resource
public void testParseTdmKeyValueExample2() throws OrekitException, IOException {
// Example 2 of [1]
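Review bot: `testParseTdmExternalResourceIssue368` opens the fixture at `InputStream in = TDMParserTest.class.getResourceAsStream(name);` and never closes it; the `try` only wraps the parse call, so the stream leaks on both the success and the exception path. Use `try (InputStream in = TDMParserTest.class.getResourceAsStream(name)) {` and add `IOException` to the method's `throws` clause, as `testParseTdmKeyValueExample2` in the same hunk already does. The two comments in the catch block indicate the test tells "resource disabled" apart from "parser fetched the resource" by the kind of exception; if that check compares message text, it is brittle across XML parser implementations, and asserting on the cause type (for example that the cause is not a `FileNotFoundException`) would be more stable. The end of the method is not visible on the rendered page.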
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "file:./not-a-real-file.xml">