ReVanced/smali
1
0
Fork 0
mirror of https://github.com/revanced/smali.git synced 2025-04-30 06:34:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Use the FEATURE_SECURE_PROCESSING feature for loading resource ids

Browse Source 
This fixes a potential security issues reported by ready-research at
https://huntr.dev/bounties/c68f1aed-2922-4ebb-9699-00e0aea1d662
This commit is contained in:
Ben Gruver 2022-03-08 14:02:08 -06:00
parent 81bd303a80
commit 2771eae0a1
1 changed files with 6 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
baksmali/src/main/java/org/jf/baksmali/BaksmaliOptions.java
View File

@ -38,6 +38,7 @@ import org.xml.sax.Attributes;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@ -84,9 +85,12 @@ public class BaksmaliOptions {
public void loadResourceIds(Map<String, File> resourceFiles) throws SAXException, IOException {
for (Map.Entry<String, File> entry: resourceFiles.entrySet()) {
try {
SAXParser saxp = SAXParserFactory.newInstance().newSAXParser();
SAXParserFactory parserFactory = SAXParserFactory.newInstance();
parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
SAXParser parser = parserFactory.newSAXParser();
final String prefix = entry.getKey();
saxp.parse(entry.getValue(), new DefaultHandler() {
parser.parse(entry.getValue(), new DefaultHandler() {
@Override
public void startElement(String uri, String localName, String qName,
Attributes attr) throws SAXException {