From 6b83fe4a004f86c175f5f45d148393f41a702c8c Mon Sep 17 00:00:00 2001
From: Ashutosh Gupta
Date: Wed, 5 Jan 2022 21:21:14 +0530
Subject: [PATCH] HDFS-16410. Insecure Xml parsing in OfflineEditsXmlLoader (#3854) Contributed by Ashutosh Gupta
---
 .../hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java
index 7238c58cb5..fc5f30e883 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/tools/offlineEditsViewer/OfflineEditsXmlLoader.java
@@ -86,6 +86,10 @@ public OfflineEditsXmlLoader(OfflineEditsVisitor visitor,
 public void loadEdits() throws IOException {
 try {
 XMLReader xr = XMLReaderFactory.createXMLReader();
+ xr.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ xr.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ xr.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ xr.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 xr.setContentHandler(this);
 xr.setErrorHandler(this);
 xr.setDTDHandler(null);
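Review bot: The four `setFeature` calls added after `XMLReaderFactory.createXMLReader()` have no comment and no regression test (the diffstat shows only this file changed), so a later refactor could drop the XXE hardening unnoticed. I would add a line above them such as `// XXE hardening: reject DOCTYPE declarations and never resolve external DTDs or entities`, plus a test that feeds `loadEdits()` an edits XML containing a DOCTYPE declaration and asserts that the load is rejected. The two `http://apache.org/xml/features/...` URIs are Xerces-specific, so a reader supplied by another SAX driver would presumably throw `SAXNotRecognizedException` on them. That fails closed only if the catch block, which lies outside this hunk, propagates the error, so it is worth confirming. `loadEdits()` continues past the end of the hunk.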