CVE-2015-3269: Apache Flex BlazeDS XXE Vulnerabilty

Amf0Input_readObjectValue.java

/*     */   public Object readObject()
/*     */     throws ClassNotFoundException, IOException
/*     */   {
/*  91 */     int type = in.readByte();
/*     */     
/*  93 */     Object value = readObjectValue(type);
/*  94 */     return value;
/*     */   }
/*     */   
/*     */   protected Object readObjectValue(int type) throws ClassNotFoundException, IOException
/*     */   {
/*  99 */     Object value = null;
/* 100 */     switch (type)
/*     */     {
/*     */     case 0: 
/* 103 */       value = Double.valueOf(readDouble());
/* 104 */       break;
/*     */     
               ...
/*     */     
/*     */     case 15: 
/* 147 */       value = readXml();
/* 148 */       break;
/*     */     
              ....
/*     */   protected Object readXml() throws IOException
/*     */   {
/* 511 */     String xml = readLongUTF();
/*     */     
/* 513 */     if (isDebug) {
/* 514 */       trace.write(xml);
/*     */     }
/* 516 */     return stringToDocument(xml);
/*     */   }
/*     */   

AmfMessageDeserializer_readBody.java

/*     */   public void readBody(MessageBody body, int index)
/*     */     throws ClassNotFoundException, IOException
/*     */   {
/* 158 */     String targetURI = amfIn.readUTF();
/* 159 */     body.setTargetURI(targetURI);
/* 160 */     String responseURI = amfIn.readUTF();
/* 161 */     body.setResponseURI(responseURI);
/*     */     
/* 163 */     amfIn.readInt();
/*     */     
/* 165 */     amfIn.reset();
/*     */     
/*     */ 
/* 168 */     if (isDebug) {
/* 169 */       debugTrace.startMessage(targetURI, responseURI, index);
/*     */     }
/*     */     Object data;
/*     */     try {
/* 173 */       data = readObject();
/*     */     }
/*     */     catch (RecoverableSerializationException ex)
/*     */     {
/* 177 */       ex.setCode("Client.Message.Encoding");
/* 178 */       data = ex;
/*     */     }
/*     */     catch (MessageException ex)
/*     */     {
/* 182 */       ex.setCode("Client.Message.Encoding");
/* 183 */       throw ex;
/*     */     }
/*     */     
/* 186 */     body.setData(data);
/*     */     
/* 188 */     if (isDebug) {
/* 189 */       debugTrace.endMessage();
/*     */     }
/*     */   }
/*     */   
/*     */ 
/*     */ 
/*     */ 
/*     */   public Object readObject()
/*     */     throws ClassNotFoundException, IOException
/*     */   {
/* 199 */     return amfIn.readObject();
/*     */   }
/*     */ }

XMLUtil_stringToDocument.java

/*     */ 
/*     */   public static Document stringToDocument(String xml, boolean nameSpaceAware)
/*     */   {
/* 116 */     ClassUtil.validateCreation(Document.class);
/*     */     
/* 118 */     Document document = null;
/*     */     try
/*     */     {
/* 121 */       if (xml != null)
/*     */       {
/* 123 */         StringReader reader = new StringReader(xml);
/* 124 */         InputSource input = new InputSource(reader);
/* 125 */         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
/* 126 */         factory.setNamespaceAware(nameSpaceAware);
/* 127 */         factory.setValidating(false);
/* 128 */         DocumentBuilder builder = factory.newDocumentBuilder();
/*     */         
/* 130 */         document = builder.parse(input);
/*     */       }
/*     */     }
/*     */     catch (Exception ex)
/*     */     {
/* 135 */       throw new MessageException("Error deserializing XML type " + ex.getMessage());
/*     */     }
/*     */     
/* 138 */     return document;
/*     */   }
/*     */ }