#158 #159 XML 解析 XXE漏洞处理

Author: liyi

changelog.txt

@@ -2,13 +2,15 @@ WEIXIN-POPULAR CHANGELOG
 ===========================
 https://github.com/liyiorg/weixin-popular
 
-Changes in version 2.8.21 (2018-07-?)
+Changes in version 2.8.21 (2018-07-06)
 -------------------------------------
 * 退款申请接口添加 refund_desc 退款原因字段
 * 升级依赖emoji-java 版本到 4.0.0
 * 升级依赖fastjson 版本到 1.2.47
 * #156 JsUtil.generateConfigJson 规范JSON数据格式
 * #157 统一下单添加H5 场景支持
+* #158 #159 XML 解析 XXE漏洞处理
+
 
 Changes in version 2.8.20 (2018-05-28)
 -------------------------------------

src/main/java/com/qq/weixin/mp/aes/XMLParse.java

@@ -35,6 +35,15 @@ public static Object[] extract(String xmltext) throws AesException     {
 		Object[] result = new Object[3];
 		try {
 			DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+			
+			/*
+			 * 避免 XXE 攻击
+			 * @since 2.8.21 
+			 */
+			dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			dbf.setXIncludeAware(false);
+			dbf.setExpandEntityReferences(false);
+			
 			DocumentBuilder db = dbf.newDocumentBuilder();
 			StringReader sr = new StringReader(xmltext);
 			InputSource is = new InputSource(sr);

src/main/java/weixin/popular/util/XMLConverUtil.java

@@ -140,6 +140,15 @@ public static Map<String,String> convertToMap(String xml){
 		Map<String, String> map = new LinkedHashMap<String,String>();
 		try {
 			DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+			
+			/*
+			 * 避免 XXE 攻击
+			 * @since 2.8.21 
+			 */
+			dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+			dbf.setXIncludeAware(false);
+			dbf.setExpandEntityReferences(false);
+			
 			DocumentBuilder db = dbf.newDocumentBuilder();
 			StringReader sr = new StringReader(xml);
 			InputSource is = new InputSource(sr);
@@ -162,4 +171,5 @@ public static Map<String,String> convertToMap(String xml){
 		}
 		return map;
 	}
+	
 }