#158 #159 XML 解析 XXE漏洞处理

changelog.txt

@@ -2,13 +2,15 @@ WEIXIN-POPULAR CHANGELOG
 ===========================
 https://github.com/liyiorg/weixin-popular
 
-Changes in version 2.8.21 (2018-07-?)
+Changes in version 2.8.21 (2018-07-06)
 -------------------------------------
 * 退款申请接口添加 refund_desc 退款原因字段
 * 升级依赖emoji-java 版本到 4.0.0
 * 升级依赖fastjson 版本到 1.2.47
 * #156 JsUtil.generateConfigJson 规范JSON数据格式
 * #157 统一下单添加H5 场景支持
+* #158 #159 XML 解析 XXE漏洞处理
+
 
 Changes in version 2.8.20 (2018-05-28)
 -------------------------------------

src/main/java/com/qq/weixin/mp/aes/XMLParse.java

@@ -35,6 +35,15 @@ public static Object[] extract(String xmltext) throws AesException {
  Object[] result = new Object[3];
  try {
  DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+ /*
+ * 避免 XXE 攻击
+ * @since 2.8.21 
+ */
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
+
  DocumentBuilder db = dbf.newDocumentBuilder();
  StringReader sr = new StringReader(xmltext);
  InputSource is = new InputSource(sr);

src/main/java/weixin/popular/util/XMLConverUtil.java

@@ -140,6 +140,15 @@ public static Map<String,String> convertToMap(String xml){
  Map<String, String> map = new LinkedHashMap<String,String>();
  try {
  DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+
+ /*
+ * 避免 XXE 攻击
+ * @since 2.8.21 
+ */
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
+
  DocumentBuilder db = dbf.newDocumentBuilder();
  StringReader sr = new StringReader(xml);
  InputSource is = new InputSource(sr);
@@ -162,4 +171,5 @@ public static Map<String,String> convertToMap(String xml){
  }
  return map;
  }
+
 }