packages/dom4j
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dom4j/backport-Disable-downloading-external-resources-with-2.patch
lingsheng e08632136f Fix CVE-2020-10683
2020-06-19 15:50:08 +08:00

31 lines
1.4 KiB
Diff
Raw Permalink Blame History

From 1707bf3d898a8ada3b213acb0e3b38f16eaae73d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
Date: Sat, 11 Apr 2020 19:27:36 +0200
Subject: [PATCH] #28 Disable downloading external resources with
DocumentHelper.parseText() helper.
(cherry picked from commit 8f6a7f6001d679176c1079ac65871d4e493360db)
---
src/main/java/org/dom4j/DocumentHelper.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/main/java/org/dom4j/DocumentHelper.java b/src/main/java/org/dom4j/DocumentHelper.java
index a3a69dca..6ceed9a3 100644
--- a/src/main/java/org/dom4j/DocumentHelper.java
+++ b/src/main/java/org/dom4j/DocumentHelper.java
@@ -270,6 +270,14 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
*/
public static Document parseText(String text) throws DocumentException {
SAXReader reader = new SAXReader();
+ try {
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ } catch (SAXException e) {
+ //Parse with external resources downloading allowed.
+ }
+
String encoding = getEncoding(text);
InputSource source = new InputSource(new StringReader(text));
Reference in New Issue View Git Blame Copy Permalink