packages/xmlgraphics-commons
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
xmlgraphics-commons/CVE-2020-11988.patch
starlet-dx e0c4e9227b Fix CVE-2020-11988 
(cherry picked from commit 1a0e583e01f087e43298b7d9714fcaebd8da43a2)
2022-04-24 15:29:16 +08:00

78 lines
3.1 KiB
Diff
Raw Permalink Blame History

From 57393912eb87b994c7fed39ddf30fb778a275183 Mon Sep 17 00:00:00 2001
From: Simon Steiner <ssteiner@apache.org>
Date: Tue, 2 Jun 2020 13:18:41 +0000
Subject: [PATCH] XGC-122: Dont load DTDs in XMP
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/commons/trunk@1878394 13f79535-47bb-0310-9956-ffa450edef68
---
.../org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
.../xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
index 5e7d8b6..e907e89 100644
--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
@@ -21,6 +21,7 @@
import java.net.URL;
+import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
@@ -54,6 +55,8 @@ public static Metadata parseXMP(URL url) throws TransformerException {
*/
public static Metadata parseXMP(Source src) throws TransformerException {
TransformerFactory tFactory = TransformerFactory.newInstance();
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = tFactory.newTransformer();
XMPHandler handler = createXMPHandler();
SAXResult res = new SAXResult(handler);
diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
index 6519de6..3250d08 100644
--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
@@ -19,16 +19,21 @@
package org.apache.xmlgraphics.xmp;
+import java.io.StringReader;
import java.net.URL;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.stream.StreamSource;
+
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
@@ -189,4 +194,18 @@ public void testParseEmptyValues() throws Exception {
assertNull(title); //Empty value treated same as not existant
}
+ @Test
+ public void testExternalDTD() {
+ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
+ + "<root></root>";
+ StreamSource streamSource = new StreamSource(new StringReader(payload));
+ String msg = "";
+ try {
+ XMPParser.parseXMP(streamSource);
+ } catch (TransformerException e) {
+ msg = e.getMessage();
+ }
+ assertTrue(msg, msg.contains("access is not allowed"));
+ }
}
Reference in New Issue View Git Blame Copy Permalink