From 57393912eb87b994c7fed39ddf30fb778a275183 Mon Sep 17 00:00:00 2001
From: Simon Steiner <ssteiner@apache.org>
Date: Tue, 2 Jun 2020 13:18:41 +0000
Subject: [PATCH] XGC-122: Dont load DTDs in XMP
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/commons/trunk@1878394 13f79535-47bb-0310-9956-ffa450edef68
---
.../org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
.../xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
|
|
index 5e7d8b6..e907e89 100644
|
|
--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
|
|
+++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
|
|
@@ -21,6 +21,7 @@
|
|
|
|
import java.net.URL;
|
|
|
|
+import javax.xml.XMLConstants;
|
|
import javax.xml.transform.Source;
|
|
import javax.xml.transform.Transformer;
|
|
import javax.xml.transform.TransformerException;
|
|
@@ -54,6 +55,8 @@ public static Metadata parseXMP(URL url) throws TransformerException {
|
|
*/
|
|
public static Metadata parseXMP(Source src) throws TransformerException {
|
|
TransformerFactory tFactory = TransformerFactory.newInstance();
|
|
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
|
|
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
|
|
Transformer transformer = tFactory.newTransformer();
|
|
XMPHandler handler = createXMPHandler();
|
|
SAXResult res = new SAXResult(handler);
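Review bot: The two `setAttribute` calls on tFactory are unguarded, and `TransformerFactory.setAttribute` is specified to throw `IllegalArgumentException` when the loaded implementation does not recognise the attribute, so with a non-JDK factory on the classpath every parseXMP call would fail with an unchecked exception instead of the declared TransformerException. Failing closed is the right outcome for a parser that may see untrusted XMP, but it should be deliberate: wrap the two calls and rethrow the cause as a TransformerException so callers see why parsing was refused. The Javadoc that ends just above the signature should also state that these attributes only govern the XMLReader the factory creates itself (e.g. for a StreamSource); a caller-supplied SAXSource with its own XMLReader, or an already-parsed DOMSource, is not covered by this change. The body of parseXMP continues past the end of the hunk.
```java
public static Metadata parseXMP(Source src) throws TransformerException {
    TransformerFactory tFactory = TransformerFactory.newInstance();
    try {
        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
    } catch (IllegalArgumentException e) {
        // Fail closed: refuse to parse with a factory that cannot restrict external access.
        throw new TransformerException(
                "XSLT implementation does not support restricting external DTD/stylesheet access", e);
    }
    Transformer transformer = tFactory.newTransformer();
    // … unchanged: handler, SAXResult and transform …
```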
|
|
diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
|
|
index 6519de6..3250d08 100644
|
|
--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
|
|
+++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
|
|
@@ -19,16 +19,21 @@
|
|
|
|
package org.apache.xmlgraphics.xmp;
|
|
|
|
+import java.io.StringReader;
|
|
import java.net.URL;
|
|
import java.util.Calendar;
|
|
import java.util.Date;
|
|
import java.util.TimeZone;
|
|
|
|
+import javax.xml.transform.TransformerException;
|
|
+import javax.xml.transform.stream.StreamSource;
|
|
+
|
|
import org.junit.Test;
|
|
|
|
import static org.junit.Assert.assertEquals;
|
|
import static org.junit.Assert.assertNotNull;
|
|
import static org.junit.Assert.assertNull;
|
|
+import static org.junit.Assert.assertTrue;
|
|
|
|
import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
|
|
import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
|
|
@@ -189,4 +194,18 @@ public void testParseEmptyValues() throws Exception {
|
|
assertNull(title); //Empty value treated same as not existant
|
|
}
|
|
|
|
+ @Test
|
|
+ public void testExternalDTD() {
|
|
+ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
|
|
+ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
|
|
+ + "<root></root>";
|
|
+ StreamSource streamSource = new StreamSource(new StringReader(payload));
|
|
+ String msg = "";
|
|
+ try {
|
|
+ XMPParser.parseXMP(streamSource);
|
|
+ } catch (TransformerException e) {
|
|
+ msg = e.getMessage();
|
|
+ }
|
|
+ assertTrue(msg, msg.contains("access is not allowed"));
|
|
+ }
|
|
}
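Review bot: `assertTrue(msg, msg.contains("access is not allowed"))` in testExternalDTD pins the test to the exact wording the JDK's built-in XSLT implementation uses for the JAXP 1.5 access restriction, so the test breaks under another TransformerFactory implementation or a rewording in a later JDK even when the external DTD is still blocked; that coupling should at least be recorded with a comment such as `// message text is JDK-specific; any other TransformerException here means the DTD fetch was attempted`. When parseXMP returns normally, `msg` stays `""` and the failure is reported as an assertTrue with an empty message, which hides the most important case — the parameter entity being fetched or silently ignored; putting `fail("external DTD was loaded or ignored without error");` directly after the `XMPParser.parseXMP(streamSource)` call inside the try makes that case explicit (AssertionError is not caught by the TransformerException handler). The loopback URL on a port nothing presumably listens on keeps the test off the network, which is worth a one-line comment on the payload so nobody later replaces it with a "real" host.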