Description: Fixes CVE-2016-2175: XML External Entity vulnerability
Origin: backport, https://svn.apache.org/r1739564
--- a/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
+++ b/jempbox/src/main/java/org/apache/jempbox/impl/XMLUtil.java
@@ -71,6 +71,12 @@
try
{
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ builderFactory.setXIncludeAware(false);
+ builderFactory.setExpandEntityReferences(false);
DocumentBuilder builder = builderFactory.newDocumentBuilder();
return builder.parse( is );
}
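Review bot: The four Apache-specific feature URIs added to the factory make `setFeature` throw `ParserConfigurationException` on any JAXP implementation that does not recognise them, so on a non-Xerces parser the builder setup now fails outright rather than parsing without the hardening; whether the enclosing `try` (its catch clauses lie outside the hunk) converts that into an IOException or lets it escape is not visible here. Since `disallow-doctype-decl` alone already rejects every DOCTYPE, a portable option is to set the standard `XMLConstants.FEATURE_SECURE_PROCESSING` first and to state the intended failure mode in a comment such as `// Reject DOCTYPE and external entities (CVE-2016-2175); setFeature throws if the parser cannot honour them`. The same six lines are repeated verbatim in PDXFA.getDocument, pdfbox XMLUtil and the DomXmpParser constructor; within a module a shared factory helper would keep the copies from drifting. `setXIncludeAware(false)` matches the JAXP default and is harmless, but worth noting as documentation of intent rather than a behaviour change.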
--- a/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java
+++ b/pdfbox/src/main/java/org/apache/pdfbox/pdmodel/interactive/form/PDXFA.java
@@ -148,6 +148,12 @@
public Document getDocument() throws ParserConfigurationException, SAXException, IOException
{
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
Document xfaDocument = builder.parse(new ByteArrayInputStream(this.getBytes()));
--- a/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
+++ b/pdfbox/src/main/java/org/apache/pdfbox/util/XMLUtil.java
@@ -56,6 +56,12 @@
try
{
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+ builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ builderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ builderFactory.setXIncludeAware(false);
+ builderFactory.setExpandEntityReferences(false);
DocumentBuilder builder = builderFactory.newDocumentBuilder();
return builder.parse( is );
}
--- a/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java
+++ b/xmpbox/src/main/java/org/apache/xmpbox/xml/DomXmpParser.java
@@ -67,7 +67,6 @@
public class DomXmpParser
{
-
private DocumentBuilder dBuilder;
private NamespaceFinder nsFinder;
@@ -79,6 +78,12 @@
try
{
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+ dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ dbFactory.setXIncludeAware(false);
+ dbFactory.setExpandEntityReferences(false);
dbFactory.setNamespaceAware(true);
dBuilder = dbFactory.newDocumentBuilder();
nsFinder = new NamespaceFinder();
@@ -87,7 +92,6 @@
{
throw new XmpParsingException(ErrorType.Configuration, "Failed to initilalize", e);
}
-
}
public boolean isStrictParsing()