From: Markus Koschany <apo@debian.org>
Date: Mon, 2 Aug 2021 07:47:01 +0200
Subject: CVE-2020-11988
Bug-Debian: https://bugs.debian.org/984949
Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
---
.../java/org/apache/xmlgraphics/xmp/XMPParser.java | 3 +++
.../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
2 files changed, 22 insertions(+)
diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
index b7c0e5f..4c58a11 100644
--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
import java.net.URL;
+import javax.xml.XMLConstants;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
@@ -54,6 +55,8 @@ public final class XMPParser {
*/
public static Metadata parseXMP(Source src) throws TransformerException {
TransformerFactory tFactory = TransformerFactory.newInstance();
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer transformer = tFactory.newTransformer();
XMPHandler handler = createXMPHandler();
SAXResult res = new SAXResult(handler);
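Review bot: The two attributes added on the `tFactory` lines govern only the XMLReader the transformer creates for itself, yet `parseXMP(Source src)` accepts any `javax.xml.transform.Source`, so a caller passing a `SAXSource` with its own `XMLReader` (or a `DOMSource` parsed elsewhere) is not covered by this change. If such a path can carry untrusted XMP, the caller's reader must be hardened separately, or `parseXMP` should substitute its own; at minimum the new lines deserve a comment so the next maintainer does not assume every input is protected: `// JAXP 1.5: block external DTD/entity and stylesheet fetches (CVE-2020-11988). Covers only the reader the transformer creates itself; a SAXSource with a caller-supplied XMLReader is not affected.` Note also that `setAttribute` throws `IllegalArgumentException` on a factory that does not recognise these names (an older Xalan on the classpath), which turns every parse into a failure rather than an insecure one — a reasonable fail-closed default, but it should be a deliberate choice rather than a surprise. The rest of `parseXMP` continues outside the hunk.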
diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
index 02c4cf6..5f2ef05 100644
--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
@@ -19,16 +19,21 @@
package org.apache.xmlgraphics.xmp;
+import java.io.StringReader;
import java.net.URL;
import java.util.Calendar;
import java.util.Date;
import java.util.TimeZone;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.stream.StreamSource;
+
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
@@ -189,4 +194,18 @@ public class XMPParserTestCase {
assertNull(title); //Empty value treated same as not existant
}
+ @Test
+ public void testExternalDTD() {
+ String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+ + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
+ + "<root></root>";
+ StreamSource streamSource = new StreamSource(new StringReader(payload));
+ String msg = "";
+ try {
+ XMPParser.parseXMP(streamSource);
+ } catch (TransformerException e) {
+ msg = e.getMessage();
+ }
+ assertTrue(msg, msg.contains("access is not allowed"));
+ }
}
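Review bot: The assertion on `msg.contains("access is not allowed")` pins the wording of the JDK's built-in parser, so the test is tied to one JAXP implementation; under a different `TransformerFactory` that refuses the fetch with other text it fails rather than silently passing, which is acceptable for a regression guard but should be stated so nobody later loosens it. A comment above the assert would do: `// Wording comes from the JDK's bundled parser; another JAXP implementation may phrase the refusal differently.` The test also exercises only the `StreamSource` path; a companion case feeding a `SAXSource` with a caller-supplied `XMLReader` would document whether that path is covered by the fix. If the fix were absent, the parser would attempt `http://127.0.0.1:9999/eval.xml` and a connection-refused `TransformerException` would carry a different message, so the assertion correctly fails in that case too.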