Browse Source

防止XXE漏洞

xian 6 years ago
parent
commit
4d94febb03

+ 12 - 5
watero-common-tool/src/main/java/com/iamberry/wechat/tools/GetWxOrderno.java

@@ -16,7 +16,7 @@ import org.jdom.input.SAXBuilder;
 
 public class GetWxOrderno {
 
-    private static final Logger log = Logger.getLogger(GetWxOrderno.class);
+	private static final Logger log = Logger.getLogger(GetWxOrderno.class);
 	/**
 	 * description:获取预支付id
 	 */
@@ -41,7 +41,7 @@ public class GetWxOrderno {
 
 	/**
 	 * description:获取扫码支付连接
-	 * 
+	 *
 	 * @param url
 	 * @param xmlParam
 	 * @return
@@ -66,7 +66,7 @@ public class GetWxOrderno {
 
 	/**
 	 * 解析xml,返回第一级元素键值对。
-	 * 
+	 *
 	 * @param strxml
 	 * @return
 	 * @throws JDOMException
@@ -81,6 +81,13 @@ public class GetWxOrderno {
 		Map<String, String> m = new HashMap<String, String>();
 		InputStream in = string2Inputstream(strxml);
 		SAXBuilder builder = new SAXBuilder();
+
+		// 防止XXE
+		builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+		builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+		builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
 		Document doc = builder.build(in);
 		Element root = doc.getRootElement();
 		List<Element> list = root.getChildren();
@@ -107,7 +114,7 @@ public class GetWxOrderno {
 
 	/**
 	 * 获取子结点的xml
-	 * 
+	 *
 	 * @param children
 	 * @return String
 	 */
@@ -137,4 +144,4 @@ public class GetWxOrderno {
 		return new ByteArrayInputStream(str.getBytes());
 	}
 
-}
+}