cid#1608462 XML external entity processing enabled

and

cid#1608334 XML external entity processing enabled
cid#1608302 XML external entity processing enabled
cid#1608234 XML external entity processing enabled
cid#1608094 XML external entity processing enabled
cid#1607973 XML external entity processing enabled
cid#1607890 XML external entity processing enabled
cid#1607706 XML external entity processing enabled
cid#1607366 XML external entity processing enabled
cid#1607026 XML external entity processing enabled
cid#1606764 XML external entity processing enabled

Change-Id: I7894d335f244ed3ddbbe43d9bdbc2818065830f3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171461
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Caolán McNamara 2024-08-04 14:57:37 +01:00
parent 2610e15e9d
commit b5e2dc7367
8 changed files with 175 additions and 14 deletions


@ -1020,6 +1020,7 @@ public abstract class OfficeDocumentReportTarget extends AbstractReportTarget
{
inputStream = getInputRepository().createInputStream("meta.xml");
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
Document document = dBuilder.parse(new InputSource(inputStream));
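Review bot: Rejecting any DOCTYPE via `disallow-doctype-decl` on line 32 is a stricter choice than the external-entity/secure-processing feature set this same commit applies to the xmerge parsers, and it makes parsing fail with a SAXParseException for any meta.xml that carries a legacy DOCTYPE (the xmerge code in this commit still emits a `-//OpenOffice.org//DTD OfficeDocument 1.0//EN` document type, so such files exist). If this report target only ever reads meta.xml that LibreOffice itself produced, that is the right call and a comment should say so: `// meta.xml is generated by us and never carries a DOCTYPE; reject one outright (XXE hardening)`. Note also that `setFeature` throws ParserConfigurationException; whether the enclosing try catches it, and where `inputStream` is closed, is outside the hunk.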


@ -18,6 +18,8 @@
package com.sun.star.script.framework.container;
import com.sun.star.script.framework.log.LogUtils;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
@ -29,6 +31,7 @@ import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.XMLConstants;
import org.w3c.dom.Document;
@ -60,6 +63,26 @@ public class XMLParserFactory {
public DefaultParser() {
factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
LogUtils.DEBUG(LogUtils.getTrace(e));
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
LogUtils.DEBUG(LogUtils.getTrace(e));
}
}
public Document parse(InputStream inputStream) throws IOException {
@ -103,4 +126,4 @@ public class XMLParserFactory {
}
}
}
}
}
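Review bot: In the `DefaultParser` constructor a failed `setFeature` call is only logged at DEBUG (lines 61-62 and 67-68) and construction continues, so a parser implementation that does not recognise one of these Xerces feature URIs would silently keep external entity resolution enabled. The package name suggests this parser handles script and extension metadata that may not be trusted (inferred, not visible in the hunk), so consider failing closed, e.g. `throw new IllegalStateException("cannot configure secure XML parser: " + feature, e);`, or at least log at a visible level with the feature URI in the message. The three URIs are the standard SAX/Xerces ones and are supported by the JDK's built-in parser, so the fail-closed path would only trigger with a foreign JAXP implementation.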


@ -31,6 +31,7 @@ import javax.xml.transform.TransformerFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.dom.DOMSource;
import javax.xml.XMLConstants;
import org.w3c.dom.Node;
import org.w3c.dom.Document;
@ -43,9 +44,34 @@ import org.openoffice.xmerge.util.Debug;
public class DOMDocument
implements org.openoffice.xmerge.Document {
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/** Factory for {@code DocumentBuilder} objects. */
private static DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
private static DocumentBuilderFactory factory = makeFactory();
/** DOM {@code Document} of content.xml. */
private Document contentDoc = null;
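Review bot: `makeFactory()` (lines 91-111) is copied verbatim into OfficeDocument, DocumentDeserializerImpl, DocumentSerializerImpl and ConverterInfoReader in this same commit, so the next XML hardening change has to be applied in five places. All five classes already depend on `org.openoffice.xmerge.util.Debug`, so a single public static factory method in that util package, with the body of this helper moved unchanged, would keep the feature list in one spot; each class would then read `private static DocumentBuilderFactory factory = <util class>.makeSecureFactory();`. The helper itself is otherwise reasonable: the three SAX/Xerces features plus `FEATURE_SECURE_PROCESSING` cover external general and parameter entities, external DTD loading and entity-expansion limits.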


@ -193,7 +193,7 @@ public class EmbeddedXMLObject extends EmbeddedObject {
try {
if (builder == null) {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setValidating(false);
builder = factory.newDocumentBuilder();
}
@ -277,4 +277,4 @@ public class EmbeddedXMLObject extends EmbeddedObject {
root.appendChild(objectNode);
}
}
}
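Review bot: `disallow-doctype-decl` on line 125 makes this parser throw on any embedded object content that declares a DOCTYPE, whereas the sibling xmerge classes in this commit only disable external entities and keep DOCTYPE-bearing documents parseable; `OfficeDocument` in this same change still creates a `-//OpenOffice.org//DTD OfficeDocument 1.0//EN` document type, which suggests content from that generation of files may carry one. If such input can reach `EmbeddedXMLObject`, the consistent fix is the same feature set used elsewhere in the commit, i.e. `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` plus the parameter-entities and `load-external-dtd` features and `XMLConstants.FEATURE_SECURE_PROCESSING`. If a DOCTYPE is genuinely never expected here, a one-line comment recording that decision would stop the next reader from "fixing" the inconsistency. The enclosing method starts and ends outside the hunk.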


@ -35,6 +35,7 @@ import java.util.HashMap;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.XMLConstants;
import org.w3c.dom.Node;
import org.w3c.dom.Element;
@ -58,9 +59,34 @@ import org.openoffice.xmerge.util.Debug;
public abstract class OfficeDocument
implements org.openoffice.xmerge.Document, OfficeConstants {
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/** Factory for {@code DocumentBuilder} objects. */
private static DocumentBuilderFactory factory =
DocumentBuilderFactory.newInstance();
private static DocumentBuilderFactory factory = makeFactory();
/** DOM {@code Document} of content.xml. */
private Document contentDoc = null;
@ -642,7 +668,7 @@ public abstract class OfficeDocument
write(os);
} else {
try {
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory builderFactory = makeFactory();
DocumentBuilder builder= builderFactory.newDocumentBuilder();
DOMImplementation domImpl = builder.getDOMImplementation();
domImpl.createDocumentType("office:document","-//OpenOffice.org//DTD OfficeDocument 1.0//EN",null);
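Review bot: At line 179 the write path builds a second hardened factory with `makeFactory()` even though the class now has a static `factory` field initialised the same way (line 171); `DocumentBuilder builder = factory.newDocumentBuilder();` would do and removes one of two places that must stay in sync. The builder on this path is used only for `getDOMImplementation()` and `createDocumentType()`, never to parse input, so the hardening here is defensive rather than a fix and the change is one of style. The enclosing method starts and ends outside the hunk.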


@ -25,6 +25,7 @@ import java.util.Iterator;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
@ -33,6 +34,7 @@ import javax.xml.transform.URIResolver;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import javax.xml.XMLConstants;
import org.openoffice.xmerge.ConvertData;
import org.openoffice.xmerge.ConvertException;
@ -57,6 +59,32 @@ public final class DocumentDeserializerImpl
private final ConvertData cd;
private final PluginFactoryImpl pluginFactory;
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/**
* Constructor that assigns the given {@code ConvertData} to this object.
*
@ -93,7 +121,7 @@ public final class DocumentDeserializerImpl
domDoc = docOut.getContentDOM();
baos = transform(domDoc);
sxwDoc.initContentDOM();
DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory dFactory = makeFactory();
dFactory.setNamespaceAware(true);
DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
sxwDoc.setContentDOM(dBuilder.parse(new ByteArrayInputStream(baos.toByteArray())));
@ -135,7 +163,7 @@ public final class DocumentDeserializerImpl
ConverterInfo ci = pluginFactory.getConverterInfo();
ByteArrayOutputStream baos= new ByteArrayOutputStream();
try{
DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory dFactory = makeFactory();
dFactory.setNamespaceAware(true);
DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
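Review bot: The DOM parsers are now hardened, but this class also drives XSLT (imports of `TransformerFactory`, `URIResolver` and `StreamSource` on lines 190-196, and `transform(domDoc)` at line 229), and a stylesheet or the document it processes can pull in external resources through `document()`, `xsl:include`/`xsl:import` and the stylesheet's own DTD, none of which the DocumentBuilderFactory features cover. If the stylesheets or their inputs can be user-supplied, the factory that creates the Transformer should get `tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` together with `tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`. Where the Transformer is created is outside this hunk, so I cannot tell whether it is already protected.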


@ -32,6 +32,7 @@ import org.openoffice.xmerge.ConvertData;
import org.openoffice.xmerge.ConvertException;
import org.openoffice.xmerge.DocumentSerializer;
import org.openoffice.xmerge.converter.dom.DOMDocument;
import org.openoffice.xmerge.util.Debug;
import org.openoffice.xmerge.util.registry.ConverterInfo;
import org.openoffice.xmerge.converter.xml.OfficeConstants;
@ -47,6 +48,9 @@ import javax.xml.transform.Source;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.XMLConstants;
/**
* Xslt implementation of {@code org.openoffice.xmerge.DocumentSerializer}
@ -65,6 +69,32 @@ public final class DocumentSerializerImpl
private final PluginFactoryImpl pluginFactory;
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/**
* Constructor.
*
@ -97,8 +127,7 @@ public final class DocumentSerializerImpl
Node offnode = domDoc.getDocumentElement();
if (!(offnode.getNodeName()).equals("office:document")) {
try {
DocumentBuilderFactory builderFactory = DocumentBuilderFactory
.newInstance();
DocumentBuilderFactory builderFactory = makeFactory();
DocumentBuilder builder = builderFactory.newDocumentBuilder();
DOMImplementation domImpl = builder.getDOMImplementation();
DocumentType docType = domImpl.createDocumentType(
@ -231,7 +260,7 @@ public final class DocumentSerializerImpl
ByteArrayOutputStream baos = new ByteArrayOutputStream();
try {
DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory dFactory = makeFactory();
dFactory.setNamespaceAware(true);
DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
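Review bot: The error logged from `makeFactory()` when a feature cannot be set (lines 274 and 280) reads `"Exception when calling setFeature: "` and does not say which feature failed, so a partially hardened factory leaves no usable trace in the log. Including the URI is a small change in the loop, `Debug.log(Debug.ERROR, "Exception when calling setFeature(" + feature + "): ", e);`, and the second block can name `XMLConstants.FEATURE_SECURE_PROCESSING` the same way. Since the identical helper appears in four other xmerge classes in this commit, whichever wording is chosen should be applied to all of them.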


@ -21,9 +21,11 @@ package org.openoffice.xmerge.util.registry;
import java.io.*;
import java.util.*;
import java.util.jar.*;
import org.openoffice.xmerge.util.Debug;
import org.xml.sax.*;
import org.w3c.dom.*;
import javax.xml.parsers.*;
import javax.xml.XMLConstants;
import java.net.URL;
import java.net.JarURLConnection;
@ -49,6 +51,32 @@ public class ConverterInfoReader {
private final Document document;
private final ArrayList<ConverterInfo> converterInfoList;
private static DocumentBuilderFactory makeFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
String[] featuresToDisable = {
"http://xml.org/sax/features/external-general-entities",
"http://xml.org/sax/features/external-parameter-entities",
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : featuresToDisable) {
try {
factory.setFeature(feature, false);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
}
try {
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch (ParserConfigurationException e) {
Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
}
return factory;
}
/**
* Constructor.
*
@ -92,7 +120,7 @@ public class ConverterInfoReader {
// Get the DOM builder and build the document.
DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory builderFactory = makeFactory();
//DTD validation