From b5e2dc736700b5b626006e16a9726e9be391f34d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?=
Date: Sun, 4 Aug 2024 14:57:37 +0100
Subject: [PATCH] cid#1608462 XML external entity processing enabled
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

and cid#1608334 XML external entity processing enabled
cid#1608302 XML external entity processing enabled
cid#1608234 XML external entity processing enabled
cid#1608094 XML external entity processing enabled
cid#1607973 XML external entity processing enabled
cid#1607890 XML external entity processing enabled
cid#1607706 XML external entity processing enabled
cid#1607366 XML external entity processing enabled
cid#1607026 XML external entity processing enabled
cid#1606764 XML external entity processing enabled

Change-Id: I7894d335f244ed3ddbbe43d9bdbc2818065830f3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171461
Tested-by: Jenkins
Reviewed-by: Caolán McNamara
---
 .../output/OfficeDocumentReportTarget.java | 1 +
 .../framework/container/XMLParserFactory.java | 25 ++++++++++++-
 .../xmerge/converter/dom/DOMDocument.java | 30 ++++++++++++++--
 .../converter/xml/EmbeddedXMLObject.java | 4 +-
 .../xmerge/converter/xml/OfficeDocument.java | 32 +++++++++++++++--
 .../xml/xslt/DocumentDeserializerImpl.java | 32 +++++++++++++++--
 .../xml/xslt/DocumentSerializerImpl.java | 35 +++++++++++++++++--
 .../util/registry/ConverterInfoReader.java | 30 +++++++++++++++-
 8 files changed, 175 insertions(+), 14 deletions(-)

diff --git a/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java b/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
index b73b5781b3a3..7d69f3b5887c 100644
--- a/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
+++ b/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
@@ -1020,6 +1020,7 @@ public abstract class OfficeDocumentReportTarget extends AbstractReportTarget {
 inputStream = getInputRepository().createInputStream("meta.xml");
 DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
+ dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
 Document document = dBuilder.parse(new InputSource(inputStream));
diff --git a/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java b/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java
index 02c9e6c34244..dec4fc440415 100644
--- a/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java
+++ b/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java
@@ -18,6 +18,8 @@ package com.sun.star.script.framework.container;
+import com.sun.star.script.framework.log.LogUtils;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
@@ -29,6 +31,7 @@ import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
 import org.w3c.dom.Document;
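Review bot: The added `setFeature` line carries no comment explaining why this parser rejects any DOCTYPE outright while the xmerge classes in the same patch only switch off external-entity and external-DTD loading; a maintainer "unifying" the two styles later could quietly weaken this one. Suggest placing `// Refuse any DOCTYPE in meta.xml: blocks XXE and entity-expansion attacks (cid#1608462).` above it. Note that `setFeature` throws ParserConfigurationException on a JAXP provider that does not know the Apache feature URI, which makes this path fail closed (no builder, no parse); whether that exception is handled depends on the enclosing method, which starts and ends outside the hunk.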
@@ -60,6 +63,26 @@ public class XMLParserFactory {
 public DefaultParser() {
 factory = DocumentBuilderFactory.newInstance();
+
+ String[] featuresToDisable = {
+ "http://xml.org/sax/features/external-general-entities",
+ "http://xml.org/sax/features/external-parameter-entities",
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd"
+ };
+
+ for (String feature : featuresToDisable) {
+ try {
+ factory.setFeature(feature, false);
+ } catch (ParserConfigurationException e) {
+ LogUtils.DEBUG(LogUtils.getTrace(e));
+ }
+ }
+
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogUtils.DEBUG(LogUtils.getTrace(e));
+ }
 }
 public Document parse(InputStream inputStream) throws IOException {
@@ -103,4 +126,4 @@ public class XMLParserFactory {
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java
index fc21398383c6..5877b99d3de9 100644
--- a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java
+++ b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java
@@ -31,6 +31,7 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.dom.DOMSource;
+import javax.xml.XMLConstants;
 import org.w3c.dom.Node;
 import org.w3c.dom.Document;
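Review bot: A failure to disable `external-general-entities` or `external-parameter-entities` in the DefaultParser constructor is only logged through `LogUtils.DEBUG` and the factory is then used regardless, so under a JAXP provider that does not recognise those SAX feature names the parser stays XXE-capable and nobody notices. For those two features consider failing closed, e.g. `throw new IllegalStateException("cannot disable " + feature, e);`, or at least log at a level that is on by default. Two one-liners that OWASP's XXE guidance pairs with these features are also absent: `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);`. The class continues outside the hunk, so any caller-side handling is not visible here.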
@@ -43,9 +44,34 @@ import org.openoffice.xmerge.util.Debug;
 public class DOMDocument implements org.openoffice.xmerge.Document {
+ private static DocumentBuilderFactory makeFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ String[] featuresToDisable = {
+ "http://xml.org/sax/features/external-general-entities",
+ "http://xml.org/sax/features/external-parameter-entities",
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd"
+ };
+
+ for (String feature : featuresToDisable) {
+ try {
+ factory.setFeature(feature, false);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+ }
+
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+
+ return factory;
+ }
+
 /** Factory for {@code DocumentBuilder} objects. */
- private static DocumentBuilderFactory factory =
- DocumentBuilderFactory.newInstance();
+ private static DocumentBuilderFactory factory = makeFactory();
 /** DOM {@code Document} of content.xml. */
 private Document contentDoc = null;
diff --git a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
index b081d6fa13aa..8f8ac1bf7cf7 100644
--- a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
+++ b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
@@ -193,7 +193,7 @@ public class EmbeddedXMLObject extends EmbeddedObject {
 try {
 if (builder == null) {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 factory.setValidating(false);
 builder = factory.newDocumentBuilder();
 }
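Review bot: `makeFactory()` is pasted verbatim into five xmerge classes by this patch (DOMDocument, OfficeDocument, DocumentDeserializerImpl, DocumentSerializerImpl, ConverterInfoReader), so any later hardening tweak has to be repeated five times and the copies will drift. A single `public static DocumentBuilderFactory newSecureFactory()` in `org.openoffice.xmerge.util` (next to `Debug`, which every copy already imports) would let `private static DocumentBuilderFactory factory = makeFactory();` become a one-line delegate or a direct call. The method also lacks a Javadoc; `/** Builds a DocumentBuilderFactory with external entities and external DTD loading disabled and secure processing enabled (XXE hardening); a feature that cannot be set is logged, not fatal. */` matches the file's existing field comments.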
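Review bot: `disallow-doctype-decl` makes the parse fail on any document that carries a DOCTYPE, and this same patch shows xmerge producing one: DocumentSerializerImpl creates a `DocumentType` for `office:document` and OfficeDocument calls `createDocumentType("office:document","-//OpenOffice.org//DTD OfficeDocument 1.0//EN",null)`. If the embedded-object streams parsed here come from the same OpenOffice.org 1.x-style documents they may legitimately start with that declaration, and they would now be rejected rather than parsed without external entities; worth confirming against a real sample before merging. The other xmerge classes take the softer route of disabling the two external-entity features and `nonvalidating/load-external-dtd` plus `FEATURE_SECURE_PROCESSING`, which keeps such documents loadable, so using the same settings here would be both safer for compatibility and consistent. The enclosing method begins before this hunk and ends after it.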
@@ -277,4 +277,4 @@ public class EmbeddedXMLObject extends EmbeddedObject {
 root.appendChild(objectNode);
 }
-}
\ No newline at end of file
+}
diff --git a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
index 7fb3efe2b853..49695e173da3 100644
--- a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
+++ b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
@@ -35,6 +35,7 @@ import java.util.HashMap;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
 import org.w3c.dom.Node;
 import org.w3c.dom.Element;
@@ -58,9 +59,34 @@ import org.openoffice.xmerge.util.Debug;
 public abstract class OfficeDocument
 implements org.openoffice.xmerge.Document, OfficeConstants {
+ private static DocumentBuilderFactory makeFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ String[] featuresToDisable = {
+ "http://xml.org/sax/features/external-general-entities",
+ "http://xml.org/sax/features/external-parameter-entities",
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd"
+ };
+
+ for (String feature : featuresToDisable) {
+ try {
+ factory.setFeature(feature, false);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+ }
+
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+
+ return factory;
+ }
+
 /** Factory for {@code DocumentBuilder} objects. */
- private static DocumentBuilderFactory factory =
- DocumentBuilderFactory.newInstance();
+ private static DocumentBuilderFactory factory = makeFactory();
 /** DOM {@code Document} of content.xml. */
 private Document contentDoc = null;
@@ -642,7 +668,7 @@ public abstract class OfficeDocument
 write(os);
 } else {
 try {
- DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory builderFactory = makeFactory();
 DocumentBuilder builder= builderFactory.newDocumentBuilder();
 DOMImplementation domImpl = builder.getDOMImplementation();
 domImpl.createDocumentType("office:document","-//OpenOffice.org//DTD OfficeDocument 1.0//EN",null);
diff --git a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
index c8eb43fdfd8b..d88d1f35c10b 100644
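Review bot: Both catch blocks in `makeFactory()` log the identical text `"Exception when calling setFeature: "`, so an ERROR entry cannot say which of the four features failed, and the method still returns the factory as if all of them had applied. Include the feature in the message, e.g. `Debug.log(Debug.ERROR, "Exception when calling setFeature(" + feature + "): ", e);` in the loop, and name `FEATURE_SECURE_PROCESSING` in the second block. Since the two external-entity features are what actually close the XXE vector, treating their failure as fatal instead of logging would make this fail closed under a JAXP provider that lacks them; the JDK's built-in parser supports all four, so this only matters when xmerge runs with another provider on the classpath.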
--- a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
+++ b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
@@ -25,6 +25,7 @@ import java.util.Iterator;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -33,6 +34,7 @@ import javax.xml.transform.URIResolver;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
+import javax.xml.XMLConstants;
 import org.openoffice.xmerge.ConvertData;
 import org.openoffice.xmerge.ConvertException;
@@ -57,6 +59,32 @@ public final class DocumentDeserializerImpl
 private final ConvertData cd;
 private final PluginFactoryImpl pluginFactory;
+ private static DocumentBuilderFactory makeFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ String[] featuresToDisable = {
+ "http://xml.org/sax/features/external-general-entities",
+ "http://xml.org/sax/features/external-parameter-entities",
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd"
+ };
+
+ for (String feature : featuresToDisable) {
+ try {
+ factory.setFeature(feature, false);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+ }
+
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+
+ return factory;
+ }
+
 /**
 * Constructor that assigns the given {@code ConvertData} to this object.
 *
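Review bot: Only the DOM-parser side of DocumentDeserializerImpl is hardened by the new `makeFactory()`; the import hunks show this class also drives an XSLT transform (`Transformer`, `URIResolver`, `StreamSource`), and a `TransformerFactory` resolves the stylesheet's own DOCTYPE and any `document()` call through the same external-resource paths unless it is configured too. If the `TransformerFactory` created elsewhere in this file (outside these hunks) is not given `XMLConstants.FEATURE_SECURE_PROCESSING` and `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` / `ACCESS_EXTERNAL_STYLESHEET`, the same class of finding stays open on that path. That is a follow-up check rather than a change to this hunk, which is complete as far as the DocumentBuilderFactory goes.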
@@ -93,7 +121,7 @@ public final class DocumentDeserializerImpl
 domDoc = docOut.getContentDOM();
 baos = transform(domDoc);
 sxwDoc.initContentDOM();
- DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dFactory = makeFactory();
 dFactory.setNamespaceAware(true);
 DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
 sxwDoc.setContentDOM(dBuilder.parse(new ByteArrayInputStream(baos.toByteArray())));
@@ -135,7 +163,7 @@ public final class DocumentDeserializerImpl
 ConverterInfo ci = pluginFactory.getConverterInfo();
 ByteArrayOutputStream baos= new ByteArrayOutputStream();
 try{
- DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dFactory = makeFactory();
 dFactory.setNamespaceAware(true);
 DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
diff --git a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
index 0d1e8d7ba4d8..4d7e42b655fa 100644
--- a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
+++ b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
@@ -32,6 +32,7 @@ import org.openoffice.xmerge.ConvertData;
 import org.openoffice.xmerge.ConvertException;
 import org.openoffice.xmerge.DocumentSerializer;
 import org.openoffice.xmerge.converter.dom.DOMDocument;
+import org.openoffice.xmerge.util.Debug;
 import org.openoffice.xmerge.util.registry.ConverterInfo;
 import org.openoffice.xmerge.converter.xml.OfficeConstants;
@@ -47,6 +48,9 @@ import javax.xml.transform.Source;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import javax.xml.XMLConstants;
 /**
 * Xslt implementation of {@code org.openoffice.xmerge.DocumentSerializer}
@@ -65,6 +69,32 @@ public final class DocumentSerializerImpl
 private final PluginFactoryImpl pluginFactory;
+ private static DocumentBuilderFactory makeFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ String[] featuresToDisable = {
+ "http://xml.org/sax/features/external-general-entities",
+ "http://xml.org/sax/features/external-parameter-entities",
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd"
+ };
+
+ for (String feature : featuresToDisable) {
+ try {
+ factory.setFeature(feature, false);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+ }
+
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+
+ return factory;
+ }
+
 /**
 * Constructor.
 *
@@ -97,8 +127,7 @@ public final class DocumentSerializerImpl
 Node offnode = domDoc.getDocumentElement();
 if (!(offnode.getNodeName()).equals("office:document")) {
 try {
- DocumentBuilderFactory builderFactory = DocumentBuilderFactory
- .newInstance();
+ DocumentBuilderFactory builderFactory = makeFactory();
 DocumentBuilder builder = builderFactory.newDocumentBuilder();
 DOMImplementation domImpl = builder.getDOMImplementation();
 DocumentType docType = domImpl.createDocumentType(
@@ -231,7 +260,7 @@ public final class DocumentSerializerImpl
 ByteArrayOutputStream baos = new ByteArrayOutputStream();
 try {
- DocumentBuilderFactory dFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory dFactory = makeFactory();
 dFactory.setNamespaceAware(true);
 DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
diff --git a/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java b/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
index 21831a69173f..baf71820bd51 100644
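Review bot: The new `makeFactory()` in DocumentSerializerImpl has no Javadoc even though the file documents the constructor right below it, and the reason behind the exact feature list is what a later reader will need when deciding whether a feature can be dropped. A two-line comment above the method would do: `/** Creates a DocumentBuilderFactory hardened against XXE: external general/parameter entities and external DTD loading are disabled and secure processing is enabled. A feature the provider cannot set is logged, not thrown. */`. The same comment applies to the identical copies in the other xmerge classes touched by this patch.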
--- a/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
+++ b/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
@@ -21,9 +21,11 @@ package org.openoffice.xmerge.util.registry;
 import java.io.*;
 import java.util.*;
 import java.util.jar.*;
+import org.openoffice.xmerge.util.Debug;
 import org.xml.sax.*;
 import org.w3c.dom.*;
 import javax.xml.parsers.*;
+import javax.xml.XMLConstants;
 import java.net.URL;
 import java.net.JarURLConnection;
@@ -49,6 +51,32 @@ public class ConverterInfoReader {
 private final Document document;
 private final ArrayList converterInfoList;
+ private static DocumentBuilderFactory makeFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ String[] featuresToDisable = {
+ "http://xml.org/sax/features/external-general-entities",
+ "http://xml.org/sax/features/external-parameter-entities",
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd"
+ };
+
+ for (String feature : featuresToDisable) {
+ try {
+ factory.setFeature(feature, false);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+ }
+
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+ }
+
+ return factory;
+ }
+
 /**
 * Constructor.
 *
@@ -92,7 +120,7 @@ public class ConverterInfoReader {
 // Get the DOM builder and build the document.
- DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory builderFactory = makeFactory();
 //DTD validation
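Review bot: `nonvalidating/load-external-dtd` is, by its name and Xerces semantics, honoured only while the factory is non-validating, and the cut-off last hunk of this file ends on a `//DTD validation` comment, which suggests the constructor may switch validation on after `makeFactory()`. In that mode the external DTD is still fetched, unless `external-parameter-entities=false` suppresses it, in which case validation would fail for want of the DTD; either outcome is worth checking against how converter.xml is actually validated. If validation against an external DTD is intended, a local `EntityResolver` that serves the DTD from the jar, or `builderFactory.setValidating(false)`, is the cleaner fix. The constructor that consumes this factory starts and ends outside the hunk.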