liyiorg / weixin-popular

WeChat SDK for Java (Official Accounts Platform, Open Platform, Merchant Platform, Service Provider Platform)
Apache License 2.0

The JAXB usage in XMLConverUtil has an XXE vulnerability #171

Closed jxs-xx closed 5 years ago

jxs-xx commented 5 years ago

The convertToObject code in XMLConverUtil still has an XXE vulnerability; the following handling code needs to be added for JAXB:

```java
import java.io.StringReader;
import javax.xml.bind.*;
import javax.xml.stream.*;

public static <T> T convertToObject(Class<T> clazz, String xml) throws JAXBException, XMLStreamException {
    JAXBContext jaxbContext = JAXBContext.newInstance(clazz);
    XMLInputFactory xif = XMLInputFactory.newFactory();
    // Reject external entities so attacker-controlled XML cannot read local files or reach internal URLs
    xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    // DTDs remain allowed here; setting this to false would additionally block DTD-declared entity expansion
    xif.setProperty(XMLInputFactory.SUPPORT_DTD, true);
    // Parse through the hardened StAX reader instead of letting JAXB create its own parser from the string
    XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
    Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
    return (T) unmarshaller.unmarshal(xsr);
}
```
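As an added illustration (not code from the issue or from weixin-popular), the vulnerable direct-unmarshal form beside a hardened StAX-backed one, wired to a hypothetical JAXB binding for a WeChat inbound text message. It assumes javax.xml.bind (JAXB) is on the classpath as in the project, and it sets SUPPORT_DTD to false, which is stricter than the setting in the comment above; WeChat messages never carry a DOCTYPE, so nothing legitimate is lost.

```java
import java.io.StringReader;
import javax.xml.bind.*;
import javax.xml.bind.annotation.*;
import javax.xml.stream.*;

public class WeixinXmlDemo {

    // Hypothetical JAXB binding for a WeChat inbound text message (element names as in the WeChat XML)
    @XmlRootElement(name = "xml")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class TextMessage {
        @XmlElement(name = "ToUserName") public String toUserName;
        @XmlElement(name = "FromUserName") public String fromUserName;
        @XmlElement(name = "MsgType") public String msgType;
        @XmlElement(name = "Content") public String content;
    }

    // Vulnerable form the issue describes: JAXB builds its own parser with default settings,
    // so entities declared in an attacker-supplied DOCTYPE are resolved.
    public static <T> T unmarshalUnsafe(Class<T> clazz, String xml) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(clazz).createUnmarshaller();
        return clazz.cast(u.unmarshal(new StringReader(xml)));
    }

    // Hardened form: a StAX reader configured as in the issue, plus SUPPORT_DTD=false
    // (stricter than the issue's setting; WeChat messages never carry a DOCTYPE).
    public static <T> T unmarshalSafe(Class<T> clazz, String xml) throws JAXBException, XMLStreamException {
        XMLInputFactory xif = XMLInputFactory.newFactory();
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(clazz).createUnmarshaller();
        return u.unmarshal(xsr, clazz).getValue();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample in the WeChat inbound-message format; CDATA fields parse unchanged
        String msg = "<xml><ToUserName><![CDATA[gh_demo]]></ToUserName>"
                + "<FromUserName><![CDATA[openid_demo]]></FromUserName>"
                + "<MsgType><![CDATA[text]]></MsgType>"
                + "<Content><![CDATA[hello]]></Content></xml>";
        TextMessage m = unmarshalSafe(TextMessage.class, msg);
        System.out.println(m.msgType + " from " + m.fromUserName + " to " + m.toUserName + ": " + m.content);
    }
}
```

Using unmarshal(xsr, clazz).getValue() also removes the unchecked cast from the original fix.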
liyiorg commented 5 years ago

@jxs-xx This has already been fixed on the dev branch; a new release is expected in mid-August.