
XXE vulnerability #889

Closed
QiAnXinCodeSafe opened this issue Dec 20, 2018 · 2 comments

Comments

@QiAnXinCodeSafe

commented Dec 20, 2018

Hello:
I am a staff member of 360 CodeSafe. During our code scanning of open-source projects we found that the weixin-java-tools project has an XXE vulnerability. The details are as follows:
In the getXmlDoc method of the BaseWxPayResult.java file:
[screenshot]
An XML parser is created, but external entities are not disabled before it is used directly to parse the XML, which leads to an XXE vulnerability.

This is a blind XXE; here is a simple reproduction.
Modify xmlStr in BaseWxPayResultTest.java:
[screenshot]
Log output:
[screenshot]
Please fix this as soon as possible.
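
Added example, not code from the issue or from weixin-java-tools: the default-configured DOM parser the report describes, next to a hardened one that refuses any DOCTYPE, run against a constructed XML input; the class and method names and the placeholder SYSTEM URI are my own.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {
  // Constructed test input (not taken from the report): a DOCTYPE that declares an
  // external entity and a body that references it. The SYSTEM URI is a placeholder.
  static final String XML_WITH_DOCTYPE =
      "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE xml [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file\">]>\n"
      + "<xml><return_code>&ext;</return_code></xml>";

  // Parser built the way the report describes: factory defaults, external
  // entities left enabled, so &ext; is resolved by fetching the SYSTEM URI.
  static Document parseUnsafe(String xml)
      throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    return builder.parse(new InputSource(new StringReader(xml)));
  }

  // Hardened parser: WeChat Pay responses never need a DTD, so reject any DOCTYPE
  // outright; the remaining features are defence in depth for other parsers.
  static Document parseHardened(String xml)
      throws ParserConfigurationException, SAXException, IOException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
  }

  public static void main(String[] args) throws Exception {
    try {
      parseHardened(XML_WITH_DOCTYPE);
      System.out.println("unexpected: hardened parser accepted a DOCTYPE");
    } catch (SAXException e) {
      // Expected: the document is refused before any entity is resolved.
      System.out.println("hardened parser rejected the DOCTYPE: " + e.getMessage());
    }
  }
}
```

Running parseUnsafe on the same input instead makes the parser attempt to read the placeholder URI, which is the behaviour the report's log screenshot captures.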

@binarywang

Member

commented Dec 20, 2018

Thanks for pointing this out promptly; I plan to fix it soon.

binarywang added a commit that referenced this issue Dec 20, 2018
@binarywang

Member

commented Dec 21, 2018

Fixed in test version 3.2.10.B

@binarywang binarywang closed this Dec 21, 2018
comeonc added a commit to comeonc/weixin-java-tools that referenced this issue Jan 2, 2019
…nto wechat-develop

* 'develop' of github.com:Wechat-Group/weixin-java-tools: (67 commits)
  Release 3.3.1.B test version
  Wechat-Group#900 Add interfaces for creating group-buy coupons, cash coupons, discount coupons, exchange coupons and general coupons
  Wechat-Group#899 Add an allFieldsMap property to WxCpXmlMessage holding all attribute values of the xml message
  Change the return type of the WeCom department create interface to long
  Change the totalFee field type to Integer
  update contributor list
  Update demo.md
  Update readme.md
  Upgrade org.dom4j:dom4j to version 2.1.1
  Update readme.md
  Bump version number in preparation for releasing the latest stable version
  Rename project
  Update readme.md
  Update readme.md
  Update readme.md
  Wechat-Group#888 Fix inconsistent signing methods in some WeChat Pay interface requests
  Add some comments
  Optimize code
  Release 3.2.10.B test version
  Wechat-Group#889 Fix some code with potential XXE vulnerabilities
  ...
comeonc added a commit to comeonc/weixin-java-tools that referenced this issue Jan 2, 2019
…to wechat-master

* 'master' of github.com:Wechat-Group/weixin-java-tools: (91 commits)
  Update contribution.md
  Update readme.md
  Update readme.md
  update contributor list
  Update demo.md
  Update readme.md
  Upgrade org.dom4j:dom4j to version 2.1.1
  Update readme.md
  Bump version number in preparation for releasing the latest stable version
  Rename project
  Update readme.md
  Update readme.md
  Update readme.md
  Wechat-Group#888 Fix inconsistent signing methods in some WeChat Pay interface requests
  Add some comments
  Optimize code
  Release 3.2.10.B test version
  Wechat-Group#889 Fix some code with potential XXE vulnerabilities
  Wechat-Group#783 Add group chat related interfaces to the WeCom module
  Wechat-Group#884 Add an interface to the WeChat Official Account module for migrating user openids after a subject change
  ...