Prevent XXE-vulnerability

DEV-1863
itext · Aug 1, 2017 · ac55909 · ac55909
1 parent ea25cb0
commit ac55909
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/src/main/java/com/itextpdf/rups/model/XfaFile.java b/src/main/java/com/itextpdf/rups/model/XfaFile.java
@@ -47,6 +47,7 @@
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.io.StringReader;
 
 import org.dom4j.Document;
 import org.dom4j.DocumentException;
@@ -55,6 +56,9 @@
 import org.dom4j.io.XMLWriter;
 
 import com.itextpdf.rups.io.OutputStreamResource;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 /** Class that deals with the XFA file that can be inside a PDF file. */
 public class XfaFile implements OutputStreamResource {
@@ -76,6 +80,7 @@ public XfaFile(OutputStreamResource resource) throws IOException, DocumentExcept
 		resource.writeTo(baos);
 		ByteArrayInputStream bais = new ByteArrayInputStream(baos.toByteArray());
 		SAXReader reader = new SAXReader();
+		reader.setEntityResolver(new SafeEmptyEntityResolver());
 		xfaDocument = reader.read(bais);
 	}
 
@@ -98,4 +103,10 @@ public void writeTo(OutputStream os) throws IOException {
         XMLWriter writer = new XMLWriter(os, format);
         writer.write(xfaDocument);
 	}
+
+	private static class SafeEmptyEntityResolver implements EntityResolver {
+		public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+			return new InputSource(new StringReader(""));
+		}
+	}
 }