XXE injection security vulnerability
Fix #287
Paco Avila committed May 20, 2021
1 parent 70ccc75 commit ce1d823
Showing 2 changed files with 7 additions and 1 deletion.
Expand Up @@ -69,8 +69,10 @@ public String extractText(InputStream stream, String type, String encoding) thro
saxParserFactory.setValidating(false);
SAXParser saxParser = saxParserFactory.newSAXParser();
XMLReader xmlReader = saxParser.getXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/validation", false);
xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
xmlReader.setFeature("http://xml.org/sax/features/validation", false);

ZipInputStream zis = new ZipInputStream(stream);
ZipEntry ze = zis.getNextEntry();
4 changes: 4 additions & 0 deletions src/main/java/com/openkm/extractor/XMLTextExtractor.java
Expand Up @@ -81,6 +81,10 @@ public String extractText(InputStream stream, String type, String encoding) thro
SAXParserFactory factory = SAXParserFactory.newInstance();
SAXParser parser = factory.newSAXParser();
XMLReader reader = parser.getXMLReader();
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
reader.setFeature("http://xml.org/sax/features/validation", false);
reader.setContentHandler(handler);
reader.setErrorHandler(handler);

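Review bot: The four new `setFeature` calls on `reader` stop the parser from fetching external general/parameter entities and the external DTD, but the reader still accepts an inline DOCTYPE, so internal entity declarations (and the expansion-based resource exhaustion they enable) are not covered by this fix; the same gap applies to the parallel hunk in the first changed file. Adding `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to the new lines, or `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` before `factory.newSAXParser()`, would close it. The `http://apache.org/xml/features/...` URI is Xerces-specific and a non-Xerces `XMLReader` would raise `SAXNotRecognizedException` on it; the method's `throws` clause is truncated in the hunk header, so whether that propagates or is caught is not visible here. A short comment above the block, e.g. `// Harden against XXE: no external entities, no external DTD`, would record why these features are set. The enclosing `extractText` method starts and ends outside the hunk.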
