Apply suggestions from Uwe Schindler for more secure xml defaults for #54764 and #56164, for xml parsers which support them

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1615720 13f79535-47bb-0310-9956-ffa450edef68
2014-08-04 18:17:26 +00:00 · 2014-08-04 18:17:26 +00:00 · 236c3c52a9
parent c557276cb4
commit 236c3c52a9
3 changed files with 53 additions and 1 deletions
--- a/src/ooxml/java/org/apache/poi/util/SAXHelper.java
+++ b/src/ooxml/java/org/apache/poi/util/SAXHelper.java
@ -20,6 +20,9 @@ package org.apache.poi.util;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.StringReader;
+import java.lang.reflect.Method;
+
+import javax.xml.XMLConstants;

 import org.dom4j.Document;
 import org.dom4j.DocumentException;
@ -33,20 +36,50 @@ import org.xml.sax.SAXException;
 * Provides handy methods for working with SAX parsers and readers
 */
 public final class SAXHelper {
+    private static POILogger logger = POILogFactory.getLogger(SAXHelper.class);
+            
    /**
     * Creates a new SAX Reader, with sensible defaults
     */
    public static SAXReader getSAXReader() {
        SAXReader xmlReader = new SAXReader();
+        xmlReader.setValidation(false);
        xmlReader.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException, IOException {
                return new InputSource(new StringReader(""));
            }
        });
+        trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        trySetXercesSecurityManager(xmlReader);
        return xmlReader;
    }
-    
+    private static void trySetSAXFeature(SAXReader xmlReader, String feature, boolean enabled) {
+        try {
+            xmlReader.setFeature(feature, enabled);
+        } catch (Exception e) {
+            logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
+        }
+    }
+    private static void trySetXercesSecurityManager(SAXReader xmlReader) {
+        // Try built-in JVM one first, standalone if not
+        for (String securityManagerClassName : new String[] {
+                "com.sun.org.apache.xerces.internal.util.SecurityManager",
+                "org.apache.xerces.util.SecurityManager"
+        }) {
+            try {
+                Object mgr = Class.forName(securityManagerClassName).newInstance();
+                Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
+                setLimit.invoke(mgr, 4096);
+                xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
+                // Stop once one can be setup without error
+                return;
+            } catch (Exception e) {
+                logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
+            }
+        }
+    }
+
    /**
     * Parses the given stream via the default (sensible)
     * SAX Reader
--- a/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
+++ b/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
@ -38,6 +38,7 @@ import java.util.List;
 import org.apache.poi.EncryptedDocumentException;
 import org.apache.poi.POIDataSamples;
 import org.apache.poi.POIXMLDocumentPart;
+import org.apache.poi.POIXMLProperties;
 import org.apache.poi.hssf.HSSFTestDataSamples;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
 import org.apache.poi.openxml4j.opc.OPCPackage;
@ -1846,6 +1847,24 @@ public final class TestXSSFBugs extends BaseTestBugzillaIssues {
        assertEquals("A4", cRef.getCellFormula());
    }
    
+    @Test
+    public void bug54764() throws Exception {
+        OPCPackage pkg = XSSFTestDataSamples.openSamplePackage("54764.xlsx");
+        
+        // Check the core properties - will be found but empty, due
+        //  to the expansion being too much to be considered valid
+        POIXMLProperties props = new POIXMLProperties(pkg);
+        assertEquals(null, props.getCoreProperties().getTitle());
+        assertEquals(null, props.getCoreProperties().getSubject());
+        assertEquals(null, props.getCoreProperties().getDescription());
+        
+        // Now check the spreadsheet itself
+        // TODO Fix then enable
+//        XSSFWorkbook wb = new XSSFWorkbook(pkg);
+//        XSSFSheet s = wb.getSheetAt(0);
+        // TODO Check
+    }
+    
    /**
     * .xlsb files are not supported, but we should generate a helpful
     *  error message if given one
--- a/test-data/spreadsheet/54764.xlsx
+++ b/test-data/spreadsheet/54764.xlsx