Apply suggestions from Uwe Schindler for more secure xml defaults for #54764 and #56164, for xml parsers which support them
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1615720 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
parent
c557276cb4
commit
236c3c52a9
@ -20,6 +20,9 @@ package org.apache.poi.util;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.io.StringReader;
|
||||
import java.lang.reflect.Method;
|
||||
|
||||
import javax.xml.XMLConstants;
|
||||
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentException;
|
||||
@ -33,19 +36,49 @@ import org.xml.sax.SAXException;
|
||||
* Provides handy methods for working with SAX parsers and readers
|
||||
*/
|
||||
public final class SAXHelper {
|
||||
private static POILogger logger = POILogFactory.getLogger(SAXHelper.class);
|
||||
|
||||
/**
|
||||
* Creates a new SAX Reader, with sensible defaults
|
||||
*/
|
||||
public static SAXReader getSAXReader() {
|
||||
SAXReader xmlReader = new SAXReader();
|
||||
xmlReader.setValidation(false);
|
||||
xmlReader.setEntityResolver(new EntityResolver() {
|
||||
public InputSource resolveEntity(String publicId, String systemId)
|
||||
throws SAXException, IOException {
|
||||
return new InputSource(new StringReader(""));
|
||||
}
|
||||
});
|
||||
trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
||||
trySetXercesSecurityManager(xmlReader);
|
||||
return xmlReader;
|
||||
}
|
||||
private static void trySetSAXFeature(SAXReader xmlReader, String feature, boolean enabled) {
|
||||
try {
|
||||
xmlReader.setFeature(feature, enabled);
|
||||
} catch (Exception e) {
|
||||
logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
|
||||
}
|
||||
}
|
||||
private static void trySetXercesSecurityManager(SAXReader xmlReader) {
|
||||
// Try built-in JVM one first, standalone if not
|
||||
for (String securityManagerClassName : new String[] {
|
||||
"com.sun.org.apache.xerces.internal.util.SecurityManager",
|
||||
"org.apache.xerces.util.SecurityManager"
|
||||
}) {
|
||||
try {
|
||||
Object mgr = Class.forName(securityManagerClassName).newInstance();
|
||||
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
|
||||
setLimit.invoke(mgr, 4096);
|
||||
xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
|
||||
// Stop once one can be setup without error
|
||||
return;
|
||||
} catch (Exception e) {
|
||||
logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Parses the given stream via the default (sensible)
|
||||
|
@ -38,6 +38,7 @@ import java.util.List;
|
||||
import org.apache.poi.EncryptedDocumentException;
|
||||
import org.apache.poi.POIDataSamples;
|
||||
import org.apache.poi.POIXMLDocumentPart;
|
||||
import org.apache.poi.POIXMLProperties;
|
||||
import org.apache.poi.hssf.HSSFTestDataSamples;
|
||||
import org.apache.poi.hssf.usermodel.HSSFWorkbook;
|
||||
import org.apache.poi.openxml4j.opc.OPCPackage;
|
||||
@ -1846,6 +1847,24 @@ public final class TestXSSFBugs extends BaseTestBugzillaIssues {
|
||||
assertEquals("A4", cRef.getCellFormula());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void bug54764() throws Exception {
|
||||
OPCPackage pkg = XSSFTestDataSamples.openSamplePackage("54764.xlsx");
|
||||
|
||||
// Check the core properties - will be found but empty, due
|
||||
// to the expansion being too much to be considered valid
|
||||
POIXMLProperties props = new POIXMLProperties(pkg);
|
||||
assertEquals(null, props.getCoreProperties().getTitle());
|
||||
assertEquals(null, props.getCoreProperties().getSubject());
|
||||
assertEquals(null, props.getCoreProperties().getDescription());
|
||||
|
||||
// Now check the spreadsheet itself
|
||||
// TODO Fix then enable
|
||||
// XSSFWorkbook wb = new XSSFWorkbook(pkg);
|
||||
// XSSFSheet s = wb.getSheetAt(0);
|
||||
// TODO Check
|
||||
}
|
||||
|
||||
/**
|
||||
* .xlsb files are not supported, but we should generate a helpful
|
||||
* error message if given one
|
||||
|
BIN
test-data/spreadsheet/54764.xlsx
Normal file
BIN
test-data/spreadsheet/54764.xlsx
Normal file
Binary file not shown.
Loading…
Reference in New Issue
Block a user