Apply suggestions from Uwe Schindler for more secure xml defaults for #54764 and #56164, for xml parsers which support them

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1615720 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Nick Burch 2014-08-04 18:17:26 +00:00
parent c557276cb4
commit 236c3c52a9
3 changed files with 53 additions and 1 deletions

View File

@ -20,6 +20,9 @@ package org.apache.poi.util;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.lang.reflect.Method;
import javax.xml.XMLConstants;
import org.dom4j.Document;
import org.dom4j.DocumentException;
@ -33,19 +36,49 @@ import org.xml.sax.SAXException;
* Provides handy methods for working with SAX parsers and readers
*/
public final class SAXHelper {
private static POILogger logger = POILogFactory.getLogger(SAXHelper.class);
/**
* Creates a new SAX Reader, with sensible defaults
*/
public static SAXReader getSAXReader() {
SAXReader xmlReader = new SAXReader();
xmlReader.setValidation(false);
xmlReader.setEntityResolver(new EntityResolver() {
public InputSource resolveEntity(String publicId, String systemId)
throws SAXException, IOException {
return new InputSource(new StringReader(""));
}
});
trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
trySetXercesSecurityManager(xmlReader);
return xmlReader;
}
private static void trySetSAXFeature(SAXReader xmlReader, String feature, boolean enabled) {
try {
xmlReader.setFeature(feature, enabled);
} catch (Exception e) {
logger.log(POILogger.INFO, "SAX Feature unsupported", feature, e);
}
}
private static void trySetXercesSecurityManager(SAXReader xmlReader) {
// Try built-in JVM one first, standalone if not
for (String securityManagerClassName : new String[] {
"com.sun.org.apache.xerces.internal.util.SecurityManager",
"org.apache.xerces.util.SecurityManager"
}) {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
setLimit.invoke(mgr, 4096);
xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
// Stop once one can be setup without error
return;
} catch (Exception e) {
logger.log(POILogger.INFO, "SAX Security Manager could not be setup", e);
}
}
}
/**
* Parses the given stream via the default (sensible)

View File

@ -38,6 +38,7 @@ import java.util.List;
import org.apache.poi.EncryptedDocumentException;
import org.apache.poi.POIDataSamples;
import org.apache.poi.POIXMLDocumentPart;
import org.apache.poi.POIXMLProperties;
import org.apache.poi.hssf.HSSFTestDataSamples;
import org.apache.poi.hssf.usermodel.HSSFWorkbook;
import org.apache.poi.openxml4j.opc.OPCPackage;
@ -1846,6 +1847,24 @@ public final class TestXSSFBugs extends BaseTestBugzillaIssues {
assertEquals("A4", cRef.getCellFormula());
}
@Test
public void bug54764() throws Exception {
OPCPackage pkg = XSSFTestDataSamples.openSamplePackage("54764.xlsx");
// Check the core properties - will be found but empty, due
// to the expansion being too much to be considered valid
POIXMLProperties props = new POIXMLProperties(pkg);
assertEquals(null, props.getCoreProperties().getTitle());
assertEquals(null, props.getCoreProperties().getSubject());
assertEquals(null, props.getCoreProperties().getDescription());
// Now check the spreadsheet itself
// TODO Fix then enable
// XSSFWorkbook wb = new XSSFWorkbook(pkg);
// XSSFSheet s = wb.getSheetAt(0);
// TODO Check
}
/**
* .xlsb files are not supported, but we should generate a helpful
* error message if given one

Binary file not shown.