reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
         |    1 
 scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java   
                  |   25 ++++++-
 xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java 
                  |   30 ++++++++
 
xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
             |    4 -
 
xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
                |   32 ++++++++-
 
xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
 |   32 ++++++++-
 
xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
   |   35 +++++++++-
 
xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
           |   30 ++++++++
 8 files changed, 175 insertions(+), 14 deletions(-)

New commits:
commit b5e2dc736700b5b626006e16a9726e9be391f34d
Author:     Caolán McNamara <[email protected]>
AuthorDate: Sun Aug 4 14:57:37 2024 +0100
Commit:     Caolán McNamara <[email protected]>
CommitDate: Sun Aug 4 20:05:02 2024 +0200

    cid#1608462 XML external entity processing enabled
    
    and
    
    cid#1608334 XML external entity processing enabled
    cid#1608302 XML external entity processing enabled
    cid#1608234 XML external entity processing enabled
    cid#1608094 XML external entity processing enabled
    cid#1607973 XML external entity processing enabled
    cid#1607890 XML external entity processing enabled
    cid#1607706 XML external entity processing enabled
    cid#1607366 XML external entity processing enabled
    cid#1607026 XML external entity processing enabled
    cid#1606764 XML external entity processing enabled
    
    Change-Id: I7894d335f244ed3ddbbe43d9bdbc2818065830f3
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/171461
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <[email protected]>

diff --git 
a/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
 
b/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
index b73b5781b3a3..7d69f3b5887c 100644
--- 
a/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
+++ 
b/reportbuilder/java/org/libreoffice/report/pentaho/output/OfficeDocumentReportTarget.java
@@ -1020,6 +1020,7 @@ public abstract class OfficeDocumentReportTarget extends 
AbstractReportTarget
             {
                 inputStream = 
getInputRepository().createInputStream("meta.xml");
                 DocumentBuilderFactory dbFactory = 
DocumentBuilderFactory.newInstance();
+                
dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
                 DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
                 Document document = dBuilder.parse(new 
InputSource(inputStream));
 
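Review bot: The added `setFeature` line at the top of the hunk uses the Xerces-specific `disallow-doctype-decl` feature and, unlike the xmerge and scripting files in this commit, neither catches `ParserConfigurationException` locally nor turns on `XMLConstants.FEATURE_SECURE_PROCESSING`. On a JAXP provider that does not know the feature, `setFeature` throws and the meta.xml parse is presumably abandoned by the enclosing handler — fail-closed, which is defensible here, but it deserves stating: `// Reject any DOCTYPE in meta.xml: blocks external entity resolution outright; an unsupported feature aborts the parse instead of falling back to an unhardened parser.` The enclosing try block starts and ends outside the hunk, so whether the exception is handled next to `newDocumentBuilder()` (which throws the same type) cannot be confirmed from here.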
diff --git 
a/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java 
b/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java
index 02c9e6c34244..dec4fc440415 100644
--- 
a/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java
+++ 
b/scripting/java/com/sun/star/script/framework/container/XMLParserFactory.java
@@ -18,6 +18,8 @@
 
 package com.sun.star.script.framework.container;
 
+import com.sun.star.script.framework.log.LogUtils;
+
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
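Review bot: The new `com.sun.star.script.framework.log.LogUtils` import is placed ahead of the `java.io` group, while the visible imports otherwise run java → javax → org, so the project-local import would conventionally go in the last group. The same applies to `javax.xml.XMLConstants` in the next hunk, which lands after `javax.xml.transform.stream.StreamResult` instead of in alphabetical position within the `javax.xml` group.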
@@ -29,6 +31,7 @@ import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
 
 import org.w3c.dom.Document;
 
@@ -60,6 +63,26 @@ public class XMLParserFactory {
 
         public DefaultParser() {
             factory = DocumentBuilderFactory.newInstance();
+
+            String[] featuresToDisable = {
+                "http://xml.org/sax/features/external-general-entities";,
+                "http://xml.org/sax/features/external-parameter-entities";,
+                
"http://apache.org/xml/features/nonvalidating/load-external-dtd";
+            };
+
+            for (String feature : featuresToDisable) {
+                try {
+                    factory.setFeature(feature, false);
+                } catch (ParserConfigurationException e) {
+                    LogUtils.DEBUG(LogUtils.getTrace(e));
+                }
+            }
+
+            try {
+                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, 
true);
+            } catch (ParserConfigurationException e) {
+                LogUtils.DEBUG(LogUtils.getTrace(e));
+            }
         }
 
         public Document parse(InputStream inputStream) throws IOException {
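Review bot: Every `setFeature` failure in the new `DefaultParser()` body is swallowed after a `LogUtils.DEBUG` trace, so on a JAXP provider that rejects one of the three URIs the factory silently keeps its default, external-entity-enabled configuration — fail-open for exactly the condition this commit fixes. Consider either logging at a level operators actually see or making the failure fatal for the factory, e.g. `throw new IllegalStateException("XML parser cannot disable external entities", e);` in the first catch, since `FEATURE_SECURE_PROCESSING` alone does not stop external entity resolution. `factory.setExpandEntityReferences(false);` and `factory.setXIncludeAware(false);` are cheap additions to the same block. The same log-and-continue pattern is repeated in the `makeFactory()` helpers added to DOMDocument, OfficeDocument, DocumentDeserializerImpl, DocumentSerializerImpl and ConverterInfoReader.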
@@ -103,4 +126,4 @@ public class XMLParserFactory {
             }
         }
     }
-}
\ No newline at end of file
+}
diff --git 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java
 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java
index fc21398383c6..5877b99d3de9 100644
--- 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java
+++ 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/dom/DOMDocument.java
@@ -31,6 +31,7 @@ import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.dom.DOMSource;
+import javax.xml.XMLConstants;
 
 import org.w3c.dom.Node;
 import org.w3c.dom.Document;
@@ -43,9 +44,34 @@ import org.openoffice.xmerge.util.Debug;
 public class DOMDocument
     implements org.openoffice.xmerge.Document {
 
+    private static DocumentBuilderFactory makeFactory() {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+        String[] featuresToDisable = {
+            "http://xml.org/sax/features/external-general-entities";,
+            "http://xml.org/sax/features/external-parameter-entities";,
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+        };
+
+        for (String feature : featuresToDisable) {
+            try {
+                factory.setFeature(feature, false);
+            } catch (ParserConfigurationException e) {
+                Debug.log(Debug.ERROR, "Exception when calling setFeature: ", 
e);
+            }
+        }
+
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+            Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+        }
+
+        return factory;
+    }
+
     /** Factory for {@code DocumentBuilder} objects. */
-    private static DocumentBuilderFactory factory =
-       DocumentBuilderFactory.newInstance();
+    private static DocumentBuilderFactory factory = makeFactory();
 
     /** DOM {@code Document} of content.xml. */
     private Document contentDoc = null;
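Review bot: `makeFactory()` added here is byte-for-byte the same private static helper added to OfficeDocument, DocumentDeserializerImpl, DocumentSerializerImpl and ConverterInfoReader in this commit, each with its own copy of the feature list and of the `Debug.log` handling. A single public static factory method beside `Debug` in `org.openoffice.xmerge.util`, which all five files already use, would keep the hardening policy in one place so that a future feature cannot be added to four copies and missed in the fifth. The feature list could also be a `private static final String[]` rather than rebuilt on every call, and the helper has no documentation; a one-liner such as `/** Returns a DocumentBuilderFactory with external entities and external DTD loading disabled and secure processing enabled. */` would do.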
diff --git 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
index b081d6fa13aa..8f8ac1bf7cf7 100644
--- 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
+++ 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/EmbeddedXMLObject.java
@@ -193,7 +193,7 @@ public class EmbeddedXMLObject extends EmbeddedObject {
         try {
             if (builder == null) {
                 DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
-
+                
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
                 factory.setValidating(false);
                 builder = factory.newDocumentBuilder();
             }
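Review bot: The replacement line in the middle of the hunk uses `disallow-doctype-decl` rather than the three-feature-plus-secure-processing set the other xmerge classes adopt, so the same module now carries two different hardening policies: a DOCTYPE in embedded-object XML makes this parse throw, whereas the neighbouring classes would accept it (minus external resolution). If the stricter behaviour is intentional, say so on the line: `// Reject any DOCTYPE outright: blocks external entity resolution; deliberately stricter than makeFactory() elsewhere in xmerge.` The `try` wrapping this code continues outside the hunk, so whether its `catch` covers the `ParserConfigurationException` that `setFeature` can now throw is not visible here — `newDocumentBuilder()` two lines below throws the same type, so it presumably does.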
@@ -277,4 +277,4 @@ public class EmbeddedXMLObject extends EmbeddedObject {
 
         root.appendChild(objectNode);
     }
-}
\ No newline at end of file
+}
diff --git 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
index 7fb3efe2b853..49695e173da3 100644
--- 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
+++ 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/OfficeDocument.java
@@ -35,6 +35,7 @@ import java.util.HashMap;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.XMLConstants;
 
 import org.w3c.dom.Node;
 import org.w3c.dom.Element;
@@ -58,9 +59,34 @@ import org.openoffice.xmerge.util.Debug;
 public abstract class OfficeDocument
     implements org.openoffice.xmerge.Document, OfficeConstants {
 
+    private static DocumentBuilderFactory makeFactory() {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+        String[] featuresToDisable = {
+            "http://xml.org/sax/features/external-general-entities";,
+            "http://xml.org/sax/features/external-parameter-entities";,
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+        };
+
+        for (String feature : featuresToDisable) {
+            try {
+                factory.setFeature(feature, false);
+            } catch (ParserConfigurationException e) {
+                Debug.log(Debug.ERROR, "Exception when calling setFeature: ", 
e);
+            }
+        }
+
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+            Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+        }
+
+        return factory;
+    }
+
     /** Factory for {@code DocumentBuilder} objects. */
-    private static DocumentBuilderFactory factory =
-       DocumentBuilderFactory.newInstance();
+    private static DocumentBuilderFactory factory = makeFactory();
 
     /** DOM {@code Document} of content.xml. */
     private Document contentDoc = null;
@@ -642,7 +668,7 @@ public abstract class OfficeDocument
             write(os);
         } else {
         try {
-        DocumentBuilderFactory builderFactory = 
DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory builderFactory = makeFactory();
         DocumentBuilder builder= builderFactory.newDocumentBuilder();
         DOMImplementation domImpl = builder.getDOMImplementation();
         domImpl.createDocumentType("office:document","-//OpenOffice.org//DTD 
OfficeDocument 1.0//EN",null);
diff --git 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
index c8eb43fdfd8b..d88d1f35c10b 100644
--- 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
+++ 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentDeserializerImpl.java
@@ -25,6 +25,7 @@ import java.util.Iterator;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -33,6 +34,7 @@ import javax.xml.transform.URIResolver;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
+import javax.xml.XMLConstants;
 
 import org.openoffice.xmerge.ConvertData;
 import org.openoffice.xmerge.ConvertException;
@@ -57,6 +59,32 @@ public final class DocumentDeserializerImpl
     private final ConvertData cd;
     private final PluginFactoryImpl pluginFactory;
 
+    private static DocumentBuilderFactory makeFactory() {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+        String[] featuresToDisable = {
+            "http://xml.org/sax/features/external-general-entities";,
+            "http://xml.org/sax/features/external-parameter-entities";,
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+        };
+
+        for (String feature : featuresToDisable) {
+            try {
+                factory.setFeature(feature, false);
+            } catch (ParserConfigurationException e) {
+                Debug.log(Debug.ERROR, "Exception when calling setFeature: ", 
e);
+            }
+        }
+
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+            Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+        }
+
+        return factory;
+    }
+
     /**
      * Constructor that assigns the given {@code ConvertData} to this object.
      *
@@ -93,7 +121,7 @@ public final class DocumentDeserializerImpl
                 domDoc = docOut.getContentDOM();
                 baos = transform(domDoc);
                 sxwDoc.initContentDOM();
-                DocumentBuilderFactory dFactory = 
DocumentBuilderFactory.newInstance();
+                DocumentBuilderFactory dFactory = makeFactory();
                 dFactory.setNamespaceAware(true);
                 DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
                 sxwDoc.setContentDOM(dBuilder.parse(new 
ByteArrayInputStream(baos.toByteArray())));
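Review bot: The hardened factory now parses the output of `transform(domDoc)` two lines above, but the XSLT side is untouched by this commit: the class imports `javax.xml.transform.URIResolver` and `StreamSource`, and a stylesheet loaded through a `TransformerFactory` can itself resolve external DTDs, `document()` sources and imported stylesheets. If that factory is built elsewhere in this class (outside the hunk), the matching controls are `TransformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` together with `setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")`; worth confirming in a follow-up. The same question applies to DocumentSerializerImpl, which also imports `javax.xml.transform`.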
@@ -135,7 +163,7 @@ public final class DocumentDeserializerImpl
        ConverterInfo ci = pluginFactory.getConverterInfo();
        ByteArrayOutputStream baos= new ByteArrayOutputStream();
        try{
-          DocumentBuilderFactory dFactory = 
DocumentBuilderFactory.newInstance();
+          DocumentBuilderFactory dFactory = makeFactory();
           dFactory.setNamespaceAware(true);
           DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
 
diff --git 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
index 0d1e8d7ba4d8..4d7e42b655fa 100644
--- 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
+++ 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/converter/xml/xslt/DocumentSerializerImpl.java
@@ -32,6 +32,7 @@ import org.openoffice.xmerge.ConvertData;
 import org.openoffice.xmerge.ConvertException;
 import org.openoffice.xmerge.DocumentSerializer;
 import org.openoffice.xmerge.converter.dom.DOMDocument;
+import org.openoffice.xmerge.util.Debug;
 import org.openoffice.xmerge.util.registry.ConverterInfo;
 import org.openoffice.xmerge.converter.xml.OfficeConstants;
 
@@ -47,6 +48,9 @@ import javax.xml.transform.Source;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import javax.xml.XMLConstants;
 
 /**
  * Xslt implementation of {@code org.openoffice.xmerge.DocumentSerializer}
@@ -65,6 +69,32 @@ public final class DocumentSerializerImpl
 
     private final PluginFactoryImpl pluginFactory;
 
+    private static DocumentBuilderFactory makeFactory() {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+        String[] featuresToDisable = {
+            "http://xml.org/sax/features/external-general-entities";,
+            "http://xml.org/sax/features/external-parameter-entities";,
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+        };
+
+        for (String feature : featuresToDisable) {
+            try {
+                factory.setFeature(feature, false);
+            } catch (ParserConfigurationException e) {
+                Debug.log(Debug.ERROR, "Exception when calling setFeature: ", 
e);
+            }
+        }
+
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+            Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+        }
+
+        return factory;
+    }
+
     /**
      * Constructor.
      *
@@ -97,8 +127,7 @@ public final class DocumentSerializerImpl
         Node offnode = domDoc.getDocumentElement();
         if (!(offnode.getNodeName()).equals("office:document")) {
             try {
-                DocumentBuilderFactory builderFactory = DocumentBuilderFactory
-                        .newInstance();
+                DocumentBuilderFactory builderFactory = makeFactory();
                 DocumentBuilder builder = builderFactory.newDocumentBuilder();
                 DOMImplementation domImpl = builder.getDOMImplementation();
                 DocumentType docType = domImpl.createDocumentType(
@@ -231,7 +260,7 @@ public final class DocumentSerializerImpl
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         try {
 
-            DocumentBuilderFactory dFactory = 
DocumentBuilderFactory.newInstance();
+            DocumentBuilderFactory dFactory = makeFactory();
             dFactory.setNamespaceAware(true);
 
             DocumentBuilder dBuilder = dFactory.newDocumentBuilder();
diff --git 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
index 21831a69173f..baf71820bd51 100644
--- 
a/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
+++ 
b/xmerge/source/xmerge/java/org/openoffice/xmerge/util/registry/ConverterInfoReader.java
@@ -21,9 +21,11 @@ package org.openoffice.xmerge.util.registry;
 import java.io.*;
 import java.util.*;
 import java.util.jar.*;
+import org.openoffice.xmerge.util.Debug;
 import org.xml.sax.*;
 import org.w3c.dom.*;
 import javax.xml.parsers.*;
+import javax.xml.XMLConstants;
 import java.net.URL;
 import java.net.JarURLConnection;
 
@@ -49,6 +51,32 @@ public class ConverterInfoReader {
     private final Document document;
     private final ArrayList<ConverterInfo> converterInfoList;
 
+    private static DocumentBuilderFactory makeFactory() {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+        String[] featuresToDisable = {
+            "http://xml.org/sax/features/external-general-entities";,
+            "http://xml.org/sax/features/external-parameter-entities";,
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+        };
+
+        for (String feature : featuresToDisable) {
+            try {
+                factory.setFeature(feature, false);
+            } catch (ParserConfigurationException e) {
+                Debug.log(Debug.ERROR, "Exception when calling setFeature: ", 
e);
+            }
+        }
+
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+            Debug.log(Debug.ERROR, "Exception when calling setFeature: ", e);
+        }
+
+        return factory;
+    }
+
     /**
      * Constructor.
      *
@@ -92,7 +120,7 @@ public class ConverterInfoReader {
 
         // Get the DOM builder and build the document.
 
-        DocumentBuilderFactory builderFactory = 
DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory builderFactory = makeFactory();
 
         //DTD validation
 
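Review bot: The `//DTD validation` comment directly below the new `makeFactory()` call suggests validation is switched on further down, outside the hunk. `nonvalidating/load-external-dtd`, as its name says, only governs non-validating parses, so in validating mode the protection against fetching an external DTD rests on `external-parameter-entities=false` alone, whose documented semantics also suppress the external DTD subset — which means a registry file whose DOCTYPE points at an external DTD would now fail validation rather than be validated. Confirm whether validation is actually enabled and, if so, run this path against a real converter registry file before relying on the change; a short comment on the `makeFactory()` line recording that outcome would save the next reader the same investigation.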
