
TogaGem: Commit

TogaGemは、3D動画制作ツール、MikuMikuDance(MMD)で用いられる各種データファイルを読み書きするためのJavaライブラリです。
旧TogaParserライブラリの資産は、TogaGemライブラリに吸収されました。


Commit MetaInfo

Revision31fcfbd43a616c8926c93c655a0bc67d1f3e3cca (tree)
Zeit2019-06-29 00:30:08
AutorOlyutorskii <olyutorskii@user...>
CommiterOlyutorskii

Log Message

Secured internal XML reading.


Diff

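--- a/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
+++ b/src/main/java/jp/sfjp/mikutoga/typical/I18nAlias.java
@@ -14,6 +14,7 @@ import java.util.Collections;
 import java.util.Comparator;
 import java.util.LinkedList;
 import java.util.List;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -43,6 +44,15 @@ class I18nAlias {
 public static final Comparator<I18nAlias> ORDER_COMPARATOR =
 new OrderComparator();
 
+private static final String F_DISALLOW_DOCTYPE_DECL =
+"http://apache.org/xml/features/disallow-doctype-decl";
+private static final String F_EXTERNAL_GENERAL_ENTITIES =
+"http://xml.org/sax/features/external-general-entities";
+private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+"http://xml.org/sax/features/external-parameter-entities";
+private static final String F_LOAD_EXTERNAL_DTD =
+"http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
 
 private int orderNo;
 
@@ -110,6 +120,20 @@ class I18nAlias {
 DocumentBuilderFactory factory;
 factory = DocumentBuilderFactory.newInstance();
 
+factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+
+// unsafe but we use DOCTYPE
+factory.setFeature(F_DISALLOW_DOCTYPE_DECL, false);
+
+factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+
+factory.setXIncludeAware(false);
+factory.setExpandEntityReferences(false);
+
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document doc = builder.parse(is);
 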
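Review bot: Each `setFeature` call added in the `@@ -110,6 +120,20 @@` hunk throws `ParserConfigurationException` when the underlying parser does not recognise the feature name, and the two `apache.org` URIs (`F_DISALLOW_DOCTYPE_DECL`, `F_LOAD_EXTERNAL_DTD`) are Xerces-specific, while `DocumentBuilderFactory.newInstance()` honours service-loader and system-property provider overrides; with a non-Xerces provider on the classpath this hardening becomes a configuration failure rather than an unsafe parse, which is the right outcome but is not stated anywhere. The enclosing method starts outside the hunk, so whether it declares or catches that exception is not visible here; a comment such as `// Apache feature URIs are provider-specific; an unsupported feature must fail the parse, never be silently skipped` would make the fail-closed intent explicit. The comment `// unsafe but we use DOCTYPE` would be more useful if it said what is actually relied on, for example `// DOCTYPE stays enabled for the internal DTD subset; external DTD/entity access is blocked above and FEATURE_SECURE_PROCESSING bounds entity expansion`, assuming the bundled resource does declare a DTD, which this hunk does not show.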