Posted to commits@poi.apache.org by ta...@apache.org on 2018/08/15 19:20:12 UTC
svn commit: r1838135 - in /poi/trunk/src/ooxml:
java/org/apache/poi/ooxml/util/ testcases/org/apache/poi/ooxml/util/
testcases/org/apache/poi/xssf/usermodel/
Author: tallison
Date: Wed Aug 15 19:20:11 2018
New Revision: 1838135
URL: http://svn.apache.org/viewvc?rev=1838135&view=rev
Log:
entity_expansion
Modified:
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
Modified: poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java Wed Aug 15 19:20:11 2018
@@ -99,7 +99,9 @@ public final class DocumentHelper {
static {
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setValidating(false);
-
+ //this doesn't appear to work, and we still need to limit
+ //entity expansions to 1 in trySetXercesSecurityManager
+ documentBuilderFactory.setExpandEntityReferences(false);
trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
trySetSAXFeature(documentBuilderFactory, POIXMLConstants.FEATURE_LOAD_DTD_GRAMMAR, false);
trySetSAXFeature(documentBuilderFactory, POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD, false);
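Review bot: The comment added above `setExpandEntityReferences(false)` says it "doesn't appear to work" without saying why, which invites the next maintainer to remove the real guard. `DocumentBuilderFactory.setExpandEntityReferences` only controls whether the resulting DOM keeps EntityReference nodes instead of their expanded text; the parser still expands every entity while reading, so it is not a defense against expansion attacks. I would replace the two comment lines with `// Only affects how entity references are represented in the DOM, not whether the parser` / `// expands them; the expansion limit set in trySetXercesSecurityManager is the actual guard.` The static initializer continues past the end of this hunk.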
@@ -125,7 +127,7 @@ public final class DocumentHelper {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, 4096);
+ setLimit.invoke(mgr, 1);
dbf.setAttribute(POIXMLConstants.PROPERTY_SECURITY_MANAGER, mgr);
// Stop once one can be setup without error
return;
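Review bot: The new limit `1` is now a bare literal in four places: this `setLimit.invoke(mgr, 1)`, the `setAttribute(..., 1)` fallback in the next hunk, and the two matching sites in SAXHelper.trySetXercesSecurityManager. The old values had already drifted between the two helpers (4096 here vs 0 in SAXHelper, which the new comment below correctly notes meant no limit at all), so a shared named constant is the way to keep them from drifting again; for example `static final int ENTITY_EXPANSION_LIMIT = 1;` in POIXMLConstants, referenced from all four sites. It is also worth a one-line comment at the constant explaining that a limit of 1 rejects any part that uses a DTD-declared entity more than once, which appears to be intended here since OOXML parts should not rely on internal DTDs (confirm against the spec). trySetXercesSecurityManager starts before and ends after this hunk.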
@@ -137,7 +139,8 @@ public final class DocumentHelper {
}
// separate old version of Xerces not found => use the builtin way of setting the property
- dbf.setAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 4096);
+ // Note: when entity_expansion_limit==0, there is no limit!
+ dbf.setAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1);
}
/**
Modified: poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java Wed Aug 15 19:20:11 2018
@@ -113,7 +113,7 @@ public final class SAXHelper {
try {
Object mgr = Class.forName(securityManagerClassName).newInstance();
Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, 0);
+ setLimit.invoke(mgr, 1);
xmlReader.setProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER, mgr);
// Stop once one can be setup without error
return;
@@ -130,7 +130,7 @@ public final class SAXHelper {
// separate old version of Xerces not found => use the builtin way of setting the property
try {
- xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 4096);
+ xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1);
} catch (SAXException e) { // NOSONAR - also catch things like NoClassDefError here
// throttle the log somewhat as it can spam the log otherwise
if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
Modified: poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java (original)
+++ poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java Wed Aug 15 19:20:11 2018
@@ -36,7 +36,7 @@ public class TestSAXHelper {
assertFalse(reader.getFeature(POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD));
assertEquals(SAXHelper.IGNORING_ENTITY_RESOLVER, reader.getEntityResolver());
assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
- assertEquals("4096", reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
+ assertEquals("1", reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER));
reader.parse(new InputSource(new ByteArrayInputStream("<xml></xml>".getBytes("UTF-8"))));
Modified: poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java (original)
+++ poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java Wed Aug 15 19:20:11 2018
@@ -44,7 +44,8 @@ import java.util.Set;
import java.util.TimeZone;
import java.util.TreeMap;
-import org.apache.poi.EncryptedDocumentException;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+import org.apache.commons.compress.archivers.zip.ZipFile;
import org.apache.poi.POIDataSamples;
import org.apache.poi.ooxml.POIXMLDocumentPart;
import org.apache.poi.ooxml.POIXMLDocumentPart.RelationPart;
@@ -55,6 +56,8 @@ import org.apache.poi.hssf.HSSFITestData
import org.apache.poi.hssf.HSSFTestDataSamples;
import org.apache.poi.hssf.usermodel.HSSFFormulaEvaluator;
import org.apache.poi.hssf.usermodel.HSSFWorkbook;
+import org.apache.poi.ooxml.util.DocumentHelper;
+import org.apache.poi.ooxml.util.SAXHelper;
import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
import org.apache.poi.openxml4j.exceptions.OpenXML4JException;
@@ -104,6 +107,9 @@ import org.openxmlformats.schemas.spread
import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTDefinedNames;
import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTWorksheet;
import org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTFontImpl;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXParseException;
+import org.xml.sax.XMLReader;
public final class TestXSSFBugs extends BaseTestBugzillaIssues {
public TestXSSFBugs() {
@@ -1915,6 +1921,36 @@ public final class TestXSSFBugs extends
wb.close();
}
+ @Test
+ public void test54764WithSAXHelper() throws Exception {
+ File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
+ ZipFile zip = new ZipFile(testFile);
+ ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
+ XMLReader reader = SAXHelper.newXMLReader();
+ try {
+ reader.parse(new InputSource(zip.getInputStream(ze)));
+ fail("should have thrown SAXParseException");
+ } catch (SAXParseException e) {
+ assertNotNull(e.getMessage());
+ assertTrue(e.getMessage().contains("more than \"1\" entity"));
+ }
+ }
+
+ @Test
+ public void test54764WithDocumentHelper() throws Exception {
+ File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
+ ZipFile zip = new ZipFile(testFile);
+ ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
+ try {
+ DocumentHelper.readDocument(zip.getInputStream(ze));
+ fail("should have thrown SAXParseException");
+ } catch (SAXParseException e) {
+ assertNotNull(e.getMessage());
+ e.printStackTrace();
+ assertTrue(e.getMessage().contains("more than \"1\" entity"));
+ }
+ }
+
/**
* CTDefinedNamesImpl should be included in the smaller
* poi-ooxml-schemas jar
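Review bot: Both new tests open `new ZipFile(testFile)` and never close it, and the `zip.getInputStream(ze)` handed to the parser is not closed either, so each run leaks a file handle (the assertion path throws out of the method before any cleanup could run). `ZipFile` from commons-compress is `Closeable`, so wrapping it in try-with-resources fixes this; the `e.printStackTrace()` in test54764WithDocumentHelper is leftover debug output for an expected exception and should be dropped. The `contains("more than \"1\" entity")` check also appears to pin the JDK/Xerces wording of the expansion-limit message, so a comment such as `// message text is parser-specific; asserting on the exception type is the real check` would tell a future reader why a message change breaks this test. The rewritten shape for the first test is below; the second follows the same pattern.
```java
    @Test
    public void test54764WithSAXHelper() throws Exception {
        File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
        // try-with-resources so the archive is closed whether or not the parse throws
        try (ZipFile zip = new ZipFile(testFile)) {
            ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
            XMLReader reader = SAXHelper.newXMLReader();
            try {
                reader.parse(new InputSource(zip.getInputStream(ze)));
                fail("should have thrown SAXParseException");
            } catch (SAXParseException e) {
                assertNotNull(e.getMessage());
                // message text is parser-specific; the exception type is the real check
                assertTrue(e.getMessage().contains("more than \"1\" entity"));
            }
        }
    }
    // … unchanged: test54764WithDocumentHelper, same try-with-resources shape, without e.printStackTrace() …
```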