I am running into an XML external entity injection problem.
Working example:
import javax.xml.XMLConstants
import javax.xml.transform.Transformer
import javax.xml.transform.TransformerFactory
import javax.xml.transform.stream.StreamResult
import javax.xml.transform.stream.StreamSource

// Stylesheet whose internal DTD declares an external entity pointing at a local file
def xslt = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<!DOCTYPE a [\n" +
"<!ENTITY e SYSTEM \"/etc/passwd\"> ]>\n" +
" <xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">\n" +
" <xsl:template match=\"/\">\n" +
"\n" +
" <Row>\n" +
" &e;\n" +   // entity reference; it is expanded when the stylesheet itself is parsed
" </Row>\n" +
" </xsl:template>\n" +
" </xsl:stylesheet>"
// Harmless input document to be transformed
def input = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<Records>\n" +
" <Row>\n" +
" <data>data1</data>\n" +
" </Row>\n" +
"</Records>"
TransformerFactory factory = TransformerFactory.newInstance()
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
StreamSource xsltStream = new StreamSource(new ByteArrayInputStream(xslt.getBytes()))
Transformer transformer = factory.newTransformer(xsltStream)   // the stylesheet is parsed here
StreamSource ins = new StreamSource(new ByteArrayInputStream(input.getBytes()))
ByteArrayOutputStream bout = new ByteArrayOutputStream()
StreamResult out = new StreamResult(bout)
transformer.transform(ins, out)
print bout.toString()
The output shows the contents of the /etc/passwd file. What can I do to avoid this problem?
I have set the secure-processing feature, but does it have no effect?
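Added example, not part of the original question: the same transform hardened in two independent ways. First, the TransformerFactory is told, via the JAXP 1.5 attributes XMLConstants.ACCESS_EXTERNAL_DTD and XMLConstants.ACCESS_EXTERNAL_STYLESHEET set to the empty string, that no protocol at all may be used to fetch external DTDs, external entities or external stylesheets; these are set explicitly rather than relying on whatever FEATURE_SECURE_PROCESSING implies on a particular JDK. Second, as defence in depth, the stylesheet is parsed beforehand with a DocumentBuilderFactory that rejects any DOCTYPE (the Xerces feature http://apache.org/xml/features/disallow-doctype-decl, supported by the parser bundled with the JDK) and is handed to the transformer as a DOMSource, so the entity is never even declared. The helper names hardenedFactory, parseWithoutDoctype and transform, and the stylesheet and input strings, are constructed for this example.

```groovy
import javax.xml.XMLConstants
import javax.xml.parsers.DocumentBuilderFactory
import javax.xml.transform.Transformer
import javax.xml.transform.TransformerFactory
import javax.xml.transform.dom.DOMSource
import javax.xml.transform.stream.StreamResult
import javax.xml.transform.stream.StreamSource
import org.w3c.dom.Document
import org.xml.sax.InputSource

// 1. A TransformerFactory that refuses every kind of external fetch.
//    (hardenedFactory is a helper name chosen for this example.)
TransformerFactory hardenedFactory() {
    TransformerFactory factory = TransformerFactory.newInstance()
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    // Empty string = no protocol allowed: blocks external DTDs and external
    // entities (SYSTEM "/etc/passwd", SYSTEM "http://...") in both the
    // stylesheet and the document being transformed.
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")
    // Blocks xsl:import / xsl:include / document() from pulling remote stylesheets.
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "")
    return factory
}

// 2. Defence in depth: parse the stylesheet ourselves with a parser that
//    rejects any DOCTYPE at all, then hand the DOM to the transformer.
Document parseWithoutDoctype(String xml) {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance()
    dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    // Xerces feature: a document with a DOCTYPE is a parse error, so no
    // entity (internal or external) can ever be declared.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    dbf.setXIncludeAware(false)
    dbf.setExpandEntityReferences(false)
    return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
}

String transform(String xslt, String input) {
    Transformer transformer = hardenedFactory().newTransformer(new DOMSource(parseWithoutDoctype(xslt)))
    StringWriter out = new StringWriter()
    transformer.transform(new StreamSource(new StringReader(input)), new StreamResult(out))
    return out.toString()
}

// Constructed test data: the attack stylesheet from the question, and a benign one.
String maliciousXslt = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE a [ <!ENTITY e SYSTEM "/etc/passwd"> ]>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/"><Row>&e;</Row></xsl:template>
</xsl:stylesheet>'''

String benignXslt = '''<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
  <xsl:template match="/"><Row><xsl:value-of select="/Records/Row/data"/></Row></xsl:template>
</xsl:stylesheet>'''

String input = '''<?xml version="1.0" encoding="UTF-8"?>
<Records><Row><data>data1</data></Row></Records>'''

try {
    transform(maliciousXslt, input)
    println "UNEXPECTED: malicious stylesheet was accepted"
} catch (Exception e) {
    // The DOCTYPE is rejected before any entity can be resolved; nothing is read from disk.
    println "rejected as expected: ${e.message}"
}
println transform(benignXslt, input)
```

Two caveats. If a third-party XSLT implementation (Saxon, a standalone Xalan) is on the classpath, TransformerFactory.newInstance() returns that instead of the JDK's, and setAttribute may throw IllegalArgumentException for an attribute it does not recognise; let that exception propagate rather than catching and continuing with an unrestricted factory. And the ACCESS_EXTERNAL_* attributes only protect the stylesheet and input parsed by the transformer itself; if the input document is parsed elsewhere first (a DOMSource or SAXSource built by your own code), that parser needs the same hardening.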