entity_expansion
authorTim Allison <tallison@apache.org>
Wed, 15 Aug 2018 19:20:11 +0000 (19:20 +0000)
committerTim Allison <tallison@apache.org>
Wed, 15 Aug 2018 19:20:11 +0000 (19:20 +0000)
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1838135 13f79535-47bb-0310-9956-ffa450edef68

src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java
src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java

index 835f76e351edc3a80a27d801831920359362a672..684564c1b6a1a0c4b74ebde3fd325237a356c88c 100644 (file)
@@ -99,7 +99,9 @@ public final class DocumentHelper {
     static {
         documentBuilderFactory.setNamespaceAware(true);
         documentBuilderFactory.setValidating(false);
-
+        //this doesn't appear to work, and we still need to limit
+        //entity expansions to 1 in trySetXercesSecurityManager
+        documentBuilderFactory.setExpandEntityReferences(false);
         trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
         trySetSAXFeature(documentBuilderFactory, POIXMLConstants.FEATURE_LOAD_DTD_GRAMMAR, false);
         trySetSAXFeature(documentBuilderFactory, POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD, false);
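Review bot: The comment above `documentBuilderFactory.setExpandEntityReferences(false);` records that the call "doesn't appear to work" but not why it is still being added, so a later cleanup could reasonably drop it as dead configuration. Say what it is for in the comment itself, e.g. `// Defence in depth only: on its own this does not appear to stop entity expansion, so trySetXercesSecurityManager also caps expansions at 1`, so the reader knows the limit is the real control and this line is a belt-and-braces setting. The static initializer this hunk sits in continues past the hunk.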
@@ -125,7 +127,7 @@ public final class DocumentHelper {
             try {
                 Object mgr = Class.forName(securityManagerClassName).newInstance();
                 Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
-                setLimit.invoke(mgr, 4096);
+                setLimit.invoke(mgr, 1);
                 dbf.setAttribute(POIXMLConstants.PROPERTY_SECURITY_MANAGER, mgr);
                 // Stop once one can be setup without error
                 return;
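Review bot: The new limit is a bare literal in `setLimit.invoke(mgr, 1);`, and the same `1` is repeated in the fallback `dbf.setAttribute(...)` of the next hunk, twice more in SAXHelper, and as the string `"1"` in TestSAXHelper; if one copy drifts, the security-manager path and the property path silently disagree, which is what the previous 0-versus-4096 split in SAXHelper looked like (0 meaning unlimited, per the note added in the next hunk). Hoist it to one shared constant, e.g. `static final int ENTITY_EXPANSION_LIMIT = 1;` alongside the existing POIXMLConstants entries, use it in all four call sites, and have TestSAXHelper compare against `String.valueOf(ENTITY_EXPANSION_LIMIT)` rather than a literal. The enclosing method (presumably trySetXercesSecurityManager, per the comment in the first hunk) starts and ends outside this hunk.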
@@ -137,7 +139,8 @@ public final class DocumentHelper {
         }
 
         // separate old version of Xerces not found => use the builtin way of setting the property
-        dbf.setAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 4096);
+        // Note: when entity_expansion_limit==0, there is no limit!
+        dbf.setAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1);
     }
 
     /**
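Review bot: The added note explains why the fallback cannot use 0, but not why 1 replaces the previous 4096, so the next person to see a legitimate file rejected has no hint whether loosening it is safe. Extend the comment to carry the rationale that the new tests encode, e.g. `// Note: when entity_expansion_limit==0, there is no limit! 1 rejects any entity expansion outright; see the bug 54764 tests in TestXSSFBugs`. A one-line pointer like this is cheaper than rediscovering the attack shape from a failing document.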
index 38b17081591a3b40cac6879f5e0d44060f7f3e28..2ebd9f8141f2b3848ce74c9981781d5113c8bb31 100644 (file)
@@ -113,7 +113,7 @@ public final class SAXHelper {
             try {
                 Object mgr = Class.forName(securityManagerClassName).newInstance();
                 Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
-                setLimit.invoke(mgr, 0);
+                setLimit.invoke(mgr, 1);
                 xmlReader.setProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER, mgr);
                 // Stop once one can be setup without error
                 return;
@@ -130,7 +130,7 @@ public final class SAXHelper {
 
         // separate old version of Xerces not found => use the builtin way of setting the property
         try {
-            xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 4096);
+            xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1);
         } catch (SAXException e) {     // NOSONAR - also catch things like NoClassDefError here
             // throttle the log somewhat as it can spam the log otherwise
             if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
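Review bot: This fallback in SAXHelper is the mirror of the DocumentHelper fallback, but it did not receive the same `// Note: when entity_expansion_limit==0, there is no limit!` comment that was added there, and the SAXHelper security-manager path above is precisely where 0 had been set before this commit. Add the identical comment above `xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1);` so a future "relax it to 0" edit is warned off in both files. The enclosing method starts before this hunk and ends after it.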
index 4a2fa80af4543922519bc19b1c7f85da0455bfd5..1190c476125a918da73a6b29d6907e12294d3c89 100644 (file)
@@ -36,7 +36,7 @@ public class TestSAXHelper {
         assertFalse(reader.getFeature(POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD));
         assertEquals(SAXHelper.IGNORING_ENTITY_RESOLVER, reader.getEntityResolver());
         assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
-        assertEquals("4096", reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
+        assertEquals("1", reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
         assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER));
 
         reader.parse(new InputSource(new ByteArrayInputStream("<xml></xml>".getBytes("UTF-8"))));
index 8d73577838693bb471d634fa746c8a3ca93f03d5..056c15a37343e036477648e221920247769acba7 100644 (file)
@@ -44,7 +44,8 @@ import java.util.Set;
 import java.util.TimeZone;
 import java.util.TreeMap;
 
-import org.apache.poi.EncryptedDocumentException;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.poi.POIDataSamples;
 import org.apache.poi.ooxml.POIXMLDocumentPart;
 import org.apache.poi.ooxml.POIXMLDocumentPart.RelationPart;
@@ -55,6 +56,8 @@ import org.apache.poi.hssf.HSSFITestDataProvider;
 import org.apache.poi.hssf.HSSFTestDataSamples;
 import org.apache.poi.hssf.usermodel.HSSFFormulaEvaluator;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
+import org.apache.poi.ooxml.util.DocumentHelper;
+import org.apache.poi.ooxml.util.SAXHelper;
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
 import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
 import org.apache.poi.openxml4j.exceptions.OpenXML4JException;
@@ -104,6 +107,9 @@ import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTDefinedName;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTDefinedNames;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTWorksheet;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTFontImpl;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXParseException;
+import org.xml.sax.XMLReader;
 
 public final class TestXSSFBugs extends BaseTestBugzillaIssues {
     public TestXSSFBugs() {
@@ -1915,6 +1921,36 @@ public final class TestXSSFBugs extends BaseTestBugzillaIssues {
         wb.close();
     }
 
+    @Test
+    public void test54764WithSAXHelper() throws Exception {
+        File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
+        ZipFile zip = new ZipFile(testFile);
+        ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
+        XMLReader reader = SAXHelper.newXMLReader();
+        try {
+            reader.parse(new InputSource(zip.getInputStream(ze)));
+            fail("should have thrown SAXParseException");
+        } catch (SAXParseException e) {
+            assertNotNull(e.getMessage());
+            assertTrue(e.getMessage().contains("more than \"1\" entity"));
+        }
+    }
+
+    @Test
+    public void test54764WithDocumentHelper() throws Exception {
+        File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
+        ZipFile zip = new ZipFile(testFile);
+        ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
+        try {
+            DocumentHelper.readDocument(zip.getInputStream(ze));
+            fail("should have thrown SAXParseException");
+        } catch (SAXParseException e) {
+            assertNotNull(e.getMessage());
+            e.printStackTrace();
+            assertTrue(e.getMessage().contains("more than \"1\" entity"));
+        }
+    }
+
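Review bot: Both new tests open `new ZipFile(testFile)` and never close it, so the file handle (and the stream from `zip.getInputStream(ze)`) leaks on every run, including the expected-exception path; commons-compress `ZipFile` is `Closeable`, so wrap it in try-with-resources. `e.printStackTrace()` in test54764WithDocumentHelper is leftover debugging that dumps the expansion-attack trace into the test log on every successful run and should go. The assertion on the message text `more than "1" entity` depends on the parser's wording, which is worth a comment if it is intentionally pinned to the JDK/Xerces message. The fence below shows the SAXHelper variant; the DocumentHelper test takes the same shape.
```java
    @Test
    public void test54764WithSAXHelper() throws Exception {
        File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
        // try-with-resources: close the archive on both the fail() and the expected-exception path
        try (ZipFile zip = new ZipFile(testFile)) {
            ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
            XMLReader reader = SAXHelper.newXMLReader();
            try {
                reader.parse(new InputSource(zip.getInputStream(ze)));
                fail("should have thrown SAXParseException");
            } catch (SAXParseException e) {
                assertNotNull(e.getMessage());
                assertTrue(e.getMessage().contains("more than \"1\" entity"));
            }
        }
    }
    // … test54764WithDocumentHelper: same try-with-resources shape, without e.printStackTrace() …
```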
     /**
      * CTDefinedNamesImpl should be included in the smaller
      * poi-ooxml-schemas jar