From effe9463eecb25de2a55f205d03926e1ccd8d773 Mon Sep 17 00:00:00 2001
From: Uwe Schindler
Date: Tue, 12 Aug 2014 11:33:02 +0000
Subject: [PATCH] Add some extra safety test to check that external entities are not loaded by xmlbeans
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1617453 13f79535-47bb-0310-9956-ffa450edef68
---
.../xwpf/extractor/TestExternalEntities.java | 47 ++++++++++++++++++
test-data/document/ExternalEntityInText.docx | Bin 0 -> 12756 bytes
2 files changed, 47 insertions(+)
create mode 100644 src/ooxml/testcases/org/apache/poi/xwpf/extractor/TestExternalEntities.java
create mode 100644 test-data/document/ExternalEntityInText.docx
diff --git a/src/ooxml/testcases/org/apache/poi/xwpf/extractor/TestExternalEntities.java b/src/ooxml/testcases/org/apache/poi/xwpf/extractor/TestExternalEntities.java
new file mode 100644
index 0000000000..05d6b2f844
--- /dev/null
+++ b/src/ooxml/testcases/org/apache/poi/xwpf/extractor/TestExternalEntities.java
@@ -0,0 +1,47 @@
+/* ====================================================================
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+==================================================================== */
+
+package org.apache.poi.xwpf.extractor;
+
+import java.io.IOException;
+
+import junit.framework.TestCase;
+
+import org.apache.poi.xwpf.XWPFTestDataSamples;
+import org.apache.poi.xwpf.usermodel.XWPFDocument;
+
+public class TestExternalEntities extends TestCase {
+
+ /**
+ * Get text out of the simple file
+ * @throws IOException
+ */
+ public void testFile() throws IOException {
+ XWPFDocument doc = XWPFTestDataSamples.openSampleDocument("ExternalEntityInText.docx");
+ XWPFWordExtractor extractor = new XWPFWordExtractor(doc);
+
+ String text = extractor.getText();
+
+ assertTrue(text.length() > 0);
+
+ // Check contents, they should not contain the text from POI web site after colon!
+ assertEquals("Here should not be the POI web site: \"\"", text.trim());
+
+ extractor.close();
+ }
+
+}
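Review bot: The `assertEquals` in `testFile()` proves only that the entity's replacement text is missing from the extracted string; it does not show that the parser never tried to dereference the external entity, so a lookup whose result is discarded, or which fails on an offline build machine, could still pass as far as this hunk shows. Judging by the inline comment, the fixture's entity points at the POI web site, which also ties the outcome to network reachability; an entity that targets a resource under the test's control, with a known marker string asserted absent, would make the check deterministic. The Javadoc `Get text out of the simple file` does not say what is being guarded and should read something like `Verifies that an external entity declared in the document XML is not expanded into the extracted text.`, since `ExternalEntityInText.docx` is binary and this comment is the only place a reader can learn what the fixture declares. `extractor.close()` is skipped when an assertion fails; wrapping the assertions in `try { ... } finally { extractor.close(); }` avoids leaving the package open.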
diff --git a/test-data/document/ExternalEntityInText.docx b/test-data/document/ExternalEntityInText.docx new file mode 100644 index 0000000000000000000000000000000000000000..0b47852de44e25cfbe931ab1967428b933dcf330 GIT binary patch literal 12756 zcmeHtbyyr*^7i2F7BqNp4+IJB?!n#N-Q6va0E0tt2<|Sy-66QU2Mv5fcJJPMv-^9V z@BiJNXQpeWr>d(@*Qt8D&MPkk0f`BK2EYOU01|+e1O%=<7y!@*4gjD6V8M)R4doqd z?Hn2P?d%xbtgVQ1Ai=1z0HA;TcW-HmL$cjWs4ZmYC<-Uj)Wku>Wwg`q_G=Vxt;asK zO3)E3RUzg0j^$^Y)7aeBuv*5N_J#DiT2?V4DsXd;6?`Ne8<#AoDcilv_iAYxt43SD==@rYYdp3mNhB9g>j%O%}&OUlcNx^4GHwdkX_GY?nx=71Rg!GlgPO+qv7U$hU zj?7UL)yXTLH#P7xNv|Ox76hX09$TyKo z7in%mO+fg$Dj04l>3M^3<4l9yK+)l&1xY8q&RhZD3%H%Fm{Frc4e8b(GBnW`+lInc zoxH0!$IeolrQ!>eeHiU|)m2^B8r?>$DKIT?yEC`sr$-;$Nii}?t4|8fjaK1QhT}3e zuvjc60HKrk|cuE+y&rYla@9 zKOIJ8hI$odCcsKRMwiQ{qGI~*M8|o2$R6>)9aGrinF^SR4uMba$cAcdrEa8lGhAO_ zhc5lRmcu_;zLqcOc`D;yx#=lCOwpMg*kE01z)Nt9jQ@>q9@$Q`ACdM4!(f;7`tRT8x5(CnLcE$M4jdX95JvVsFF@m+B;d zH_U=hnC)d5I`_qu)63=Wh&AAK>=1@IKG|r51qfIu1k#@i@7JlZ?tai;*M!@6x|(`i z8Xr-6*MHJ$rn9ln{C)8=K{+&9@O-cQMNZ2OO6(y;4z9$h0ZZ(ZmCTL^J1wmHX_fYf z>)Q~NgS4~No-{2CM!@2mwkPL39MFLN8H4~(u1qpV6rt5ehqV9&pd0i{5CQa*y=#=^cPE(CfTfd<+hsd+K00;a<&sv8{P~1nAb{GXrpCnMBN2JZgQU4eh&VxE;OY>2EOZ;8hlaNu4R6JK7q&8lPn5O9>Ws;{>;qajM$bFLBR7_K2u zl6^V;&||H=p#qf})@Fib0Wg;=XE!I16f#^8zO3h#z)hnwWKV`%`D0$J%VjtkU7%6R5Sezw#XeF9fUk0cXHlDdelsEJ&}Jg>gHm;T zRbr$Cu7b=&Q8Ab=PCQqEL|{riIHF>sr&ZiGY{US1Arc=;U35Obs=yxy@_bvu!DHQ7 zlX=KoTisM*!^aDUEo0I9=nP>hDjEHNh76r9h1oz#^jj=hl@Y5!gE1QCy-Hv!mqu+> ziHrL&x9`nN8G3Sa9do6!CgKPy;vSngjr{eP=dJWqs5!O>AwPl=Tg)ex=8j1Z~SDCd`mimY;3QdsyS$>QA<%PL+iJTd2sHYd%8Z0m243ch+EPm z&{IhSt-HLD(Tvv}yY5Aj=wPij9K=(I&jmQN-`{WBP~lthkh`t&7rBdYoj$P0_`3?S zs?F=XqGO*m-#MSEEiyT|X=`6oy%`=VQ=WW1l{QJsve4kDWi=(vKt#W4sqfX0$(21m zfwyOb@}_>BpuV$7`;-m`@UB{QLXOqk1X${3oJZk`ZMBK>P8yF}QjE4GW8y3yOM;ED zz4jYdol3t=KYUec2ZfM%vZ#G`;&(1w`1h>X!XdQ~N?6&PW&0E-n@Z!`4IiDH)(9Pm zAHCv48}&7cHzk4vz$j#P5db4- zfunS$P#*)Mp)&2rn~``6v&NiguTsA4wUD0E)%tCPzDmecWxa%sPtzd@m)c@ZP;ZM2 
zLum6~;||+8boWU!3e447#Vokf4g3C-DSpM7*`FA_)ojK63?0k0wNZ^;MdWMrbR{R~ z;PI15=DCY(3(WC4K1f=@e@6Fj8R-x7Hs~PFQ~?11K*9YbBRLv7Ihos-I=*D28dXi( zC3Z}o*W=H6d+rhBtFva#5e#)pnCBYO`$RuP;}d0qIN}lsUFUsQNhma~6QD&R-=}b` zHfF|#`dr@&oK0ll4JB%k_ljgh74}3hHENS*p3LqK85t2KK-yF6lX5BoTiQI%r%Hs( ziyX5|#MT5C71uYLD!sHP?R%|g!GiO@;!18&>57`feCr@3jm>7KzqiF$EmIKNvV39QJ?pM(_> zD^GF~JueiSJ{{DCAVXp+t%rTQ%I3~jC7kONBn88Doy=&*7cm2ux17(-_o^*gAyx*f z4aLhu&Res=6QxQVHQ$a&D<`>&@Xog-cVE@$TN4c$^d%15MfYnH+(NPYcp8&hPVGQn zv+oO!OF=XOF*oxngZq05)lFm%&AujDG1MK)=BNseP^%IT?%ym}yy zDu3U~hf|`UA^D5*%9gp(=EAF8H{NofuNMRfB5qo@AO%ST-(z-Ske_w2~8yxi%$h>vI? zj-S@Bn#jzqLj~Bws|JVz)0g*UU>4{GO#-cmjL(XRBV@!P2cwz zraffc4!Mq#>J^0`qejrEYGSpR|BIBToI&KD^o^qKL) zGYD4v2{`_k-Z*Sm%t|l-fF~CKfbvIPcXV>MGXBTp1}ZoL-+|zU?M@p+x97q9D8-!g zvTSP2+;DAcjqGlQah$abm_0Fv1mDjx)euys3j94K1OA7lnerzog8dob!@CQge!34_ z>bFxkeQj?(@`uta&^_ALpT<62wSEsH$BdWV>hg_ieBQY}ZEtPj9vcxNcSJ!XzjG&` zdn{w#zcWgJ(Zr2>43;$p=a}P)4EB#*FhP$zdSG}D@013gt4gD|qtC+4%X@ue!V-bi zs#C(Rv#*CU)U$RgK}l9o_|dCmvZcaBtkR{RnrXy|_>v$XhRl=^n}&KsS`IJ70LzGL z&hipGAmv>w;bzKrm2`373R?wnz_CZ2CNJ!WN34S0U=qAQ&tKL^cz?pKoYiG`%H-c0rFYfaeb+t zGynEfV}kV<^ZRy~T2@zT^Abe^D~V`m+yZZBqdM{O zYY|a3o!SRq5Bj|MW({39x!r7X>X1=C3}``&U&(Gi0;T!Tj9N3IB!~2lIf}+Bvl{oI z!Q9E>pNUG+-FUBalS7>Oq0Q82jr=qYa$9Ya-p3>3t`OkT)zN*{M#N!KPZ^sZ)CzE; z*UM{@aC^2;Z#}LZKLSF+a|?{LNn}-2D;*jeuaZ}Y9s(g%rRL1W6jYQr1u7p*u#_V> zNOJ6ZfB-zP7Pzcm0>jGBxbq%hhk>O~QIX0yrQaFa=m&a=LYfswR89P}#p8BXntLLR z{ijVA$a6~hc{qy*4*#xES)dz++AVAWx<#qt0c`2tZT{cJ=P%>~iZ^5c>tqDh@2FN9 z4tyKkFsP0o-}VCe^-T*X3%8|c{Cj2Pqg6m>368ak&>!pC*nxZ- zR~o+?@D44SY$Yh{8=5V+83E|GkVscPBc5~0iupx(3k#JNIN~~<#H?aB41TL$4vYHy z=I|HLI2=LFsC}76Q`-#V01FD{R0C;wZQ&AYiKMapX}!ViM(7)cEqG)Z(wBVIULe3= zNC>Vtf&;8)7P@&1`$uF#eSxfIgkRHG*8B`V^r%LHFw_aeBh4I3ppa^nuWLWQ9vVsD zydu#w>Z--h+Skprz$Q}~pxiyr#@5ps4 zweVemd3J2x?K!y3!C6weHuC68`&I)>YDpW zdDr)W`sVw`vefiZ{AQAtZhH<~^dHefutYTz9J_p7PFq@BIUH|BxtuJ;HF(4B>!lqASkJ}-WpGAPX9`eC6InB_8hT#F$Zcm{fGK{ zNLDXD4XVFZ?*Rb3zt`Un=1yiJCML#)PX8>$)=En+rFeDN8zy#DNIc7KgzZ><55mzp 
zmfh*3)__(x(E83Qm>*P$$u*f>2u{D9&|c^r+kR-i|C%akyYjv_{-(cLtKVoRHdf9n z_KiQHhy&lH?}|6i{m_j=Z$g|1%R1|G%I;Hhz34ZGkhjp%Z(oHn%FY(GSK;wg6Nh3aU4MrOLv3dXg`%I?G9f0 zW!ND9!Z2ky*5K3o(kZfv3>FG(QuG5{tIV{|CR@Y0rUNy0d;Oewq0(hSy_pWevtb4> zb1^NSI=ObjS$Y({k(~)p-bv;yF(KDNlaxz-Cc1$-ea$Rfy16?4S1_h?hCQU8v20Y^F>&ARK(&wibv`ik6y)ZPRcn0m0)<*}!J97j(Z@R~j3iGW^$-Nf3BO>6Bwfea?hrW+uUEHvIfG-Ti%;XE z-0>r2ze?|-CmOtOUickj#a(|+3SUZMrj|L1ju&?2R@)=pme}0u;*4Rhn+fovQLj&g zBaF3`@o?3Tns6N6Xgn>f<#}{|NiYO;$^^n@UdWOyDWZa=t``T+cRPI=atxZZ>ikh) zekvnfON&u~?EZ=)Wd_~#UUwqUC_HJjw+1`-*j~4nJM0)N5V+}gUy(3)(=OG#u=V?$ z1IK;#U_K_n-nG+aJPx}z{Cs>6BO43ucet`nrN*zk{AN45pxw==c0OL#` zC}2pS5n0CZBM@)K>sB|MV2R))uk_s%{Rr#RDO5_~T&n;Ep~72$;peSGb6*V8pE4~6 zw&08QtBnnNw&3h6-mMk23PqA$ib;r8=PH&PSJxQ{Gh}!w)0{a9Z0TfpZzn+lI!M48 z=gf&e8%2wLbcr#`b36_6!(A`_Fj16(G~LyPL9^lUr~`&~lh|arWY((rsq!J}3#}Z- zY}3+1k3*XdRa%LtEDFw0<6z#3jmt2slWD6H%Ip@3eUm|>pSC+r;qLV6ep&1dHAaQ^ zF~303anyj7v`byZQW%sMMQ)tw3ZZY+KhS{fBydSvw7~KG)V;{}uZb|tg3Auv`YyRs z!#1AevrjnjK+gH*Y8Na4DslYI&>PD@6Y_@)sQV zz>=`wK$v8ir9{NgPdiUyM-qoqSsjZWj&K3*Lz1~-jM~xuoyl2pv{zLO4%2~)u9uG8 zi*74#+Q?QqEG#Vx&r(qDdP)O4jIN3AHg}v4TnXr}U|v6Wq%~SV&k6vNOcUKdXcV8k zzseK2tVjex`Y;SMhUTW%mGaP)Ey_{%PJcZ|izw2CA@{ql6$CH*!n^qJ=`h?){CP)Q zFWz{;nYr3;V$e%K)dVJ|*3bW*(%^Zf%45kgdw~ND(;*<$8$*D^v|x5fYgM=c`Va{F z2O6LjhzFs8tsZ=|38sx`020{>?D>jdN<#Z?_Sx7hl_H4yt}=#Fwz!1=uj4G6gO? 
z3ti&UYb$EJ%BuR~dD8`OE-K&uf(8NvU(f)V+76l|#k8920cxp!4?Y;4XbW1_--H9k zmF2kg9{f&H%fPAWVmC5=BX>JcX(i*|L5pBN!nCbE@NIS@quK(Y0sI%gDGO~rM(D+3 zC>wH~i&hMiB^pqvh~fPw!66sg<#l1MwTMUDwTk)B!0Wo zzxZWet6$&-?7dxjG5MyDdIc7qll!fJGgs)p3`@6OVcSCX^Egn2p}!1A*#EcLw->*g zeHpqJe~W}FUi|9EG_eJ_I7|lPH%yb0XAbgLm@Nu)#XozS@mbP9gJxuH_kvy^!{|_u zm0$LyNcU;Fd>>X!J;CysM-!)qK62Q37J6v+ zYspRGgm%bXr*$Qz*YK#9mvtHwdw(ry05>`bTImQTZcu}C6>z}JN5fyT2m}K&YW-qn!-P-a9bKA1YsSN zzE4$|BV{JPg<941=hIcsCsbqsL4ge^<95Q#WF0lu+BnI925&Eum{D!W2;TQ9+=(^YW%B$ zfB@DXSis55*xH!!*C+E!yX{DQ?4{k-hBE(5ymxZ{nS4ngz3bDliRC1A?NYYbVm>{4 zqM5jpVlEX^O&=IUh;uhGZN(CDcO5u=h1AWQ(P4#i$5Zfo#VYB=s|09HNTH9BBHpLx zo1R-Y;^zmop(M32c4?^CZ;vmM60FzFdcKjTvL81G>SWt!!ii11Qovr%Z|w;8w!Y~` zDbFD!T0_;;driSzXbzJ$<`U6s1UW+0*k$rAz!d{KG_2c@hd##83DHMLqcl-chgq1s zsth)G&E<73xkOxR^VQOqHJ*)dvsV)hj4cKbZeD8GaYpgCY;`fH){EnP$%H6pLN=P1 z6a+eK#|e+sk&EBx)ctw^O%zgAt(Kcb?E$!#s+-EwSw%6*j+|0Y(PR#mft6U3$SAMfhtD9R_23`E67;1@y;+bN_F#_n@>=A8q64BI z_a-GpnN!a5f1V?D=BT;<+`W!{Zt*cs=W%zw*!ujjKu#{>F^y}o^oKl~O4*9fbMNXH zU+t5}-SU#DZpwLh#PiRBF`tKPDOOa~iHK3)SKY_+gI=I5@AGA-DYP4{s1Oz}F^Oy` z@OHkbTkutKRKzF&%BE}eE6A`y>@u^|EZA@z#HVJS@o^5EFj9!}=xf-ONC6S)j>AhB zymcScF-~T;7PKI|Ge71{u4)exqbUd4^w5tHOiew2K>B_L75aw6I{E^kC09n*eiV%zC z)Gp#VO55DW>l;D%c^4z~V@NHGB}VlI23oA1mV&KF^$cUYk$qbiC5|v7xl6CGdv>_I z8Anfh7oJulFYB(o&J$V`^-;|#aiwpT9Bv40R=wn4zj(K0x$(t6oI*y7HNZr7$!Boc z```hg&Xnkk_XN6S49Tralh5T~QSQM~J6Bq*5Z+9YJHD4G#g$qcrvgT|L1m0~L$J%D zq;FTf)5|}ICvLM~Y;@;N!*PrFVNnvOe4|gDz>x6<+KwY`s7gKt48y z$_4?)S%siK!BkO*a5JQAT>-FgSJiVh>dYuMZ$?h`LnBBU%-8guU9ydfTZC?rC!O3Uqw*@o`c^;r_^78puoHLU!^B$`;zYD6z|{L)Lmkpi8vV9INj8_0 z@=SpRr)uU=lU6$As8|a#GlkhIFkKcXp8zPvBU;+l7jAugyMo9#YLQ{ z6oilZWis2b7)AZ|E!G@k;(<;5nsT~g_DNlF@TWu7A?;)r1(FUsUp@)wS6wQ3`H;gi#?(q&%;AQ>|43+fY2bcXN zS9mj`OSEjoWjdYvHHX0=r?m)#V_%&;2v^HEJYua6#RJk+XIxusTGx`i+t=JEm}5M0 z9?>ENoeD(5hl7=#BYD#d9?_Q2NXI zQq*{-Bm^@m^jh;8H(g`>LK10}Q$4ZbIcdN>z}&?Jf7qx?+M-m>cCnaP$76^*B{s#k z@t$9|6(TZsyvRhS1U}$PXK<0ySH{DI=wk8|rdM)cT(vL?B~KRyDNBezQ}Lq5#9}G| 
zjhghud`!)(`VI?@R0ClG*mD!(WKx(>!xj(;NxFueToKWY^ys6bokM;W;wCe)Bq$|sn~W=vJ> z=!Ghrw+kiZ=ilj-%z{2SeM5O_#j1uM%zD4)|i(^n+Y--B=sAZRpzY6SPir-DB$=oO%5CB+&XwCyJ~VYb`hXLex@zy6^dW>V-Ip zTU6BD>)gHmRspALOdrlS8C?kewjLiYY-9=uMt7aYM<-QJiZl8?SW0eK$%cQJUw-yT zYTeNZLgCf=f&8Ch430cBz#kN2F;D;i1^^aZQwX%u4`QI`D!bbmJ8J)v4FwKj?SU4R z{v( z%${6D3hCO%IS5|U(Zj{$l%V-lBukTTQ??(48Nz4zaM{jW27s|4Z(gy!2Ij!bD8!~S zv6kOHt<|E^kA!^v+g7%=bR?c zjMU2wJ(cNp@;=H`b@c6Z9KmPv^&0nba<=QF)Js)xQseTWJkANh6vAf#WW+=Cvr}q| zWsKuhWvXxP$O*hIu0(j7#rt`6^CibFfv8k@O44ml0rnsE8dOe%)w&*r+7*t%T?4k* z@RZJVy5Pc}nW99SFi6K+AXc>=OdYL^V$>&%q+6WDAG)7&j+X-piw*HOVR)&`RE3wq z-p15;j-H?tAAb^<-5B9ma=HZ(GXA|f5XIxwUxMOM7Bn#tKr{Crh2f84@V^=R-#k_S zdF@dNOOg-*h#{v?tNQ)k982(|lM5^2*{-CA5J4$NV6Mo+d5dkWxx`KKOFBDOyF+rb zz(C+McL5LdSAF%Fta+fG*s7(Qb$uj^yn4T8YJe${*l2~hjqNNWPkdrFPZV=W&PH{J z068zI32Q~JR&alta#I|E1e{WA{4oA?R7q1?-_-|*)Rg>1btH4sQ~ugMHFn)uWNi*S zA9$0~`Jr&Eei(h*1qK5eD~WFo(H7L#ba+-wV-)G}2Bq-qYvwsK*TT=bkukw^aM^I- zW0zjeX%HGZC{7DG?tNdmUz4cQVS9T%2nAL%n(_V%L4kqOgAnE)tcSl-(tnSM-wEpS zQh(R}J5%_t+6ACl_b=@~c*8I1e81rBf8uzO|5KkBw5J1=+kazx!UJ9o0YLotR{)7c zIu)Y2F)-XOZ1Mzu+5hh0?`*wa27Z0?g4UXTo#JoYz2EhJCw={?-v-J$zx4k~0sCG3 zcT&lp>gh;-sQ-&%^1JfyD`I~t6M~vz|2X$A<=@uFez)^`H|