
Pmd2XML: コミット

Pmd2XMLは、3D動画制作ツール、MikuMikuDance(MMD)で用いられるモデルデータファイル(*.pmd)の内容を、XML形式のデータファイルと交換するためのアプリケーションです。


コミットメタ情報

リビジョン6aba259732c9ed45c60ec020832581a242172f93 (tree)
日時2019-07-04 00:45:54
作者Olyutorskii <olyutorskii@user...>
コミッターOlyutorskii

ログメッセージ

Merge topic/xxe into develop

変更サマリ

差分

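--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -5,7 +5,7 @@ Pmd2XML 変更履歴
 
 
 X.XXX.X ()
- * Prevent XXE vulnerabilities with XML-schema(XSD).
+ * Prevent XXE vulnerabilities from external resources.
 * Upgrade ToaGem to 3.122.2
 
 1.202.2 (2019-06-06)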
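--- a/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
+++ b/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
@@ -14,6 +14,7 @@ import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -25,6 +26,8 @@ import jp.sfjp.mikutoga.xml.NoopEntityResolver;
 import jp.sfjp.mikutoga.xml.SchemaUtil;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 /**
@@ -32,6 +35,16 @@ import org.xml.sax.XMLReader;
 */
 final class XmlInputUtil {
 
+ private static final String F_DISALLOW_DOCTYPE_DECL =
+ "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String F_EXTERNAL_GENERAL_ENTITIES =
+ "http://xml.org/sax/features/external-general-entities";
+ private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+ "http://xml.org/sax/features/external-parameter-entities";
+ private static final String F_LOAD_EXTERNAL_DTD =
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+
 /**
 * 隠しコンストラクタ。
 */
@@ -111,7 +124,20 @@ final class XmlInputUtil {
 factory.setNamespaceAware(true);
 factory.setValidating(false);
 factory.setXIncludeAware(false);
-// factory.setFeature(name, value);
+
+ try{
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature(F_DISALLOW_DOCTYPE_DECL, true);
+ factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+ factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+ factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+ }catch( ParserConfigurationException
+ | SAXNotRecognizedException
+ | SAXNotSupportedException e
+ ){
+ assert false;
+ throw new AssertionError(e);
+ }
 
 factory.setSchema(schema);
 
@@ -134,7 +160,13 @@ final class XmlInputUtil {
 throw new AssertionError(e);
 }
 
-// parser.setProperty(name, value);
+ try{
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+ assert false;
+ throw new AssertionError(e);
+ }
 
 return parser;
 }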
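Review bot: `assert false;` before `throw new AssertionError(e);` in both new catch blocks (new line 138 in the factory hunk and new line 167 in the parser hunk) is redundant, and when assertions are enabled it fires first and raises an AssertionError that carries no cause, so the reason a feature or property could not be set is lost exactly when someone is debugging; keep only `throw new AssertionError(e);`. The four feature URIs introduced as constants are Xerces-namespaced, so on a SAX implementation that does not recognise them `setFeature` presumably lands in this catch and the whole parse aborts; that is fail-closed, which is the right default for an XXE guard, but it deserves a comment on the constants such as `// Xerces feature names: an unrecognized feature must abort parsing rather than fall back to DTD/entity processing`. The enclosing factory- and parser-building methods start outside these hunks, so whether the `Schema` passed to `setSchema(schema)` was itself built with external access disabled cannot be checked here.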