TogaGemは、3D動画制作ツール、MikuMikuDance(MMD)で用いられる各種データファイルを読み書きするためのJavaライブラリです。
旧TogaParserライブラリの資産は、TogaGemライブラリに吸収されました。
リビジョン | 31fcfbd43a616c8926c93c655a0bc67d1f3e3cca (tree) |
---|---|
日時 | 2019-06-29 00:30:08 |
作者 | Olyutorskii <olyutorskii@user...> |
コミッター | Olyutorskii |
Secured internal XML reading.
@@ -14,6 +14,7 @@ import java.util.Collections; | ||
14 | 14 | import java.util.Comparator; |
15 | 15 | import java.util.LinkedList; |
16 | 16 | import java.util.List; |
17 | +import javax.xml.XMLConstants; | |
17 | 18 | import javax.xml.parsers.DocumentBuilder; |
18 | 19 | import javax.xml.parsers.DocumentBuilderFactory; |
19 | 20 | import javax.xml.parsers.ParserConfigurationException; |
@@ -43,6 +44,15 @@ class I18nAlias { | ||
43 | 44 | public static final Comparator<I18nAlias> ORDER_COMPARATOR = |
44 | 45 | new OrderComparator(); |
45 | 46 | |
47 | + private static final String F_DISALLOW_DOCTYPE_DECL = | |
48 | + "http://apache.org/xml/features/disallow-doctype-decl"; | |
49 | + private static final String F_EXTERNAL_GENERAL_ENTITIES = | |
50 | + "http://xml.org/sax/features/external-general-entities"; | |
51 | + private static final String F_EXTERNAL_PARAMETER_ENTITIES = | |
52 | + "http://xml.org/sax/features/external-parameter-entities"; | |
53 | + private static final String F_LOAD_EXTERNAL_DTD = | |
54 | + "http://apache.org/xml/features/nonvalidating/load-external-dtd"; | |
55 | + | |
46 | 56 | |
47 | 57 | private int orderNo; |
48 | 58 |
@@ -110,6 +120,20 @@ class I18nAlias { | ||
110 | 120 | DocumentBuilderFactory factory; |
111 | 121 | factory = DocumentBuilderFactory.newInstance(); |
112 | 122 | |
123 | + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); | |
124 | + factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false); | |
125 | + factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false); | |
126 | + factory.setFeature(F_LOAD_EXTERNAL_DTD, false); | |
127 | + | |
128 | + // unsafe but we use DOCTYPE | |
129 | + factory.setFeature(F_DISALLOW_DOCTYPE_DECL, false); | |
130 | + | |
131 | + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); | |
132 | + factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); | |
133 | + | |
134 | + factory.setXIncludeAware(false); | |
135 | + factory.setExpandEntityReferences(false); | |
136 | + | |
113 | 137 | DocumentBuilder builder = factory.newDocumentBuilder(); |
114 | 138 | Document doc = builder.parse(is); |
115 | 139 |
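Review bot: The `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` and `ACCESS_EXTERNAL_SCHEMA` calls throw an unchecked `IllegalArgumentException` when the JAXP implementation on the classpath does not recognise those properties. The `http://apache.org/xml/features/...` flags likewise raise `ParserConfigurationException` on a parser that is not Xerces-derived, so this loader can now fail outright on a different parser stack. Failing closed is the right outcome for a hardening change, but the method's signature and any catch blocks lie outside this hunk, so confirm that both exception types are reported with the offending feature name rather than escaping unhandled. The comment `// unsafe but we use DOCTYPE` leaves the explicit `false` looking like a hole. I would replace it with `// DOCTYPE must stay enabled for our XML; external entities and external DTD loading are off, and FEATURE_SECURE_PROCESSING bounds internal entity expansion`.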