From commits-return-11540-archive-asf-public=cust-asf.ponee.io@poi.apache.org Wed Aug 15 21:20:15 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 58360180626 for ; Wed, 15 Aug 2018 21:20:14 +0200 (CEST) Received: (qmail 67142 invoked by uid 500); 15 Aug 2018 19:20:13 -0000 Mailing-List: contact commits-help@poi.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@poi.apache.org Delivered-To: mailing list commits@poi.apache.org Received: (qmail 67130 invoked by uid 99); 15 Aug 2018 19:20:13 -0000 Received: from Unknown (HELO svn01-us-west.apache.org) (209.188.14.144) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 15 Aug 2018 19:20:13 +0000 Received: from svn01-us-west.apache.org (localhost [127.0.0.1]) by svn01-us-west.apache.org (ASF Mail Server at svn01-us-west.apache.org) with ESMTP id BB88C3A2717 for ; Wed, 15 Aug 2018 19:20:12 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1838135 - in /poi/trunk/src/ooxml: java/org/apache/poi/ooxml/util/ testcases/org/apache/poi/ooxml/util/ testcases/org/apache/poi/xssf/usermodel/ Date: Wed, 15 Aug 2018 19:20:12 -0000 To: commits@poi.apache.org 
From: tallison@apache.org
X-Mailer: svnmailer-1.0.9
Message-Id: <20180815192012.BB88C3A2717@svn01-us-west.apache.org>
Author: tallison
Date: Wed Aug 15 19:20:11 2018
New Revision: 1838135
URL: http://svn.apache.org/viewvc?rev=1838135&view=rev
Log:
entity_expansion
Modified:
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java
poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
Modified: poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/DocumentHelper.java Wed Aug 15 19:20:11 2018
@@ -99,7 +99,9 @@ public final class DocumentHelper {
 static {
 documentBuilderFactory.setNamespaceAware(true);
 documentBuilderFactory.setValidating(false);
-
+ //this doesn't appear to work, and we still need to limit
+ //entity expansions to 1 in trySetXercesSecurityManager
+ documentBuilderFactory.setExpandEntityReferences(false);
 trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
 trySetSAXFeature(documentBuilderFactory, POIXMLConstants.FEATURE_LOAD_DTD_GRAMMAR, false);
 trySetSAXFeature(documentBuilderFactory, POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD, false);
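Review bot: The comment `//this doesn't appear to work, and we still need to limit` above `setExpandEntityReferences(false)` records a conclusion but not the reason, so a later maintainer cannot judge whether the call is worth keeping. As I read the JAXP contract, that flag only decides whether EntityReference nodes survive in the built DOM, while the parser still resolves and expands the entity text during scanning, which would explain why the 54764 sample still needs the expansion limit; I would record that, e.g. `// setExpandEntityReferences only affects whether EntityReference nodes are kept in the DOM; Xerces still expands the entity text while parsing, so the limit set in trySetXercesSecurityManager is the actual guard`. Since OOXML part XML is not expected to carry a DOCTYPE at all, `trySetSAXFeature(documentBuilderFactory, "http://apache.org/xml/features/disallow-doctype-decl", true);` would reject entity declarations outright instead of counting expansions, provided no producer POI must read emits a DOCTYPE, which I cannot confirm from here. The static initializer continues past the end of the hunk.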
@@ -125,7 +127,7 @@ public final class DocumentHelper {
 try {
 Object mgr = Class.forName(securityManagerClassName).newInstance();
 Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, 4096);
+ setLimit.invoke(mgr, 1);
 dbf.setAttribute(POIXMLConstants.PROPERTY_SECURITY_MANAGER, mgr);
 // Stop once one can be setup without error
 return;
@@ -137,7 +139,8 @@ public final class DocumentHelper {
 }
 
 // separate old version of Xerces not found => use the builtin way of setting the property
- dbf.setAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 4096);
+ // Note: when entity_expansion_limit==0, there is no limit!
+ dbf.setAttribute(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1);
 }
 
 /**
Modified: poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java (original)
+++ poi/trunk/src/ooxml/java/org/apache/poi/ooxml/util/SAXHelper.java Wed Aug 15 19:20:11 2018
@@ -113,7 +113,7 @@ public final class SAXHelper {
 try {
 Object mgr = Class.forName(securityManagerClassName).newInstance();
 Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
- setLimit.invoke(mgr, 0);
+ setLimit.invoke(mgr, 1);
 xmlReader.setProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER, mgr);
 // Stop once one can be setup without error
 return;
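Review bot: The `1` on the `setLimit.invoke(mgr, 1)` line is a bare literal that this commit now repeats in four places (the security-manager and property branches of both DocumentHelper and SAXHelper) plus the `"1"` expected by TestSAXHelper, and the removed lines show the two helpers had already drifted apart before this change (4096 here, 0 in SAXHelper's security-manager branch). A single shared constant, e.g. `static final int ENTITY_EXPANSION_LIMIT = 1;` next to the PROPERTY_* names in POIXMLConstants, referenced by both helpers and the tests, would keep the DOM and SAX parsers from diverging again. trySetXercesSecurityManager starts before this hunk and continues after it.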
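Review bot: The removed `setLimit.invoke(mgr, 0)` line meant, by the note this same commit adds to DocumentHelper, no limit at all, so SAXHelper's Xerces-SecurityManager branch was unprotected until now even though its fallback property branch had 4096. Nothing in this commit pins the value on this branch directly: TestSAXHelper asserts the `PROPERTY_ENTITY_EXPANSION_LIMIT` string and that the security manager is non-null, and whether that string reflects the manager's limit depends on Xerces internals not visible here, so a regression back to 0 on this line would only be caught indirectly by the end-to-end 54764 test. A reflective `getEntityExpansionLimit` call on `reader.getProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER)` asserting 1 would cover it explicitly. The enclosing method starts before and ends after the hunk.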
@@ -130,7 +130,7 @@ public final class SAXHelper {
 
 // separate old version of Xerces not found => use the builtin way of setting the property
 try {
- xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 4096);
+ xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1);
 } catch (SAXException e) { // NOSONAR - also catch things like NoClassDefError here
 // throttle the log somewhat as it can spam the log otherwise
 if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
Modified: poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java (original)
+++ poi/trunk/src/ooxml/testcases/org/apache/poi/ooxml/util/TestSAXHelper.java Wed Aug 15 19:20:11 2018
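Review bot: When `xmlReader.setProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT, 1)` throws, the `catch (SAXException e)` on the next line only logs, and only once per five minutes, so a reader on which neither the security manager nor this property could be installed is, as far as this hunk shows, handed back with no entity-expansion limit at all; the rest of the method is outside the hunk. A parser fed attacker-controlled document parts should fail closed rather than degrade silently: rethrow, e.g. `throw new IllegalStateException("cannot limit entity expansion on " + xmlReader.getClass().getName(), e);`, or, if some legacy parser must still be tolerated, set `http://apache.org/xml/features/disallow-doctype-decl` to true as a last resort so an entity declaration cannot even be parsed. The throttled log message, wherever it is emitted, should also say plainly that the returned reader is unprotected.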
@@ -36,7 +36,7 @@ public class TestSAXHelper {
 assertFalse(reader.getFeature(POIXMLConstants.FEATURE_LOAD_EXTERNAL_DTD));
 assertEquals(SAXHelper.IGNORING_ENTITY_RESOLVER, reader.getEntityResolver());
 assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
- assertEquals("4096", reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
+ assertEquals("1", reader.getProperty(POIXMLConstants.PROPERTY_ENTITY_EXPANSION_LIMIT));
 assertNotNull(reader.getProperty(POIXMLConstants.PROPERTY_SECURITY_MANAGER));
 
 reader.parse(new InputSource(new ByteArrayInputStream("".getBytes("UTF-8"))));
Modified: poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
URL: http://svn.apache.org/viewvc/poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java?rev=1838135&r1=1838134&r2=1838135&view=diff
==============================================================================
--- poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java (original)
+++ poi/trunk/src/ooxml/testcases/org/apache/poi/xssf/usermodel/TestXSSFBugs.java Wed Aug 15 19:20:11 2018
@@ -44,7 +44,8 @@ import java.util.Set;
 import java.util.TimeZone;
 import java.util.TreeMap;
 
-import org.apache.poi.EncryptedDocumentException;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.poi.POIDataSamples;
 import org.apache.poi.ooxml.POIXMLDocumentPart;
 import org.apache.poi.ooxml.POIXMLDocumentPart.RelationPart;
@@ -55,6 +56,8 @@ import org.apache.poi.hssf.HSSFITestData
 import org.apache.poi.hssf.HSSFTestDataSamples;
 import org.apache.poi.hssf.usermodel.HSSFFormulaEvaluator;
 import org.apache.poi.hssf.usermodel.HSSFWorkbook;
+import org.apache.poi.ooxml.util.DocumentHelper;
+import org.apache.poi.ooxml.util.SAXHelper;
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
 import org.apache.poi.openxml4j.exceptions.InvalidOperationException;
 import org.apache.poi.openxml4j.exceptions.OpenXML4JException;
@@ -104,6 +107,9 @@ import org.openxmlformats.schemas.spread
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTDefinedNames;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.CTWorksheet;
 import org.openxmlformats.schemas.spreadsheetml.x2006.main.impl.CTFontImpl;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXParseException;
+import org.xml.sax.XMLReader;
 
 public final class TestXSSFBugs extends BaseTestBugzillaIssues {
 public TestXSSFBugs() {
@@ -1915,6 +1921,36 @@ public final class TestXSSFBugs extends
 wb.close();
 }
 
+ @Test
+ public void test54764WithSAXHelper() throws Exception {
+ File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
+ ZipFile zip = new ZipFile(testFile);
+ ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
+ XMLReader reader = SAXHelper.newXMLReader();
+ try {
+ reader.parse(new InputSource(zip.getInputStream(ze)));
+ fail("should have thrown SAXParseException");
+ } catch (SAXParseException e) {
+ assertNotNull(e.getMessage());
+ assertTrue(e.getMessage().contains("more than \"1\" entity"));
+ }
+ }
+
+ @Test
+ public void test54764WithDocumentHelper() throws Exception {
+ File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
+ ZipFile zip = new ZipFile(testFile);
+ ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
+ try {
+ DocumentHelper.readDocument(zip.getInputStream(ze));
+ fail("should have thrown SAXParseException");
+ } catch (SAXParseException e) {
+ assertNotNull(e.getMessage());
+ e.printStackTrace();
+ assertTrue(e.getMessage().contains("more than \"1\" entity"));
+ }
+ }
+
 /**
 * CTDefinedNamesImpl should be included in the smaller
 * poi-ooxml-schemas jar
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@poi.apache.org
For additional commands, e-mail: commits-help@poi.apache.org
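Review bot: Both new tests open `new ZipFile(testFile)` and never close it, and the stream from `zip.getInputStream(ze)` is left open as well, so every run leaks a file handle until GC; the ZipFile (commons-compress's is Closeable) belongs in try-with-resources. `e.printStackTrace()` in test54764WithDocumentHelper is leftover debugging output on the expected path and should be dropped, and an `assertNotNull(ze)` before use would turn a missing part into a clear failure instead of an NPE inside getInputStream. Matching `more than "1" entity` also ties both tests to Xerces's message wording and to the literal limit, so if the limit ever becomes a named constant the expected fragment should be built from it. The same reshaping applies to test54764WithDocumentHelper.
```java
    @Test
    public void test54764WithSAXHelper() throws Exception {
        File testFile = XSSFTestDataSamples.getSampleFile("54764.xlsx");
        try (ZipFile zip = new ZipFile(testFile)) {
            ZipArchiveEntry ze = zip.getEntry("xl/sharedStrings.xml");
            assertNotNull("54764.xlsx has no xl/sharedStrings.xml", ze);
            XMLReader reader = SAXHelper.newXMLReader();
            try {
                reader.parse(new InputSource(zip.getInputStream(ze)));
                fail("should have thrown SAXParseException");
            } catch (SAXParseException e) {
                assertNotNull(e.getMessage());
                assertTrue(e.getMessage().contains("more than \"1\" entity"));
            }
        }
    }
    // … unchanged: test54764WithDocumentHelper, reshaped the same way and without e.printStackTrace() …
```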