Merge pull request #2236 in CORE/base-third from release/10.0 to feature/10.0

* commit '6ec6da1d2b7d7740f449e8cefd7a44cc039d2d09': DEC-17989 itext XXE安全漏洞修复，参考 930a1c81f8
4 years ago · 8ab7742594
6 changed files with 44 additions and 0 deletions
--- a/fine-itext-old/src/main/java/com/fr/third/com/lowagie/text/SafeEmptyEntityResolver.java
+++ b/fine-itext-old/src/main/java/com/fr/third/com/lowagie/text/SafeEmptyEntityResolver.java
@ -0,0 +1,18 @@
 package com.fr.third.com.lowagie.text;
 import java.io.IOException;
 import java.io.StringReader;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 /**
 * @author Hugh.C
 * @version 1.0
 * Created by Hugh.C on 2021/4/26
 */
 public class SafeEmptyEntityResolver implements EntityResolver {
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
        return new InputSource(new StringReader(""));
    }
 }
--- a/fine-itext-old/src/main/java/com/fr/third/com/lowagie/text/pdf/XfaForm.java
+++ b/fine-itext-old/src/main/java/com/fr/third/com/lowagie/text/pdf/XfaForm.java
@ -49,6 +49,7 @@
 package com.fr.third.com.lowagie.text.pdf;
 import com.fr.third.com.lowagie.text.SafeEmptyEntityResolver;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@ -140,6 +141,7 @@ public class XfaForm {
        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
        fact.setNamespaceAware(true);
        DocumentBuilder db = fact.newDocumentBuilder();
        db.setEntityResolver(new SafeEmptyEntityResolver());
        domDocument = db.parse(new ByteArrayInputStream(bout.toByteArray()));   
        extractNodes();
    }
--- a/fine-itext-old/src/main/java/com/fr/third/com/lowagie/text/xml/xmp/XmpReader.java
+++ b/fine-itext-old/src/main/java/com/fr/third/com/lowagie/text/xml/xmp/XmpReader.java
@ -46,6 +46,7 @@
 */
 package com.fr.third.com.lowagie.text.xml.xmp;
 import com.fr.third.com.lowagie.text.SafeEmptyEntityResolver;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@ -85,6 +86,7 @@ public class XmpReader {
 	        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
 	        fact.setNamespaceAware(true);
 			DocumentBuilder db = fact.newDocumentBuilder();
 			db.setEntityResolver(new SafeEmptyEntityResolver());
 	        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
 	        domDocument = db.parse(bais);
 		} catch (ParserConfigurationException e) {
--- a/fine-itext/src/main/java/com/fr/third/v2/lowagie/text/SafeEmptyEntityResolver.java
+++ b/fine-itext/src/main/java/com/fr/third/v2/lowagie/text/SafeEmptyEntityResolver.java
@ -0,0 +1,18 @@
 package com.fr.third.v2.lowagie.text;
 import java.io.IOException;
 import java.io.StringReader;
 import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 /**
 * @author Hugh.C
 * @version 1.0
 * Created by Hugh.C on 2021/4/26
 */
 public class SafeEmptyEntityResolver implements EntityResolver {
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
        return new InputSource(new StringReader(""));
    }
 }
--- a/fine-itext/src/main/java/com/fr/third/v2/lowagie/text/pdf/XfaForm.java
+++ b/fine-itext/src/main/java/com/fr/third/v2/lowagie/text/pdf/XfaForm.java
@ -49,6 +49,7 @@
 package com.fr.third.v2.lowagie.text.pdf;
 import com.fr.third.v2.lowagie.text.SafeEmptyEntityResolver;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@ -140,6 +141,7 @@ public class XfaForm {
        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
        fact.setNamespaceAware(true);
        DocumentBuilder db = fact.newDocumentBuilder();
        db.setEntityResolver(new SafeEmptyEntityResolver());
        domDocument = db.parse(new ByteArrayInputStream(bout.toByteArray()));   
        extractNodes();
    }
--- a/fine-itext/src/main/java/com/fr/third/v2/lowagie/text/xml/xmp/XmpReader.java
+++ b/fine-itext/src/main/java/com/fr/third/v2/lowagie/text/xml/xmp/XmpReader.java
@ -46,6 +46,7 @@
 */
 package com.fr.third.v2.lowagie.text.xml.xmp;
 import com.fr.third.v2.lowagie.text.SafeEmptyEntityResolver;
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
@ -85,6 +86,7 @@ public class XmpReader {
 	        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
 	        fact.setNamespaceAware(true);
 			DocumentBuilder db = fact.newDocumentBuilder();
 			db.setEntityResolver(new SafeEmptyEntityResolver());
 	        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
 	        domDocument = db.parse(bais);
 		} catch (ParserConfigurationException e) {