don't allow SAX parser to accept DTDs

git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1893075 13f79535-47bb-0310-9956-ffa450edef68
PJ Fanning 2021-09-07 20:59:19 +00:00
parent 0bb651955e
commit bfb86f8a45
2 changed files with 2 additions and 1 deletions


@ -1887,7 +1887,7 @@ public final class TestXSSFBugs extends BaseTestBugzillaIssues {
SAXParseException e = assertThrows(SAXParseException.class,
() -> reader.parse(new InputSource(zip.getInputStream(ze))));
assertNotNull(e.getMessage());
assertTrue(e.getMessage().contains("more than \"1\" entity"));
assertNotEquals(isOldXercesActive(), e.getMessage().contains("DOCTYPE is disallowed when the feature"));
}
}
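Review bot: The assertion `assertNotEquals(isOldXercesActive(), e.getMessage().contains("DOCTYPE is disallowed when the feature"));` pins the exception message only on the path where the new feature is honoured; when `isOldXercesActive()` is true, any `SAXParseException` whose message lacks that text passes. If the `"more than \"1\" entity"` check is the line being replaced (the +/- markers are lost on this page, so that is inferred), consider keeping it for the old-Xerces branch so the entity-expansion limit is still verified there, e.g. `if (isOldXercesActive()) assertTrue(e.getMessage().contains("more than \"1\" entity"));`. The test method starts outside the hunk.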


@ -157,6 +157,7 @@ public final class XMLHelper {
trySet(factory::setFeature, FEATURE_LOAD_DTD_GRAMMAR, false);
trySet(factory::setFeature, FEATURE_LOAD_EXTERNAL_DTD, false);
trySet(factory::setFeature, FEATURE_EXTERNAL_ENTITIES, false);
trySet(factory::setFeature, FEATURE_DISALLOW_DOCTYPE_DECL, true);
return factory;
} catch (RuntimeException | Error re) { // NOSONAR
// this also catches NoClassDefFoundError, which may be due to a local class path issue
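Review bot: `FEATURE_DISALLOW_DOCTYPE_DECL` is applied through `trySet`, so at `trySet(factory::setFeature, FEATURE_DISALLOW_DOCTYPE_DECL, true);` a parser that rejects the feature presumably goes on accepting DOCTYPE declarations without failing factory creation (the body of `trySet` is outside the hunk, so confirm that it reports the failure rather than throwing). In that fallback the hardening rests on the three feature settings just above, which is worth saying in a comment on the line, e.g. `// strictest setting: reject any DOCTYPE; parsers that refuse this feature rely on the DTD/entity features above`. The setting also makes every SAX reader from this factory reject documents that carry a harmless DOCTYPE, so the method's Javadoc or the release notes should mention it. The enclosing method starts before the hunk and its catch block continues after it.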