From bfb86f8a455f6e009c0ec2db83159b8dba37a0e7 Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Tue, 7 Sep 2021 20:59:19 +0000
Subject: [PATCH] don't allow SAX parser to accept DTDs
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1893075 13f79535-47bb-0310-9956-ffa450edef68
---
 .../test/java/org/apache/poi/xssf/usermodel/TestXSSFBugs.java | 2 +-
 poi/src/main/java/org/apache/poi/util/XMLHelper.java | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFBugs.java b/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
index cb736d599e..29bbde1239 100644
--- a/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
+++ b/poi-ooxml/src/test/java/org/apache/poi/xssf/usermodel/TestXSSFBugs.java
@@ -1887,7 +1887,7 @@ public final class TestXSSFBugs extends BaseTestBugzillaIssues {
 SAXParseException e = assertThrows(SAXParseException.class, () -> reader.parse(new InputSource(zip.getInputStream(ze))));
 assertNotNull(e.getMessage());
- assertTrue(e.getMessage().contains("more than \"1\" entity"));
+ assertNotEquals(isOldXercesActive(), e.getMessage().contains("DOCTYPE is disallowed when the feature"));
 }
 }
diff --git a/poi/src/main/java/org/apache/poi/util/XMLHelper.java b/poi/src/main/java/org/apache/poi/util/XMLHelper.java
index e27c976d28..87a481b04c 100644
--- a/poi/src/main/java/org/apache/poi/util/XMLHelper.java
+++ b/poi/src/main/java/org/apache/poi/util/XMLHelper.java
@@ -157,6 +157,7 @@ public final class XMLHelper {
 trySet(factory::setFeature, FEATURE_LOAD_DTD_GRAMMAR, false);
 trySet(factory::setFeature, FEATURE_LOAD_EXTERNAL_DTD, false);
 trySet(factory::setFeature, FEATURE_EXTERNAL_ENTITIES, false);
+ trySet(factory::setFeature, FEATURE_DISALLOW_DOCTYPE_DECL, true);
 return factory;
 } catch (RuntimeException | Error re) { // NOSONAR
 // this also catches NoClassDefFoundError, which may be due to a local class path issue
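Review bot: The new assertion in TestXSSFBugs pins the error text only on the path where `isOldXercesActive()` is false; when it is true, the test passes for any message that merely lacks "DOCTYPE is disallowed when the feature", so a change in what rejects the document on that parser would go unnoticed. `assertNotEquals` over two booleans also hides the intent. If old Xerces still reports the message the removed line checked (not visible here), spelling out both branches keeps each path covered: `if (isOldXercesActive()) assertTrue(e.getMessage().contains("more than \"1\" entity")); else assertTrue(e.getMessage().contains("DOCTYPE is disallowed when the feature"));`. The enclosing test method starts and ends outside the hunk.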
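Review bot: The added `trySet(factory::setFeature, FEATURE_DISALLOW_DOCTYPE_DECL, true)` in XMLHelper is the strongest of the four hardening settings, yet it goes through the same `trySet` helper as the others. That helper is not shown here; judging by its name and by the `isOldXercesActive()` branch in the test, it appears to tolerate a parser that rejects the feature. If so, an unsupported parser silently falls back to the three weaker features, and that case should be logged visibly or at least documented. A comment on the new line would record the layering, for example `// primary XXE defence: reject any DOCTYPE; the features above are the fallback when the parser does not support this one`. The factory method's Javadoc should also state that input carrying a DOCTYPE is now rejected with a SAXParseException, since callers that parsed such documents before will see a behaviour change. The method body starts and ends outside the hunk.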