Fortify fix for XML External Entity Injection
Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. You are free to use or share it, but you must attribute it to the original authors (not me) and cite the original address:
Original: http://stackoverflow.com/questions/38247243/
Asked by veera
When I do scan using fortify tool, I got some issues under "XML External Entity Injection".
TransformerFactory trfactory = TransformerFactory.newInstance();
This is the place where it shows the error. I have applied the fix below, as suggested by Fortify:
trfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
trfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
But the issues are still not fixed. How do I fix this issue?
Answered by Kondal Kolipaka
TransformerFactory trfactory = TransformerFactory.newInstance();
trfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
trfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
This would be sufficient.
Answered by Prathamesh Ketgale
Sometimes it will not work if the Java version is not compatible.
// dbf is a DocumentBuilderFactory; javaVersion is the runtime version as a number (e.g. 1.7)
if (javaVersion > 1.6) {
    // Standard SAX feature URIs
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
} else if (javaVersion > 1.5) {
    // Xerces2-J feature URIs
    dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-general-entities", false);
    dbf.setFeature("http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities", false);
} else {
    // Xerces-J (1.x) feature URIs
    dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-general-entities", false);
    dbf.setFeature("http://xerces.apache.org/xerces-j/features.html#external-parameter-entities", false);
}
It worked for me :-)
Answered by Ben Wong
You can also try:
// TransformerFactoryImpl is the Xalan implementation class; secure processing is a
// factory feature, so it must be set on the factory before the Transformer is created
TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
transformerFactoryImpl.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Transformer transformer = transformerFactoryImpl.newTransformer();
Answered by veera
I tried the "Xalan" implementation class instead of TransformerFactory.newInstance(). It worked for me and the Fortify issue was fixed.
TransformerFactoryImpl transformerFactoryImpl = new TransformerFactoryImpl();
Transformer transformer = transformerFactoryImpl.newTransformer();
Answered by Abhishek Das
Add this line. It worked for me.
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
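Pulling the answers above together, here is an added example (mine, not code from any of the posters) of a DocumentBuilderFactory and a TransformerFactory hardened with the features and attributes discussed, plus a check that a constructed DOCTYPE input is refused; the class name XxeHardening and the sample inputs are assumptions for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import java.io.StringReader;
import java.io.StringWriter;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
public class XxeHardening {
    // Constructed test input: a DOCTYPE that declares an external entity (harmless target)
    static final String DOCTYPE_INPUT = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///dev/null\"> ]>\n<doc>&ext;</doc>";
    static final String PLAIN_INPUT = "<doc>hello</doc>";
    // Hardened DocumentBuilderFactory: combines the features from the answers above
    static DocumentBuilderFactory hardenedDbf() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dbf;
    }
    // Hardened TransformerFactory (the ACCESS_EXTERNAL_* attributes need JAXP 1.5, Java 7u40+)
    static TransformerFactory hardenedTf() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }
    // True when the hardened parser refuses the input; with disallow-doctype-decl any DOCTYPE is rejected
    static boolean rejected(String xml) throws Exception {
        DocumentBuilder db = hardenedDbf().newDocumentBuilder();
        try { db.parse(new InputSource(new StringReader(xml))); return false; }
        catch (SAXParseException e) { return true; }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE input rejected: " + rejected(DOCTYPE_INPUT));
        System.out.println("Plain input rejected: " + rejected(PLAIN_INPUT));
        // The plain document still parses and can be serialised through the hardened TransformerFactory
        Document doc = hardenedDbf().newDocumentBuilder().parse(new InputSource(new StringReader(PLAIN_INPUT)));
        StringWriter out = new StringWriter();
        hardenedTf().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        System.out.println(out);
    }
}
```

If an old Xalan or Xerces jar on the classpath ignores or rejects these settings, the scanner finding will persist; a unit test like rejected() above is a quick way to confirm the runtime parser actually honours them.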