From 2a786afd3fef5554321d919481aeac8ed362ce99 Mon Sep 17 00:00:00 2001
From: Looly
Date: Fri, 16 Jun 2023 20:23:06 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8DCVE-2023-3276=E6=BC=8F?=
 =?UTF-8?q?=E6=B4=9E=EF=BC=8CXmlUtil.readBySax=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 CHANGELOG.md | 3 ++-
 .../java/cn/hutool/core/util/XmlUtil.java | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index accaa09bb1..31c3332b24 100755
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,7 +19,8 @@
 * 【extra 】 修复Sftp中exists方法父目录不存在时报错(issue#I7CSQ9@Gitee)
 * 【extra 】 修复xml转json再转bean失败问题(issue#3139@Github)
 * 【poi 】 修复RowUtil传入参数错误问题(issue#3139@Github)
-* 【poi 】 修复XmlUtil.xmlToBean空节点转换失败问题(issue#3136@Github)
+* 【core 】 修复XmlUtil.xmlToBean空节点转换失败问题(issue#3136@Github)
+* 【core 】 修复CVE-2023-3276漏洞,XmlUtil.readBySax问题(issue#I7DX8W@Gitee)
 -------------------------------------------------------------------------------------------------------------
 
 # 5.8.19(2023-05-27)
diff --git a/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java b/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
index 0d1d04bfda..6ca34838ff 100755
--- a/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
+++ b/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
@@ -293,6 +293,16 @@ public static void readBySax(InputSource source, ContentHandler contentHandler)
 factory = SAXParserFactory.newInstance();
 factory.setValidating(false);
 factory.setNamespaceAware(namespaceAware);
+
+ // https://blog.spoock.com/2018/10/23/java-xxe/
+ try{
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ } catch (final Exception ignore){
+ // ignore
+ }
 }
 // 2.从解析工厂获取解析器
 final SAXParser parse;
@@ -306,6 +316,16 @@ public static void readBySax(InputSource source, ContentHandler contentHandler)
 
 // 3.得到解读器
 reader = parse.getXMLReader();
+ // 防止XEE攻击,见:https://www.jianshu.com/p/1a857905b22c
+ // https://blog.spoock.com/2018/10/23/java-xxe/
+ reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ // 忽略外部DTD
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",false);
+ // 不包括外部一般实体。
+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+ // 不包含外部参数实体或外部DTD子集。
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities",false);
+
 reader.setContentHandler(contentHandler);
 reader.parse(source);
 } catch (ParserConfigurationException | SAXException e) {
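Review bot: The `catch (final Exception ignore)` wrapped around the four `factory.setFeature` calls swallows the one failure that matters here — a SAX implementation that does not recognise the Xerces feature URIs — so the factory is then kept without hardening and nothing records why; the bare `// ignore` should at least state the reasoning, e.g. `// non-Xerces parsers may reject these URIs; the per-reader setFeature calls later in this method fail closed`, or the exception should be logged. Alongside the Xerces-specific URIs, `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setXIncludeAware(false);` are the JAXP-portable settings every compliant parser must honour and would cover implementations that ignore the Apache names. Note that `disallow-doctype-decl` set to true makes any document carrying a DOCTYPE fail to parse, which is a behaviour change for callers feeding DTD-bearing XML and deserves a sentence in the readBySax Javadoc. The block that assigns `factory` opens before the hunk and readBySax's body continues after it.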
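Review bot: The four `reader.setFeature` calls are unguarded, so on a SAX implementation that does not recognise the Apache URIs they throw `SAXNotRecognizedException` (a `SAXException`) and the `catch (ParserConfigurationException | SAXException e)` on the last line turns the whole parse into a failure — fail-closed is the right default for an XXE fix, but it contradicts the factory block in the first hunk quietly ignoring the same error, and the intent should be written down, e.g. `// unsupported feature => SAXException: refusing to parse beats parsing unsafely`. The comment `// 防止XEE攻击` names the attack class wrongly; it is XXE (XML External Entity), and the English form is clearer for readers of this CVE fix. Since the `factory` assignment in the first hunk sits inside a block that closes before `// 2.`, which suggests a cached factory, these per-reader calls are the ones that reliably take effect on every parse, so keeping the feature list in one place (here) avoids the two copies drifting apart. Adding `reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` would extend the protection to parsers that only honour the JAXP-standard feature. The enclosing try block starts, and the catch handler ends, outside the hunk.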