我对 xml 外部实体注入有疑问。
工作示例:
def xslt = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<!DOCTYPE a [\n" +
"<!ENTITY e SYSTEM \"/etc/passwd\"> ]>\n" +
" <xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" version=\"1.0\">\n" +
" <xsl:template match=\"/\">\n" +
"\n" +
" <Row>\n" +
" &e;\n" +
" </Row>\n" +
" </xsl:template>\n" +
" </xsl:stylesheet>"
def input = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
"<Records>\n" +
" <Row>\n" +
" <data>data1</data>\n" +
" </Row>\n" +
"</Records>"
TransformerFactory factory = TransformerFactory.newInstance();
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
StreamSource xsltStream = new StreamSource(new ByteArrayInputStream(xslt.getBytes()))
Transformer transformer = factory.newTransformer(xsltStream);
StreamSource ins = new StreamSource(new ByteArrayInputStream(input.getBytes()))
ByteArrayOutputStream bout = new ByteArrayOutputStream()
StreamResult out = new StreamResult(bout);
transformer.transform(ins, out);
print bout.toString()
结果显示 /etc/passwd 文件的内容。我能做些什么来避免这个问题?
设置了安全功能,但它不起作用吗?