[英]How to disable XInclude when parsing XML?
I have been given to understand that XInclude
is a potential vulnerability when receiving XML from untrusted sources. 我已经了解XInclude
是从不受信任的来源接收XML时的潜在漏洞。 See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java 请参阅https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
The XML which I expect from external sources is quite simple and there is never any requirement for including external XML. 我期望从外部源获取的XML非常简单,并且不需要包含外部XML。
I have tried the following to disable XInclude (as recommended in the Cheat Sheet): 我已尝试以下方法来禁用XInclude(如备忘单中所推荐):
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
and used this XML to test 并使用此XML进行测试
<?xml version="1.0" encoding="utf-8"?>
<data xmlns:xi="http://www.w3.org/2001/XInclude">
<xi:include href="file://d/temp/badxml.xml" parse="xml">
</xi:include>
</data>
The external file contains invalid XML. 外部文件包含无效的XML。
I had expected that the parser would fail if setXIncludeAware
is set to true
but this is not the case. 如果setXIncludeAware
设置为true
,我原以为解析器会失败,但事实并非如此。 The snippet is always parseable. 该代码段始终是可解析的。 I am using Java 8. 我使用的是Java 8。
Is this a valid test? 这是一个有效的测试吗? Is this the correct way to avoid XInclude attacks? 这是避免XInclude攻击的正确方法吗?
This is the correct way to avoid XInclude and entity attacks, but that is not a valid test for XInclude attacks, as you have discovered. 这是避免XInclude和实体攻击的正确方法,但正如您所发现的那样,这不是XInclude攻击的有效测试。
According to this answer , "XInclude support relies on namespace support, which is turned off by default for backward compatibility reasons". 根据这个答案 ,“XInclude支持依赖于名称空间支持,默认情况下会出于向后兼容性原因而关闭它”。 So call dbf.setNamespaceAware(true);
所以调用dbf.setNamespaceAware(true);
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.