authorAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2015-11-19 08:45:02 +0100
committerAndreas Fitzek <andreas.fitzek@iaik.tugraz.at>2015-11-19 09:04:15 +0100
commit06623086e231ef094ec80b65a18b0fe8c8457bb7 (patch)
tree6356eb5adf0890a8ff0a5300104c427a7826f017
parent32bf02fbf25c5a9ab0133e7edba5d5edea914d30 (diff)
XML-Entity Injection in DataUrl Servlet gefixt
-rw-r--r--pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java26
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java17
-rw-r--r--pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java4
3 files changed, 45 insertions, 2 deletions
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java
index 8f570ccc..e53fc230 100644
--- a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java
+++ b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java
@@ -32,6 +32,9 @@ import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Marshaller;
import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -69,11 +72,30 @@ public class SLMarschaller {
}
public static Object unmarshal(InputStream is) throws JAXBException {
- return unmarshaller.unmarshal(is);
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ XMLStreamReader xmlStreamReader;
+ try {
+ xmlStreamReader = xif.createXMLStreamReader(is);
+ return unmarshaller.unmarshal(xmlStreamReader);
+ } catch (XMLStreamException e) {
+ throw new JAXBException(e);
+ }
+
}
public static Object unmarshalFromString(String message) throws JAXBException {
StringReader sr = new StringReader(message);
- return unmarshaller.unmarshal(sr);
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ XMLStreamReader xmlStreamReader;
+ try {
+ xmlStreamReader = xif.createXMLStreamReader(sr);
+ return unmarshaller.unmarshal(xmlStreamReader);
+ } catch (XMLStreamException e) {
+ throw new JAXBException(e);
+ }
}
}
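Review bot: The hardened factory setup is duplicated verbatim in unmarshal and unmarshalFromString, and neither method closes the XMLStreamReader it creates; moving the two setProperty calls into one private helper and closing the reader in a finally block keeps the XXE mitigation in a single place so a later entry point cannot silently omit one of the properties. It is worth a comment that SUPPORT_DTD=false is what rejects a DOCTYPE (and with it any entity declaration), while IS_SUPPORTING_EXTERNAL_ENTITIES=false is defence in depth for StAX implementations that handle the first property differently, so neither line should be dropped as redundant. The `unmarshaller` field referenced on both new return lines is declared outside the hunk; if it is a single shared Unmarshaller, note that the JAXB specification does not guarantee Unmarshaller thread-safety, which matters for a method reached from servlet code.
```java
/** StAX factory with DOCTYPE and external entity resolution disabled (XXE mitigation). */
private static XMLInputFactory secureInputFactory() {
    XMLInputFactory xif = XMLInputFactory.newFactory();
    // SUPPORT_DTD=false rejects DOCTYPE and therefore all entity declarations;
    // IS_SUPPORTING_EXTERNAL_ENTITIES=false is defence in depth. Keep both.
    xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
    return xif;
}

public static Object unmarshal(InputStream is) throws JAXBException {
    XMLStreamReader xmlStreamReader = null;
    try {
        xmlStreamReader = secureInputFactory().createXMLStreamReader(is);
        return unmarshaller.unmarshal(xmlStreamReader);
    } catch (XMLStreamException e) {
        throw new JAXBException(e);
    } finally {
        if (xmlStreamReader != null) {
            try {
                xmlStreamReader.close(); // frees parser state; the caller still owns 'is'
            } catch (XMLStreamException ignored) {
                // nothing useful to do on close failure; the result/exception above stands
            }
        }
    }
}
// … unchanged: unmarshalFromString, same shape using secureInputFactory() on the StringReader …
```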
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
index 52eb8468..b2559b25 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
@@ -793,6 +793,23 @@ public class PdfAsHelper {
return baos.toByteArray();
}
+ public static boolean checkDataUrlAccess(HttpServletRequest request) throws Exception {
+ HttpSession session = request.getSession(false);
+
+ if(session != null) {
+ Object statusObject = session
+ .getAttribute(PDF_STATUS);
+ if(statusObject != null && statusObject instanceof StatusRequest) {
+ StatusRequest statusRequest = (StatusRequest)statusObject;
+ if(statusRequest.needCertificate() || statusRequest.needSignature()) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
public static void injectCertificate(HttpServletRequest request,
HttpServletResponse response,
InfoboxReadResponseType infoboxReadResponseType,
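Review bot: checkDataUrlAccess declares `throws Exception` although nothing in its body throws a checked exception, and the `statusObject != null &&` guard on the instanceof line is redundant because instanceof is already false for null; `public static boolean checkDataUrlAccess(HttpServletRequest request) {` and `if (statusObject instanceof StatusRequest) {` express the same check without forcing callers to catch a bare Exception. The method has no Javadoc; a comment should state that it admits a request only when an already existing session holds a StatusRequest in the needCertificate or needSignature phase, that `getSession(false)` is deliberate so the check never creates a session, and that false is the expected result for any request arriving outside a running signature flow. A rejection is currently silent here; if PdfAsHelper has a logger, a single warn line naming the reason (no session, no status object, wrong phase) would make probing of the DataURL endpoint visible in logs without changing the return value.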
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
index 5b3fe82a..13c37171 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
@@ -80,6 +80,10 @@ public class DataURLServlet extends HttpServlet {
protected void process(HttpServletRequest request,
HttpServletResponse response) throws ServletException, IOException {
try {
+ if(!PdfAsHelper.checkDataUrlAccess(request)) {
+ throw new Exception("No valid dataURL access");
+ }
+
PdfAsHelper.setFromDataUrl(request);
String xmlResponse = request.getParameter("XMLResponse");