From 06623086e231ef094ec80b65a18b0fe8c8457bb7 Mon Sep 17 00:00:00 2001
From: Andreas Fitzek
Date: Thu, 19 Nov 2015 08:45:02 +0100
Subject: XML-Entity Injection in DataUrl Servlet gefixt
---
 .../java/at/gv/egiz/sl/util/SLMarschaller.java | 26 ++++++++++++++++++++--
 .../at/gv/egiz/pdfas/web/helper/PdfAsHelper.java | 17 ++++++++++++++
 .../gv/egiz/pdfas/web/servlets/DataURLServlet.java | 4 ++++
 3 files changed, 45 insertions(+), 2 deletions(-)
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java
index 8f570ccc..e53fc230 100644
--- a/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java
+++ b/pdf-as-lib/src/main/java/at/gv/egiz/sl/util/SLMarschaller.java
@@ -32,6 +32,9 @@ import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -69,11 +72,30 @@ public class SLMarschaller {
 }
 
 public static Object unmarshal(InputStream is) throws JAXBException {
- return unmarshaller.unmarshal(is);
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ XMLStreamReader xmlStreamReader;
+ try {
+ xmlStreamReader = xif.createXMLStreamReader(is);
+ return unmarshaller.unmarshal(xmlStreamReader);
+ } catch (XMLStreamException e) {
+ throw new JAXBException(e);
+ }
+
 }
 
 public static Object unmarshalFromString(String message) throws JAXBException {
 StringReader sr = new StringReader(message);
- return unmarshaller.unmarshal(sr);
+ XMLInputFactory xif = XMLInputFactory.newFactory();
+ xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ XMLStreamReader xmlStreamReader;
+ try {
+ xmlStreamReader = xif.createXMLStreamReader(sr);
+ return unmarshaller.unmarshal(xmlStreamReader);
+ } catch (XMLStreamException e) {
+ throw new JAXBException(e);
+ }
 }
 }
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
index 52eb8468..b2559b25 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/helper/PdfAsHelper.java
@@ -793,6 +793,23 @@ public class PdfAsHelper {
 return baos.toByteArray();
 }
 
+ public static boolean checkDataUrlAccess(HttpServletRequest request) throws Exception {
+ HttpSession session = request.getSession(false);
+
+ if(session != null) {
+ Object statusObject = session
+ .getAttribute(PDF_STATUS);
+ if(statusObject != null && statusObject instanceof StatusRequest) {
+ StatusRequest statusRequest = (StatusRequest)statusObject;
+ if(statusRequest.needCertificate() || statusRequest.needSignature()) {
+ return true;
+ }
+ }
+ }
+
+ return false;
+ }
+
 public static void injectCertificate(HttpServletRequest request,
 HttpServletResponse response,
 InfoboxReadResponseType infoboxReadResponseType,
diff --git a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
index 5b3fe82a..13c37171 100644
--- a/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
+++ b/pdf-as-web/src/main/java/at/gv/egiz/pdfas/web/servlets/DataURLServlet.java
@@ -80,6 +80,10 @@ public class DataURLServlet extends HttpServlet {
 protected void process(HttpServletRequest request,
 HttpServletResponse response) throws ServletException, IOException {
 try {
+ if(!PdfAsHelper.checkDataUrlAccess(request)) {
+ throw new Exception("No valid dataURL access");
+ }
+
 PdfAsHelper.setFromDataUrl(request);
 String xmlResponse = request.getParameter("XMLResponse");
-- 
cgit v1.2.3
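Review bot: checkDataUrlAccess declares `throws Exception` although nothing visible in its body throws a checked exception (getSession(false), getAttribute and instanceof do not), so the clause only forces DataURLServlet into a broad catch; drop it unless needCertificate() or needSignature() declare checked exceptions, which the hunk does not show. The `statusObject != null &&` guard is redundant because instanceof is false for null: `if(statusObject instanceof StatusRequest) {`. A Javadoc would help the next reader, stating that the DataURL endpoint is reachable only while the StatusRequest stored under PDF_STATUS in the session is still waiting for a certificate or a signature, and that the method deliberately never creates a session.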
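Review bot: A rejected request is reported with `throw new Exception("No valid dataURL access")`, which the catch that closes this try (outside the hunk, as is the rest of process) presumably turns into the same generic error response as any internal failure, so an unauthorised DataURL call is indistinguishable from a crash both in the logs and in the HTTP status. Rejecting it explicitly, `response.sendError(HttpServletResponse.SC_FORBIDDEN); return;`, together with a warn-level log line gives a 403 that can be monitored, unless the citizen-card client on the other end relies on the existing error page, which the hunk does not show. Either way the message should say what is missing, e.g. "no pending signature or certificate request in session", so the log entry is actionable.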