今早收到产品同事的微信，说收到了微信的安全提醒，通知内容如下：
【微信支付】安全提醒:请贵司技术人员排查系统是否存在名为XXE的常见漏洞,其危害较大,点击查看修复指引 http://url.cn/55h4BVd ,谢谢。
根据上面的修复指引排查了相关的通知接口，
发现我们使用的是 dom4j 的 DocumentHelper。
package com.tcl.jsapi.util;
import java.io.StringReader;
import java.util.StringTokenizer;
import org.apache.log4j.Logger;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
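/**
 * XXE-hardened replacement for {@code DocumentHelper.parseText}: parses XML text with a
 * dom4j {@link SAXReader} whose DOCTYPE and external-entity processing is disabled.
 *
 * <p>Stateless apart from the logger; every call builds its own reader, so the class is
 * safe to use from several threads.
 */
public class SecurityXMPHelper {
    private static final Logger log = Logger.getLogger(SecurityXMPHelper.class);

    // SAX feature names applied to every reader. If any of them cannot be set, the parse is
    // aborted instead of silently running without protection.
    private static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    /**
     * Parses {@code text} into a {@link Document} with XXE protections enabled.
     *
     * @param text the XML document as a string (e.g. a notification body); must not be null
     * @return the parsed document; its XML encoding is filled in from the prolog when the
     *         parser did not report one
     * @throws DocumentException if the text is not well-formed, contains a DOCTYPE, or the
     *         underlying parser does not support the hardening features (fail closed rather
     *         than parse unprotected)
     */
    public static Document parseText(String text) throws DocumentException {
        SAXReader reader = newHardenedReader();
        String encoding = getEncoding(text);
        InputSource source = new InputSource(new StringReader(text));
        source.setEncoding(encoding);
        Document result = reader.read(source);
        // Some parsers do not expose the declared encoding; fall back to the one read from the prolog.
        if (result.getXMLEncoding() == null) {
            result.setXMLEncoding(encoding);
        }
        return result;
    }

    /**
     * Builds a {@link SAXReader} with DOCTYPE declarations and external entities disabled.
     *
     * @return a reader that rejects DOCTYPE and does not resolve external entities
     * @throws DocumentException if a feature cannot be applied; the original code only logged
     *         this and went on to parse with XXE still possible
     */
    private static SAXReader newHardenedReader() throws DocumentException {
        SAXReader reader = new SAXReader();
        try {
            reader.setFeature(DISALLOW_DOCTYPE, true);
            reader.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
            reader.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        } catch (SAXException e) {
            log.error("Unable to enable XXE protections on SAXReader; refusing to parse", e);
            throw new DocumentException("XML parser does not support XXE protection features", e);
        }
        return reader;
    }

    /**
     * Extracts the {@code encoding} pseudo-attribute from the XML declaration, if present.
     *
     * @param text the XML text; must not be null
     * @return the declared encoding, or {@code null} when there is no XML declaration or it
     *         carries no encoding attribute
     */
    private static String getEncoding(String text) {
        String xml = text.trim();
        if (!xml.startsWith("<?xml")) {
            return null;
        }
        int end = xml.indexOf("?>");
        // An unterminated declaration made the original substring(0, -1) throw
        // StringIndexOutOfBoundsException; scan what we have and let the parser report the error.
        String prolog = end < 0 ? xml : xml.substring(0, end);
        StringTokenizer tokens = new StringTokenizer(prolog, " =\"\'");
        while (tokens.hasMoreTokens()) {
            if ("encoding".equals(tokens.nextToken())) {
                return tokens.hasMoreTokens() ? tokens.nextToken() : null;
            }
        }
        return null;
    }
}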