Merge pull request #56 from albfernandez/fix_cve_2017_9096

tlxtellef · web-flow · commit 672c137469fb · 2017-11-16T15:45:01.000+01:00
Fix for CVE-2017-9096 iText XML External Entity Vulnerability
diff --git a/openpdf/src/main/java/com/lowagie/text/pdf/XfaForm.java b/openpdf/src/main/java/com/lowagie/text/pdf/XfaForm.java
@@ -53,9 +53,9 @@
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.StringReader;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.EmptyStackException;
@@ -67,9 +67,9 @@
 import javax.xml.parsers.ParserConfigurationException;
 
 import org.w3c.dom.Document;
-import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
@@ -148,6 +148,12 @@ else if (xfa instanceof PRStream) {
         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
         fact.setNamespaceAware(true);
         DocumentBuilder db = fact.newDocumentBuilder();
+        db.setEntityResolver(new EntityResolver() {
+			@Override
+			public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+				return new InputSource(new StringReader(""));
+			}        	
+        });
         domDocument = db.parse(new ByteArrayInputStream(bout.toByteArray()));   
         extractNodes();
     }
@@ -1119,7 +1125,13 @@ public void fillXfaForm(InputStream is) throws ParserConfigurationException, SAX
     
     public void fillXfaForm(InputSource is) throws ParserConfigurationException, SAXException, IOException {
 		DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-    	DocumentBuilder db = dbf.newDocumentBuilder();        		
+    	DocumentBuilder db = dbf.newDocumentBuilder(); 
+        db.setEntityResolver(new EntityResolver() {
+			@Override
+			public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+				return new InputSource(new StringReader(""));
+			}        	
+        });
     	Document newdoc = db.parse(is);
     	fillXfaForm(newdoc.getDocumentElement());
     }
diff --git a/openpdf/src/main/java/com/lowagie/text/xml/xmp/XmpReader.java b/openpdf/src/main/java/com/lowagie/text/xml/xmp/XmpReader.java
@@ -49,6 +49,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.StringReader;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -58,6 +59,8 @@
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
 import com.lowagie.text.ExceptionConverter;
@@ -85,6 +88,12 @@ public XmpReader(byte[] bytes) throws SAXException, IOException {
 	        DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
 	        fact.setNamespaceAware(true);
 			DocumentBuilder db = fact.newDocumentBuilder();
+	        db.setEntityResolver(new EntityResolver() {
+				@Override
+				public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+					return new InputSource(new StringReader(""));
+				}        	
+	        });
 	        ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
 	        domDocument = db.parse(bais);
 		} catch (ParserConfigurationException e) {
diff --git a/pdf-toolbox/src/main/java/com/lowagie/tools/BuildTutorial.java b/pdf-toolbox/src/main/java/com/lowagie/tools/BuildTutorial.java
@@ -54,6 +54,7 @@
 import java.io.FileWriter;
 import java.io.IOException;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Templates;
@@ -171,7 +172,7 @@ public static void convert(File infile, File xslfile, File outfile) {
 		try {
 			// Create transformer factory
 			TransformerFactory factory = TransformerFactory.newInstance();
-
+			factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 			// Use the factory to create a template containing the xsl file
 			Templates template = factory.newTemplates(new StreamSource(
 					new FileInputStream(xslfile)));
