Groovy avoid XML External Entity Injection -


i have problem xml external entity injection.

working example:

def xslt = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +             "<!doctype [\n" +             "<!entity e system \"/etc/passwd\"> ]>\n" +             "    <xsl:stylesheet xmlns:xsl=\"http://www.w3.org/1999/xsl/transform\" version=\"1.0\">\n" +             "        <xsl:template match=\"/\">\n" +             "\n" +             "          <row>\n" +             "             &e;\n" +             "          </row>\n" +             "        </xsl:template>\n" +             "    </xsl:stylesheet>"      def input = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +             "<records>\n" +             "  <row>\n" +             "     <data>data1</data>\n" +             "  </row>\n" +             "</records>"     transformerfactory factory = transformerfactory.newinstance();     factory.setfeature(xmlconstants.feature_secure_processing, true);     streamsource xsltstream = new streamsource(new bytearrayinputstream(xslt.getbytes()))      transformer transformer = factory.newtransformer(xsltstream);     streamsource ins = new streamsource(new bytearrayinputstream(input.getbytes()))     bytearrayoutputstream bout = new bytearrayoutputstream()     streamresult out = new streamresult(bout);     transformer.transform(ins, out);     print bout.tostring()

as result contents of /etc/passwd file displayed. can avoid problem?

the security feature set, not working?


Comments

Post a Comment

Popular posts from this blog

1111. appearing after print sequence - php -

morning, i have code takes string of shoe sizes, explodes , puts in table. code works , info displayed correctly on page after table there few 1's after table. i'm confused this. so table looks (in columns of 3 on webpage) available in following sizes: 3 4 5 6 9 10 111 here's codes, purpose of example $x = 3|4|6|10|9 function get_sizes_pipe($x) { $counter = 0; $splits = explode("|",$x); asort($splits); $x = print "<table class='greentable'>"; $x .= print "<thead><tr><th scope='col' colspan='3' abbr='starter'>available in following sizes:</th></tr></thead><tbody><tr>"; foreach ($splits $split) { $entry = print "<td>".$split."</td>"; if($counter == 2){ $entry .= print "</tr><tr>"; $counter =0; } else { $counter++; ...
Read more

java - WARN : org.springframework.web.servlet.PageNotFound - No mapping found for HTTP request with URI [/board/] in DispatcherServlet with name 'appServlet' -

this question has answer here: why spring mvc respond 404 , report “no mapping found http request uri […] in dispatcherservlet”? 3 answers i trying making simple bbs i'm encountering following error, warn : org.springframework.web.servlet.pagenotfound - no mapping found http request uri [/board/] in dispatcherservlet name 'appservlet' i have tried solve error many times, have failed. how can solve error? here web.xml, controllerand , servlet-context. my web.xml <?xml version="1.0" encoding="utf-8"?> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance" xsi:schemalocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> <filter> <filter-nam...
Read more

Ruby on Rails, ActiveRecord, Postgres, UTF-8 and ASCII-8BIT encodings -

weirdest error, who’s challenge try , me? spent hours yesterday on , it’s magic. can't believe happening , it's driving me crazy. btw, using: rails 4.2.3 ruby 2.2.3 pg 0.18 encoding.default_internal = encoding.default_external = utf-8 config.encoding = 'utf-8' it has postgres, activerecord , encodings! turns out we’ve been getting these errors whenever create new users on database special characters: encoding::undefinedconversionerror: "\xc3" ascii-8bit utf-8 \xc3 may vary depending on characters. weird part we’ve set since beginning utf-8. makes no sense , digged it, , used script: user.all.each |user| user.attributes.each |name, value| if value.is_a? string puts user.email + name.encoding.to_s + value.encoding.to_s end end end and output of 1 of users, users same: dr_lottahelp@blahblah.comutf-8utf-8 dr_lottahelp@blahblah.comutf-8ascii-8bit dr_lottahelp@blahblah.comutf-8ascii-8bit dr_lottahelp@blahblah.comutf-8asci...
Read more