WeChat Pay merchants: regarding the recently disclosed XML External Entity Injection (XXE) vulnerability. The issue is caused by XML parser components that do not disable external entity references by default; it is not a vulnerability in the WeChat Pay system itself.
Java fix:
Upgrade the SDK,
or modify the code by hand to add the hardening checks.
The manual method is given here:
Locate the class at:
com.tencent.common.XMLParser
Search for the code:
DocumentBuilderFactory.newInstance()
You will see:
Insert the following code between these two lines:
    // Requires: import javax.xml.parsers.ParserConfigurationException;
    String FEATURE = null;
    try {
        // Reject any DOCTYPE declaration. On its own this blocks external entities
        // and DTD-based entity-expansion attacks.
        FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
        factory.setFeature(FEATURE, true);
        // Defence in depth for processors that do not honour the feature above:
        // no external general entities, no external parameter entities, no external DTD.
        FEATURE = "http://xml.org/sax/features/external-general-entities";
        factory.setFeature(FEATURE, false);
        FEATURE = "http://xml.org/sax/features/external-parameter-entities";
        factory.setFeature(FEATURE, false);
        FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
        factory.setFeature(FEATURE, false);
        // XInclude and entity-reference expansion are not needed for payment notifications.
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
    } catch (ParserConfigurationException e) {
        // A processor that does not support a feature throws here; log which one failed.
        log.warn("ParserConfigurationException was thrown. The feature '" + FEATURE
                + "' is probably not supported by your XML processor.");
    }
That is all that is needed.