#889 修复一些潜在的XXE漏洞代码

2025-11-09 17:39:12 +08:00 · 2018-12-20 16:47:02 +08:00
parent 9b6893161a
commit 6272639f02
3 changed files with 14 additions and 11 deletions
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
@ -37,7 +37,9 @@ public class WxCryptUtil {
    @Override
    protected DocumentBuilder initialValue() {
      try {
-        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
+        final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setExpandEntityReferences(false);
+        return factory.newDocumentBuilder();
      } catch (ParserConfigurationException exc) {
        throw new IllegalArgumentException(exc);
      }