From 6a0d7d56e4ffb420316ce7849fde881344fbf881 Mon Sep 17 00:00:00 2001
From: Antonin Delpeuch <antonin@delpeuch.eu>
Date: Mon, 31 Dec 2018 16:02:34 +0100
Subject: [PATCH] Disable DTDs in XML importer. Closes #1907.

---
 .../google/refine/importers/XmlImporter.java  |  1 +
 .../tests/importers/XmlImporterTests.java     | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/main/src/com/google/refine/importers/XmlImporter.java b/main/src/com/google/refine/importers/XmlImporter.java
index dd3b76175..6b31cb856 100644
--- a/main/src/com/google/refine/importers/XmlImporter.java
+++ b/main/src/com/google/refine/importers/XmlImporter.java
@@ -321,6 +321,7 @@ public class XmlImporter extends TreeImportingParserBase {
         XMLInputFactory factory = XMLInputFactory.newInstance();
         factory.setProperty(XMLInputFactory.IS_COALESCING, true);
         factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, true);
+        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
         
         return factory.createXMLStreamReader(wrapPrefixRemovingInputStream(inputStream));
     }
diff --git a/main/tests/server/src/com/google/refine/tests/importers/XmlImporterTests.java b/main/tests/server/src/com/google/refine/tests/importers/XmlImporterTests.java
index 40d35d882..d31717054 100644
--- a/main/tests/server/src/com/google/refine/tests/importers/XmlImporterTests.java
+++ b/main/tests/server/src/com/google/refine/tests/importers/XmlImporterTests.java
@@ -130,6 +130,17 @@ public class XmlImporterTests extends ImporterTest {
         Assert.assertNotNull(row.getCell(1));
         Assert.assertEquals(row.getCell(1).value, "Author 1, The");
     }
+    
+    @Test
+    public void ignoresDtds() {
+    	RunTest(getSampleWithDtd());
+    	
+    	assertProjectCreated(project, 4, 6);
+    	Row row = project.rows.get(0);
+        Assert.assertNotNull(row);
+        Assert.assertNotNull(row.getCell(1));
+        Assert.assertEquals(row.getCell(1).value, "Author 1, The");
+    }
 
     @Test
     public void canParseSampleWithDuplicateNestedElements(){
@@ -224,6 +235,21 @@ public class XmlImporterTests extends ImporterTest {
         return sb.toString();
     }
     
+    public static String getSampleWithDtd(){
+        StringBuilder sb = new StringBuilder();
+        sb.append("<?xml version=\"1.0\"?>");
+        sb.append("<!DOCTYPE library [\n" + 
+    			"<!ENTITY % asd SYSTEM \"http://domain.does.not.exist:4444/ext.dtd\">\n" + 
+    			"%asd;\n" + 
+    			"%c;\n" + 
+    			"]><library>");
+        for(int i = 1; i < 7; i++){
+            sb.append(getTypicalElement(i));
+        }
+        sb.append("</library>");
+        return sb.toString();
+    }
+
     public static ObjectNode getOptions(ImportingJob job, TreeImportingParserBase parser) {
         ObjectNode options = parser.createParserUIInitializationData(
                 job, new LinkedList<>(), "text/json");