Merge pull request #1924 from OpenRefine/issue1907

Disable DTDs in XML importer.
This commit is contained in:
Antonin Delpeuch 2019-01-07 14:07:30 +01:00 committed by GitHub
commit eb16784f01
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 0 deletions

View File

@ -321,6 +321,7 @@ public class XmlImporter extends TreeImportingParserBase {
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_COALESCING, true);
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, true);
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
return factory.createXMLStreamReader(wrapPrefixRemovingInputStream(inputStream));
}

View File

@ -131,6 +131,17 @@ public class XmlImporterTests extends ImporterTest {
Assert.assertEquals(row.getCell(1).value, "Author 1, The");
}
@Test
public void ignoresDtds() {
RunTest(getSampleWithDtd());
assertProjectCreated(project, 4, 6);
Row row = project.rows.get(0);
Assert.assertNotNull(row);
Assert.assertNotNull(row.getCell(1));
Assert.assertEquals(row.getCell(1).value, "Author 1, The");
}
@Test
public void canParseSampleWithDuplicateNestedElements(){
RunTest(getSampleWithDuplicateNestedElements());
@ -224,6 +235,21 @@ public class XmlImporterTests extends ImporterTest {
return sb.toString();
}
public static String getSampleWithDtd(){
StringBuilder sb = new StringBuilder();
sb.append("<?xml version=\"1.0\"?>");
sb.append("<!DOCTYPE library [\n" +
"<!ENTITY % asd SYSTEM \"http://domain.does.not.exist:4444/ext.dtd\">\n" +
"%asd;\n" +
"%c;\n" +
"]><library>");
for(int i = 1; i < 7; i++){
sb.append(getTypicalElement(i));
}
sb.append("</library>");
return sb.toString();
}
public static ObjectNode getOptions(ImportingJob job, TreeImportingParserBase parser) {
ObjectNode options = parser.createParserUIInitializationData(
job, new LinkedList<>(), "text/json");