
WeChat Pay XXE vulnerability

Open Caratacus opened this issue 7 years ago • 1 comment

A serious vulnerability (XXE) has been disclosed in the WeChat Pay SDK: https://www.cnblogs.com/kismetv/p/9266224.html

Caratacus avatar Jul 06 '18 10:07 Caratacus

Update: WeChat stated that the two statements above cannot prevent the vulnerability, and has updated the official SDK yet again, adding the following statements (I don't know what to make of this move by WeChat):

```java
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setExpandEntityReferences(false);
```

Caratacus avatar Jul 06 '18 10:07 Caratacus