问答
问答

xxe漏洞是如何修复的

九三
1009
2021-01-30 18:42:15
栏目: 网络安全

xxe漏洞是如何修复的

使用java对xxe漏洞进行修复的方法

xxe漏洞代码:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
// dbf.setExpandEntityReferences无法防止xxe
dbf.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
Document document = documentBuilder.parse(new File("poc.xml"));

xxe漏洞修复代码:

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);
dbf.setXIncludeAware(false);
// dbf.setExpandEntityReferences无法防止xxe
dbf.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = dbf.newDocumentBuilder();

0
看了该问题的人还看了
产品服务
地区划分
帮助支持
关于我们
行业资讯-文章归档 问答-问答归档
广州亿速云计算有限公司

7*24小时在线电话:400-100-2938

7*24小时在线QQ:800811969

Copyright © Yisu Cloud Ltd. All Rights Reserved. 2018 版权所有
粤ICP备17096448号-1 粤公网安备 44010402001142号