微信支付安全

今早收到产品的微信说收到微信通知如下:
【微信支付】安全提醒:请贵司技术人员排查系统是否存在名为XXE的常见漏洞,其危害较大,点击查看修复指引 http://url.cn/55h4BVd ,谢谢。

根据上面的文档查看相关通知接口，发现我们使用的是 dom4j 的 DocumentHelper.parseText 来解析微信支付推送过来的通知报文。该报文是外部可控的输入，而 DocumentHelper 默认创建的 SAXReader 没有禁用 DOCTYPE 和外部实体，因此存在 XXE 风险。修复方式是改用下面这个显式关闭 DOCTYPE、外部通用实体和外部参数实体的 SAXReader 封装，并且在这些特性无法开启时拒绝解析，而不是退回到不安全的解析器。

package com.tcl.jsapi.util;

import java.io.StringReader;
import java.util.Objects;
import java.util.StringTokenizer;

import org.apache.log4j.Logger;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

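public class SecurityXMPHelper {

    private static final Logger log = Logger.getLogger(SecurityXMPHelper.class);

    /** Reject any DOCTYPE declaration; this alone shuts off DTD-based XXE and entity-expansion payloads. */
    private static final String FEATURE_DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    /** Never resolve external general entities (&amp;xxe; style references). */
    private static final String FEATURE_EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    /** Never resolve external parameter entities (%xxe; style references inside a DTD). */
    private static final String FEATURE_EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    /**
     * Parses an XML string (e.g. a WeChat Pay notification body, which is attacker-controllable
     * input) into a dom4j {@link Document} using a {@link SAXReader} hardened against XXE.
     *
     * <p>Unlike {@code DocumentHelper.parseText}, the reader used here refuses DOCTYPE
     * declarations and external entities. If those protections cannot be enabled on the
     * underlying parser the method fails closed and throws, rather than silently parsing
     * with an unprotected reader.
     *
     * @param text the XML document as a string; must not be {@code null}
     * @return the parsed document; if the parser did not report an encoding, the one declared
     *         in the {@code <?xml ... ?>} prolog (if any) is set on the document
     * @throws DocumentException if the XXE protection features are not supported by the
     *         underlying parser, or if {@code text} is not well-formed XML
     * @throws NullPointerException if {@code text} is {@code null}
     */
    public static Document parseText(String text) throws DocumentException {
        Objects.requireNonNull(text, "text");

        SAXReader reader = newHardenedReader();

        String encoding = getEncoding(text);

        InputSource source = new InputSource(new StringReader(text));
        source.setEncoding(encoding);

        Document result = reader.read(source);

        // Some parsers do not expose the encoding; fall back to what the prolog declared.
        if (result.getXMLEncoding() == null) {
            result.setXMLEncoding(encoding);
        }

        return result;
    }

    /**
     * Creates a {@link SAXReader} with DOCTYPE and external-entity processing disabled.
     *
     * @return a reader that will not resolve DTDs or external entities
     * @throws DocumentException if the underlying parser does not recognise or support one of
     *         the protection features; the caller must not parse untrusted input in that case
     */
    private static SAXReader newHardenedReader() throws DocumentException {
        SAXReader reader = new SAXReader();
        try {
            reader.setFeature(FEATURE_DISALLOW_DOCTYPE, true);
            reader.setFeature(FEATURE_EXTERNAL_GENERAL_ENTITIES, false);
            reader.setFeature(FEATURE_EXTERNAL_PARAMETER_ENTITIES, false);
        } catch (SAXException e) {
            // Fail closed: continuing after a failed setFeature would parse untrusted XML with
            // external entities still enabled, i.e. exactly the XXE exposure this class exists to remove.
            log.error("Unable to enable XXE protection on SAXReader; refusing to parse", e);
            throw new DocumentException("XML parser does not support XXE protection features", e);
        }
        return reader;
    }

    /**
     * Extracts the {@code encoding} pseudo-attribute from the XML prolog, if present.
     *
     * @param text the raw XML text
     * @return the declared encoding, or {@code null} if there is no prolog, the prolog is
     *         unterminated, or it declares no encoding
     */
    private static String getEncoding(String text) {
        String xml = text.trim();

        if (!xml.startsWith("<?xml")) {
            return null;
        }

        int end = xml.indexOf("?>");
        if (end < 0) {
            // Unterminated prolog: leave it to the parser to report the malformed document
            // instead of throwing StringIndexOutOfBoundsException from substring().
            return null;
        }

        String prolog = xml.substring(0, end);
        StringTokenizer tokens = new StringTokenizer(prolog, " =\"\'");

        while (tokens.hasMoreTokens()) {
            if ("encoding".equals(tokens.nextToken())) {
                return tokens.hasMoreTokens() ? tokens.nextToken() : null;
            }
        }

        return null;
    }
}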
