CVE-2018-20222 Prevent xxe during parse

Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
6 years ago · 1a88f46c18
parent faedfd8a62
commit 1a88f46c18
4 changed files with 22 additions and 5 deletions
--- a/airsonic-main/src/main/java/org/airsonic/player/ajax/LyricsService.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/ajax/LyricsService.java
@ -39,6 +39,8 @@ import java.io.IOException;
 import java.io.StringReader;
 import java.net.SocketException;
 import static org.airsonic.player.util.XMLUtil.createSAXBuilder;
 /**
 * Provides AJAX-enabled services for retrieving song lyrics from chartlyrics.com.
 * <p/>
@ -80,7 +82,7 @@ public class LyricsService {
    }
    private LyricsInfo parseSearchResult(String xml) throws Exception {
-        SAXBuilder builder = new SAXBuilder();
+        SAXBuilder builder = createSAXBuilder();
        Document document = builder.build(new StringReader(xml));
        Element root = document.getRootElement();
--- a/airsonic-main/src/main/java/org/airsonic/player/controller/JAXBWriter.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/controller/JAXBWriter.java
@ -25,7 +25,6 @@ import org.eclipse.persistence.jaxb.JAXBContext;
 import org.eclipse.persistence.jaxb.MarshallerProperties;
 import org.jdom.Attribute;
 import org.jdom.Document;
 import org.jdom.input.SAXBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.subsonic.restapi.Error;
@ -46,6 +45,7 @@ import java.io.StringWriter;
 import java.util.Date;
 import java.util.GregorianCalendar;
 import static org.airsonic.player.util.XMLUtil.createSAXBuilder;
 import static org.springframework.web.bind.ServletRequestUtils.getStringParameter;
 /**
@ -100,7 +100,7 @@ public class JAXBWriter {
        InputStream in = null;
        try {
            in = StringUtil.class.getResourceAsStream("/subsonic-rest-api.xsd");
-            Document document = new SAXBuilder().build(in);
+            Document document = createSAXBuilder().build(in);
            Attribute version = document.getRootElement().getAttribute("version");
            return version.getValue();
        } finally {
--- a/airsonic-main/src/main/java/org/airsonic/player/service/PodcastService.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/service/PodcastService.java
@ -45,7 +45,6 @@ import org.apache.http.impl.client.HttpClients;
 import org.jdom.Document;
 import org.jdom.Element;
 import org.jdom.Namespace;
 import org.jdom.input.SAXBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@ -62,6 +61,8 @@ import java.text.SimpleDateFormat;
 import java.util.*;
 import java.util.concurrent.*;
 import static org.airsonic.player.util.XMLUtil.createSAXBuilder;
 /**
 * Provides services for Podcast reception.
 *
@ -317,7 +318,7 @@ public class PodcastService {
            try (CloseableHttpResponse response = client.execute(method)) {
                in = response.getEntity().getContent();
-                Document document = new SAXBuilder().build(in);
+                Document document = createSAXBuilder().build(in);
                Element channelElement = document.getRootElement().getChild("channel");
                channel.setTitle(StringUtil.removeMarkup(channelElement.getChildTextTrim("title")));
--- a/airsonic-main/src/main/java/org/airsonic/player/util/XMLUtil.java
+++ b/airsonic-main/src/main/java/org/airsonic/player/util/XMLUtil.java
@ -0,0 +1,14 @@
 package org.airsonic.player.util;
 import org.jdom.input.SAXBuilder;
 public class XMLUtil {
    public static SAXBuilder createSAXBuilder() {
        SAXBuilder builder = new SAXBuilder();
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl",true);
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return builder;
    }
 }