diff --git a/hutool-core/src/main/java/cn/hutool/core/classloader/JarClassLoader.java b/hutool-core/src/main/java/cn/hutool/core/classloader/JarClassLoader.java
index dd284195e..435bbac1d 100644
--- a/hutool-core/src/main/java/cn/hutool/core/classloader/JarClassLoader.java
+++ b/hutool-core/src/main/java/cn/hutool/core/classloader/JarClassLoader.java
@@ -55,7 +55,6 @@ public class JarClassLoader extends URLClassLoader {
 try {
 final Method method = MethodUtil.getMethod(URLClassLoader.class, "addURL", URL.class);
 if (null != method) {
- method.setAccessible(true);
 final List jars = loopJar(jarFile);
 for (final File jar : jars) {
 MethodUtil.invoke(loader, method, jar.toURI().toURL());
diff --git a/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java b/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
index 360b9e3e4..e90a433c2 100755
--- a/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
+++ b/hutool-core/src/main/java/cn/hutool/core/util/XmlUtil.java
@@ -308,6 +308,9 @@ public class XmlUtil {
 // 3.得到解读器
 reader = parse.getXMLReader();
+ // 防止XEE攻击,见:https://www.jianshu.com/p/1a857905b22c
+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities",false);
 reader.setContentHandler(contentHandler);
 reader.parse(source);
 } catch (final ParserConfigurationException | SAXException e) {
@@ -616,6 +619,8 @@ public class XmlUtil {
 public static void transform(final Source source, final Result result, final String charset, final int indent, final boolean omitXmlDeclaration) {
 final TransformerFactory factory = TransformerFactory.newInstance();
 try {
+ // 防止XXE攻击,见:https://www.jianshu.com/p/1a857905b22c
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 final Transformer xformer = factory.newTransformer();
 if (indent > 0) {
 xformer.setOutputProperty(OutputKeys.INDENT, "yes");
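Review bot: The two `external-general-entities`/`external-parameter-entities` features added after `reader = parse.getXMLReader()` do not stop the parser from fetching an external DTD named in a DOCTYPE, nor from expanding nested internal entities, so this SAX path stays weaker than the transform() hardening in the next hunk. Either reject DOCTYPE outright with `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` or at least add `reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` beside the existing two. Those Apache-prefixed names are Xerces features; a parser that does not recognise them throws SAXNotRecognizedException, which is a SAXException and therefore lands in the catch clause visible in this hunk, so a non-Xerces deployment would fail fast rather than silently parse unprotected. The comment's "XEE" is presumably a typo for "XXE", the spelling used in the transform hunk. The enclosing method starts outside the hunk.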
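Review bot: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` in transform() does not by itself guarantee that external DTDs and stylesheet fetches (`xsl:import`, `document()`) are refused; the JDK's built-in factory tightens those defaults when the feature is set, but whichever third-party TransformerFactory `TransformerFactory.newInstance()` discovers on the classpath may not. Pair it with the JAXP 1.5 access properties, `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`, catching IllegalArgumentException for factories that do not support those attributes so configuration stays best-effort rather than breaking transform() on such a factory. `setFeature` throws TransformerConfigurationException; the try's catch clauses lie outside the hunk, so confirm the failure is reported the same way a failing `factory.newTransformer()` already is.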
diff --git a/hutool-swing/src/main/java/cn/hutool/swing/img/gif/LZWEncoder.java b/hutool-swing/src/main/java/cn/hutool/swing/img/gif/LZWEncoder.java
index 0bd9aeba2..0dc2e1ed8 100755
--- a/hutool-swing/src/main/java/cn/hutool/swing/img/gif/LZWEncoder.java
+++ b/hutool-swing/src/main/java/cn/hutool/swing/img/gif/LZWEncoder.java
@@ -213,8 +213,9 @@ class LZWEncoder {
 if (free_ent < maxmaxcode) {
 codetab[i] = free_ent++; // code -> hashtable
 htab[i] = fcode;
- } else
+ } else {
 cl_block(outs);
+ }
 }
 // Put out the final code.
 output(ent, outs);