python wechatpay微信支付回调_【微信支付】JSAPI支付开发者文档
XXE漏洞需要您在回調(diào)處理代碼里面解析XML之前,加入禁用實(shí)體解析的代碼,不同語言設(shè)置的內(nèi)容不同,下面提供了幾種主流開發(fā)語言的設(shè)置指引(您可以根據(jù)關(guān)鍵字找到xml解析組件采取對應(yīng)方法升級):
【PHP】 解析XML代碼前加入:
libxml_disable_entity_loader(true);//關(guān)鍵代碼
$xml = simplexml_load_string($xmlContent);
......
【JAVA】
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
String FEATURE = null;
try {
// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
dbf.setFeature(FEATURE, true);
// If you can't completely disable DTDs, then at least do the following:
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
// JDK7+ - http://xml.org/sax/features/external-general-entities
FEATURE = "http://xml.org/sax/features/external-general-entities";
dbf.setFeature(FEATURE, false);
// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
// JDK7+ - http://xml.org/sax/features/external-parameter-entities
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
dbf.setFeature(FEATURE, false);
// Disable external DTDs as well
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
dbf.setFeature(FEATURE, false);
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
dbf.setXIncludeAware(false);
dbf.setExpandEntityReferences(false);
// And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then
// ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
// (http://cwe.mitre.org/data/definitions/918.html) and denial
// of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."
// remaining parser logic
} catch (ParserConfigurationException e) {
// This should catch a failed setFeature feature
logger.info("ParserConfigurationException was thrown. The feature '" +
FEATURE + "' is probably not supported by your XML processor.");
}
catch (SAXException e) {
// On Apache, this should be thrown when disallowing DOCTYPE
logger.warning("A DOCTYPE was passed into the XML document");
}
catch (IOException e) {
// XXE that points to a file that doesn't exist
logger.error("IOException occurred, XXE may still possible: " + e.getMessage());
}
DocumentBuilder safebuilder = dbf.newDocumentBuilder();
【.Net】
XmlDocument doc= new XmlDocument();
doc.XmlResolver = null;//關(guān)鍵代碼
......
【ASP】
Set xmldom = Server.CreateObject("MSXML2.DOMDocument")
xmldom.resolveExternals = false '關(guān)鍵代碼
......
【Python】
from?lxml?import?etree
xmlData?=?etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))
......
【c/c++(常用庫為libxml2?libxerces-c)】 【libxml2】: 確保關(guān)閉配置選項(xiàng):XML_PARSE_NOENT?和?XML_PARSE_DTDLOAD
2.9版本以上已修復(fù)XXE
【Coldfusion/lucee和node.js】
請更新到庫的最新版本
【libxerces-c】:
如果用的是XercesDOMParser:
XercesDOMParser?*parser?=?new?XercesDOMParser;
parser->setCreateEntityReferenceNodes(false);
如果是用SAXParser:
SAXParser*?parser?=?new?SAXParser;
parser->setDisableDefaultEntityResolution(true);
如果是用SAX2XMLReader:
SAX2XMLReader*?reader?=?XMLReaderFactory::createXMLReader();
parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution,?true);
附錄:更多開源庫/語言版本的修復(fù)建議可參考:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
總結(jié)
以上是生活随笔為你收集整理的python wechatpay微信支付回调_【微信支付】JSAPI支付开发者文档的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 登陆注册
- 下一篇: js调用python接口_JavaScr