From aa4ac5f081150a80cc2f88b3bee50c68d57b29f7 Mon Sep 17 00:00:00 2001
From: Alberto Fernandez
Date: Tue, 14 Nov 2017 19:13:58 +0100
Subject: [PATCH] Fix for CVE-2017-9096 iText XML External Entity Vulnerability
---
 .../java/com/lowagie/text/pdf/XfaForm.java | 18 +++++++++++++++---
 .../com/lowagie/text/xml/xmp/XmpReader.java | 9 +++++++++
 .../java/com/lowagie/tools/BuildTutorial.java | 3 ++-
 3 files changed, 26 insertions(+), 4 deletions(-)
diff --git a/openpdf/src/main/java/com/lowagie/text/pdf/XfaForm.java b/openpdf/src/main/java/com/lowagie/text/pdf/XfaForm.java
index 006b52d52..5cbd2af1a 100644
--- a/openpdf/src/main/java/com/lowagie/text/pdf/XfaForm.java
+++ b/openpdf/src/main/java/com/lowagie/text/pdf/XfaForm.java
@@ -53,9 +53,9 @@
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.StringReader;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.EmptyStackException;
@@ -67,9 +67,9 @@
 import javax.xml.parsers.ParserConfigurationException;
 import org.w3c.dom.Document;
-import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
@@ -148,6 +148,12 @@ else if (xfa instanceof PRStream) {
 DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
 fact.setNamespaceAware(true);
 DocumentBuilder db = fact.newDocumentBuilder();
+db.setEntityResolver(new EntityResolver() {
+@Override
+public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+return new InputSource(new StringReader(""));
+}
+});
 domDocument = db.parse(new ByteArrayInputStream(bout.toByteArray()));
 extractNodes();
 }
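Review bot: The resolver installed after `DocumentBuilder db = fact.newDocumentBuilder();` stops the parser from fetching external entities and external DTD subsets, but DOCTYPE processing and entity expansion stay enabled, so an XFA stream can still make the parser expand internal entity definitions, and the protection relies on every JAXP implementation picked up by `DocumentBuilderFactory.newInstance()` consulting the resolver for parameter entities as well. Since the factory is built on the line above, harden it too: `fact.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `fact.setExpandEntityReferences(false);` (with `import javax.xml.XMLConstants;`, which this file does not yet import), and where the JDK's built-in parser is known to be in use `fact.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` rejects DOCTYPE outright — that feature is implementation-specific and surfaces as `ParserConfigurationException`, which the surrounding code appears to handle already but I cannot confirm from the hunk. The same gap exists in the `fillXfaForm(InputSource)` hunk and in the `XmpReader(byte[])` constructor. The enclosing method of this hunk starts and ends outside it.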
@@ -1119,7 +1125,13 @@ public void fillXfaForm(InputStream is) throws ParserConfigurationException, SAX
 public void fillXfaForm(InputSource is) throws ParserConfigurationException, SAXException, IOException {
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-DocumentBuilder db = dbf.newDocumentBuilder();
+DocumentBuilder db = dbf.newDocumentBuilder();
+db.setEntityResolver(new EntityResolver() {
+@Override
+public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+return new InputSource(new StringReader(""));
+}
+});
 Document newdoc = db.parse(is);
 fillXfaForm(newdoc.getDocumentElement());
 }
diff --git a/openpdf/src/main/java/com/lowagie/text/xml/xmp/XmpReader.java b/openpdf/src/main/java/com/lowagie/text/xml/xmp/XmpReader.java
index fe812be29..7d1dccba4 100644
--- a/openpdf/src/main/java/com/lowagie/text/xml/xmp/XmpReader.java
+++ b/openpdf/src/main/java/com/lowagie/text/xml/xmp/XmpReader.java
@@ -49,6 +49,7 @@
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.io.StringReader;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -58,6 +59,8 @@
 import org.w3c.dom.NamedNodeMap;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import com.lowagie.text.ExceptionConverter;
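Review bot: The anonymous `EntityResolver` added after `DocumentBuilder db = dbf.newDocumentBuilder();` is the third verbatim copy of the same class in this patch (the `PRStream` branch of `XfaForm` and the `XmpReader(byte[])` constructor carry the other two), so the next parse site added to the library can silently miss it; define it once as a shared, documented resolver (for example a `static final EntityResolver` held by `XfaForm` or a small XML utility class) and install that instance at each site. Whichever form is kept, the intent should be written down where the empty source is returned, e.g. `// CVE-2017-9096: never resolve external entities; an empty source makes every external reference expand to nothing` — nothing in the hunk says why an empty `StringReader` is the right answer. The removed and re-added `DocumentBuilder db = dbf.newDocumentBuilder();` pair differs only in whitespace and inflates a security fix; leaving that line untouched keeps the patch down to the functional change. The `fillXfaForm(InputStream)` overload named in the hunk header is outside the hunk; if it wraps the stream in an `InputSource` and delegates here it is covered, otherwise it needs the same resolver — worth confirming.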
@@ -85,6 +88,12 @@ public XmpReader(byte[] bytes) throws SAXException, IOException {
 DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
 fact.setNamespaceAware(true);
 DocumentBuilder db = fact.newDocumentBuilder();
+db.setEntityResolver(new EntityResolver() {
+@Override
+public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+return new InputSource(new StringReader(""));
+}
+});
 ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
 domDocument = db.parse(bais);
 } catch (ParserConfigurationException e) {
diff --git a/pdf-toolbox/src/main/java/com/lowagie/tools/BuildTutorial.java b/pdf-toolbox/src/main/java/com/lowagie/tools/BuildTutorial.java
index a4ccb7e56..fc523ba56 100644
--- a/pdf-toolbox/src/main/java/com/lowagie/tools/BuildTutorial.java
+++ b/pdf-toolbox/src/main/java/com/lowagie/tools/BuildTutorial.java
@@ -54,6 +54,7 @@
 import java.io.FileWriter;
 import java.io.IOException;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
 import javax.xml.transform.Templates;
@@ -171,7 +172,7 @@ public static void convert(File infile, File xslfile, File outfile) {
 try {
 // Create transformer factory
 TransformerFactory factory = TransformerFactory.newInstance();
-
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 // Use the factory to create a template containing the xsl file
 Templates template = factory.newTemplates(new StreamSource(
 new FileInputStream(xslfile)));
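Review bot: Returning `new InputSource(new StringReader(""))` from `resolveEntity` makes a metadata packet that references an external entity parse successfully with the reference expanded to nothing, so hostile input is accepted as valid XMP and nothing records that an external reference was attempted. Throwing instead — `throw new SAXException("external entity references are not allowed: " + systemId);` — turns such a packet into a parse failure that the constructor's declared `SAXException` already carries to the caller, which is both safer and a usable detection signal. The cost is that XMP with a DOCTYPE pointing at an external DTD would be rejected; such packets should be rare in practice, but that is an assumption to check against the library's test documents before choosing reject over neutralise. The constructor's `try` opens before this hunk and its `catch` chain continues past it.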
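Review bot: `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` mainly disables extension functions and applies resource limits; whether it also stops the stylesheet from pulling in external DTDs, `document()` sources or imported stylesheets is implementation behaviour (the JDK's bundled transformer restricts external access under this flag, a different provider returned by `TransformerFactory.newInstance()` may not). State the policy explicitly next to it: `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");`, and leave a comment saying the stylesheet and input file are caller-supplied, which is why the transformer must not reach the filesystem or network on its own. `setFeature` throws the checked `TransformerConfigurationException`; the `try` that encloses it begins in the hunk but its `catch` is outside, so I cannot see whether that type is handled or the method signature was widened. Unrelated to this change but in the same lines, the `FileInputStream` handed to `StreamSource` is never closed; a try-with-resources around the transform would fix that while the method is being touched. `convert`'s body continues outside the hunk.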