We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XMLParse类在解析XML的时候没有禁用对外部实体的引用 fix:
DocumentBuilderFactory dbf =DocumentBuilderFactory.newInstance(); dbf.setExpandEntityReferences(false);
尊敬的微信支付商户:
您的系统在接受微信支付XML格式的商户回调通知(支付成功通知、退款成功通知、委托代扣签约/解约/扣款通知、车主解约通知)时,如未正确地进行安全设置或编码,将会引入有较大安全隐患的XML外部实体注入漏洞(XML External Entity Injection,简称 XXE)。
请贵司研发人员务必参考微信支付安全实践指引:https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5 ,进行安全隐患确认和排除。
微信支付团队 2018年7月4号
The text was updated successfully, but these errors were encountered:
@amaoamao 周六前会发布一个更新版本
Sorry, something went wrong.
#158 #159 XML 解析 XXE漏洞处理
71c58bf
No branches or pull requests
XMLParse类在解析XML的时候没有禁用对外部实体的引用
fix:
尊敬的微信支付商户:
您的系统在接受微信支付XML格式的商户回调通知(支付成功通知、退款成功通知、委托代扣签约/解约/扣款通知、车主解约通知)时,如未正确地进行安全设置或编码,将会引入有较大安全隐患的XML外部实体注入漏洞(XML External Entity Injection,简称 XXE)。
请贵司研发人员务必参考微信支付安全实践指引:https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5 ,进行安全隐患确认和排除。
微信支付团队
2018年7月4号
The text was updated successfully, but these errors were encountered: