安全修复：防范XML外部实体注入漏洞（XXE）

参考：https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=23_5
zwczou · Jul 4, 2018 · e54abad · e54abad
1 parent 2539f1a
commit e54abad
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/weixin/msg.py b/weixin/msg.py
@@ -64,7 +64,8 @@ def validate(self, signature, timestamp, nonce):
 
     def parse(self, content):
         raw = {}
-        root = etree.fromstring(content)
+        root = etree.fromstring(content,
+                                parser=etree.XMLParser(resolve_entities=False))
         for child in root:
             raw[child.tag] = child.text
 

diff --git a/weixin/pay.py b/weixin/pay.py
@@ -79,7 +79,8 @@ def to_xml(self, raw):
 
     def to_dict(self, content):
         raw = {}
-        root = etree.fromstring(content.encode("utf-8"))
+        root = etree.fromstring(content.encode("utf-8"),
+                                parser=etree.XMLParser(resolve_entities=False))
         for child in root:
             raw[child.tag] = child.text
         return raw