python wechatpay微信支付回调_【微信支付】JSAPI支付开发者文档

XXE漏洞需要您在回调处理代码里面解析XML之前，加入禁用实体解析的代码，不同语言设置的内容不同，下面提供了几种主流开发语言的设置指引(您可以根据关键字找到xml解析组件采取对应方法升级)：

【PHP】 解析XML代码前加入：

libxml_disable_entity_loader(true);//关键代码

$xml = simplexml_load_string($xmlContent);

......

【JAVA】

import javax.xml.parsers.DocumentBuilderFactory;

import javax.xml.parsers.ParserConfigurationException; // catching unsupported features

DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

String FEATURE = null;

try {

// This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented

// Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl

FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";

dbf.setFeature(FEATURE, true);

// If you can't completely disable DTDs, then at least do the following:

// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities

// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities

// JDK7+ - http://xml.org/sax/features/external-general-entities

FEATURE = "http://xml.org/sax/features/external-general-entities";

dbf.setFeature(FEATURE, false);

// Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities

// Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities

// JDK7+ - http://xml.org/sax/features/external-parameter-entities

FEATURE = "http://xml.org/sax/features/external-parameter-entities";

dbf.setFeature(FEATURE, false);

// Disable external DTDs as well

FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

dbf.setFeature(FEATURE, false);

// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"

dbf.setXIncludeAware(false);

dbf.setExpandEntityReferences(false);

// And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then

// ensure the entity settings are disabled (as shown above) and beware that SSRF attacks

// (http://cwe.mitre.org/data/definitions/918.html) and denial

// of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."

// remaining parser logic

} catch (ParserConfigurationException e) {

// This should catch a failed setFeature feature

logger.info("ParserConfigurationException was thrown. The feature '" +

FEATURE + "' is probably not supported by your XML processor.");

}

catch (SAXException e) {

// On Apache, this should be thrown when disallowing DOCTYPE

logger.warning("A DOCTYPE was passed into the XML document");

}

catch (IOException e) {

// XXE that points to a file that doesn't exist

logger.error("IOException occurred, XXE may still possible: " + e.getMessage());

}

DocumentBuilder safebuilder = dbf.newDocumentBuilder();

【.Net】

XmlDocument doc= new XmlDocument();

doc.XmlResolver = null;//关键代码

......

【ASP】

Set xmldom = Server.CreateObject("MSXML2.DOMDocument")

xmldom.resolveExternals = false '关键代码

......

【Python】

from lxml import etree

xmlData = etree.parse(xmlSource,etree.XMLParser(resolve_entities=False))

......

【c/c++(常用库为libxml2 libxerces-c)】 【libxml2】: 确保关闭配置选项：XML_PARSE_NOENT 和 XML_PARSE_DTDLOAD

2.9版本以上已修复XXE

【Coldfusion/lucee和node.js】

请更新到库的最新版本

【libxerces-c】：

如果用的是XercesDOMParser:

XercesDOMParser *parser = new XercesDOMParser;

parser->setCreateEntityReferenceNodes(false);

如果是用SAXParser:

SAXParser* parser = new SAXParser;

parser->setDisableDefaultEntityResolution(true);

如果是用SAX2XMLReader:

SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();

parser->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);

附录：更多开源库/语言版本的修复建议可参考：

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B