To WeChat Pay merchants: regarding the recently exposed XML External Entity Injection (XXE) vulnerability. This security issue is caused by XML components that do not disable external entity references by default; it is not a vulnerability in the WeChat Pay system itself.
If your handling of payment-business callback notifications parses XML in any of the following scenarios, please make sure to check whether it has been protected against.
Scenario 1: payment success notification;
Scenario 2: refund success notification;
Scenario 3: entrusted-withholding sign-up, cancellation and deduction notifications;
Scenario 4: vehicle-owner service cancellation notification;
Scenario 5: Native (QR code) payment mode 1 callback;
Note: the client-side SDK for APP payment is not affected, but the APP payment success callback notification must still be checked.
WeChat Pay will call merchants from the following system numbers to give security notice and to ask whether they authorize the platform to perform a security scan.
(0755)36560292
(0755)61954612
(0755)61954613
(0755)61954614
(0755)61954615
(0755)61954616
Authorized testing of the payment system will not affect the security of the merchant's system.
Note: merchants who want to test themselves for the XXE vulnerability can go to the Merchant Platform (pay.weixin.qq.com) --> Product Center --> Security Doctor to run a test.
1. If your backend system uses the official SDK, please update the SDK to the latest version. SDK link: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=11_1
2. If your system comes from a system provider, please contact the provider to review, upgrade and fix it;
3. If your system is self-developed, please have your technical department review and fix it following the guidance below:
If you have any questions, contact us at WePayTS@tencent.com. Thank you for your support of WeChat Pay.
Fixing the XXE vulnerability requires the corresponding settings in your code, and the settings differ from language to language. Below is configuration guidance for several mainstream development languages:
【PHP】
libxml_disable_entity_loader(true);
【JAVA】
import java.io.IOException;
import java.io.InputStream;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException; // catching unsupported features
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

private static final Logger logger = Logger.getLogger("WxPayNotify");

// Parses a callback body with a DocumentBuilderFactory hardened against XXE.
// Returns null if the parser could not be configured safely or the document was rejected.
public static Document parseSafely(InputStream xmlInput) {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    String FEATURE = null;
    try {
        // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
        // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
        FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
        dbf.setFeature(FEATURE, true);
        // If you can't completely disable DTDs, then at least do the following:
        // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
        // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
        // JDK7+ - http://xml.org/sax/features/external-general-entities
        FEATURE = "http://xml.org/sax/features/external-general-entities";
        dbf.setFeature(FEATURE, false);
        // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
        // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
        // JDK7+ - http://xml.org/sax/features/external-parameter-entities
        FEATURE = "http://xml.org/sax/features/external-parameter-entities";
        dbf.setFeature(FEATURE, false);
        // Disable external DTDs as well
        FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
        dbf.setFeature(FEATURE, false);
        // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // And, per Timothy Morgan: "If for some reason support for inline DOCTYPEs are a requirement, then
        // ensure the entity settings are disabled (as shown above) and beware that SSRF attacks
        // (http://cwe.mitre.org/data/definitions/918.html) and denial
        // of service attacks (such as billion laughs or decompression bombs via "jar:") are a risk."
        // remaining parser logic: build the hardened parser and parse the callback body with it
        DocumentBuilder safebuilder = dbf.newDocumentBuilder();
        return safebuilder.parse(xmlInput);
    } catch (ParserConfigurationException e) { // This should catch a failed setFeature feature
        logger.info("ParserConfigurationException was thrown. The feature '" +
            FEATURE + "' is probably not supported by your XML processor.");
    } catch (SAXException e) { // On Apache, this should be thrown when disallowing DOCTYPE
        logger.warning("A DOCTYPE was passed into the XML document");
    } catch (IOException e) { // XXE that points to a file that doesn't exist
        logger.severe("IOException occurred, XXE may still be possible: " + e.getMessage());
    }
    return null;
}
【.Net】
XmlDocument doc = new XmlDocument();
doc.XmlResolver = null;
【ASP】
Set xmldom = Server.CreateObject("MSXML2.DOMDocument")
xmldom.resolveExternals = false
【Python】
from lxml import etree
xmlData = etree.parse(xmlSource, etree.XMLParser(resolve_entities=False))
【C/C++ (commonly used libraries: libxml2, libxerces-c)】
【libxml2】: make sure the parser options XML_PARSE_NOENT and XML_PARSE_DTDLOAD are not enabled.
XXE has been fixed in version 2.9 and above.
【libxerces-c】:
If you use XercesDOMParser:
XercesDOMParser *parser = new XercesDOMParser;
parser->setCreateEntityReferenceNodes(false);
If you use SAXParser:
SAXParser* parser = new SAXParser;
parser->setDisableDefaultEntityResolution(true);
If you use SAX2XMLReader:
SAX2XMLReader* reader = XMLReaderFactory::createXMLReader();
reader->setFeature(XMLUni::fgXercesDisableDefaultEntityResolution, true);
Appendix: fix recommendations for more open-source libraries and language versions can be found at:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#C.2FC.2B.2B
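As an added example (not part of the WeChat Pay guide above and not the official SDK), the two layers of defense the Java guidance describes, applied with Python's standard-library SAX parser to a constructed callback body: a lexical handler rejects any DOCTYPE outright (the primary defense), and the SAX external-entity features are switched off as the fallback. The callback field values and the file path in the malicious sample are constructed for illustration.

```python
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)

# Constructed sample of a WeChat Pay style payment-success callback body (hypothetical values).
SAFE_NOTIFY = (b"<xml><return_code><![CDATA[SUCCESS]]></return_code>"
               b"<out_trade_no><![CDATA[ORDER1001]]></out_trade_no><total_fee>100</total_fee></xml>")
# Constructed XXE variant: a DOCTYPE declares an external entity that the body then references.
XXE_NOTIFY = (b'<?xml version="1.0"?><!DOCTYPE xml [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
              b"<xml><return_code>SUCCESS</return_code><out_trade_no>&ext;</out_trade_no></xml>")

class DoctypeRejected(ValueError):
    """Raised when a notification carries a DTD, which a legitimate callback never needs."""

class _NotifyHandler(ContentHandler):
    """Flattens <xml><child>text</child>...</xml> into a dict; also acts as the lexical handler."""
    def __init__(self, allow_doctype):
        super().__init__()
        self.fields, self._key, self._buf, self._allow = {}, None, [], allow_doctype
    def startElement(self, name, attrs):
        self._key, self._buf = (None if name == "xml" else name), []
    def characters(self, content):
        self._buf.append(content)
    def endElement(self, name):
        if self._key == name:
            self.fields[name] = "".join(self._buf).strip()
    # Lexical-handler callbacks (expat needs all five); only startDTD does real work.
    def startDTD(self, name, public_id, system_id):
        if not self._allow:
            raise DoctypeRejected("DOCTYPE is not allowed in a payment notification")
    def endDTD(self): pass
    def startCDATA(self): pass
    def endCDATA(self): pass
    def comment(self, content): pass

def parse_notify(raw: bytes, allow_doctype: bool = False) -> dict:
    """Parse a callback body with both layers of XXE defense from the guide applied."""
    parser = xml.sax.make_parser()
    # Secondary defense: the same SAX feature URIs the Java guide sets; external entities are never
    # loaded, so even with allow_doctype=True a referenced external entity expands to nothing.
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _NotifyHandler(allow_doctype)
    parser.setContentHandler(handler)
    # Primary defense: the lexical handler aborts on any DOCTYPE before an entity can be declared.
    parser.setProperty(property_lexical_handler, handler)
    parser.feed(raw)
    parser.close()
    return handler.fields
```

With the default allow_doctype=False the malicious sample is rejected before any entity is declared; allow_doctype=True shows the fallback alone, where the external entity reference yields an empty out_trade_no instead of file contents.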
I don't understand it.
Have you fixed yours?
Not yet. It needs a PHP change, but I don't know where in poscms to change it.
With the help of the WeChat Pay XXE fix team it is finally fixed. Please release an official fix too, so that nobody is left without a clue. In \api\pay\weixin\WxPayPubHelper\WxPayPubHelper.php, change:
....
//convert xml to array
libxml_disable_entity_loader(true); //key line, fixes XXE
Add the code above before $array_data = ....
The WeChat security team's check passed and the frozen account has been restored.