--- src/ooxml/java/org/apache/poi/openxml4j/opc/internal/unmarshallers/PackagePropertiesUnmarshaller.java (revision 82213)
+++ src/ooxml/java/org/apache/poi/openxml4j/opc/internal/unmarshallers/PackagePropertiesUnmarshaller.java (working copy)
@@ -23,6 +23,12 @@
 import java.util.List;
 import java.util.zip.ZipEntry;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import org.apache.poi.POIXMLException;
 import org.apache.poi.openxml4j.exceptions.InvalidFormatException;
 import org.apache.poi.openxml4j.opc.PackageNamespaces;
 import org.apache.poi.openxml4j.opc.PackagePart;
@@ -39,9 +45,8 @@
 import org.dom4j.QName;
 import org.dom4j.io.SAXReader;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
 /**
  * Package properties unmarshaller.
  *
@@ -128,13 +127,13 @@
 }
 SAXReader xmlReader = new SAXReader();
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ SAXParser sp;
 Document xmlDoc;
 try {
+ spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ sp = spf.newSAXParser();
+ xmlReader.setXMLReader(sp.getXMLReader());
 xmlDoc = xmlReader.read(in);
 /* Check OPC compliance */
@@ -145,10 +144,19 @@
 /* End OPC compliance */
 } catch (DocumentException e) {
+ Throwable nestedException = e.getNestedException();
+ if (null != nestedException &&
+ nestedException instanceof SAXParseException &&
+ null != nestedException.getMessage() &&
+ nestedException.getMessage().contains("entity expansions in this document; this is the limit")) {
+ throw new POIXMLException(e);
+ }
 throw new IOException(e.getMessage());
 } catch (SAXException e) {
 throw new IOException(e.getMessage());
- }
+ } catch (ParserConfigurationException e) {
+ throw new IOException(e.getMessage());
+ }
 coreProps.setCategoryProperty(loadCategory(xmlDoc));
 coreProps.setContentStatusProperty(loadContentStatus(xmlDoc));
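Review bot: `spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` caps entity expansion but does not stop the parser from resolving external general/parameter entities and external DTDs referenced by the document, so the core-properties part (which `in` presumably carries from the package being opened) can still direct the parser at external resources. Before `spf.newSAXParser()` also set `spf.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`, or `spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` if a core-properties part is never expected to carry a DOCTYPE. The factory is rebuilt and reconfigured on every call; hoisting the configured `SAXParserFactory` to a `static final` would avoid repeating the feature setup, though its thread-safety would need confirming first. The enclosing method starts before this hunk and ends after the next one.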
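Review bot: The entity-expansion detection keys on the parser's message text, `contains("entity expansions in this document; this is the limit")`, which is the wording of the JDK's bundled Xerces; under another SAX implementation or a changed message the limit violation falls through to the generic `IOException` below, so the branch should say so, e.g. `// JAXP signals the secure-processing entity-expansion limit only through the SAXParseException message; wording is implementation-specific`. The `null != nestedException &&` test is redundant because `instanceof` is already false for null, so the condition can begin at `nestedException instanceof SAXParseException &&`. The new `catch (ParserConfigurationException e)` rethrows `new IOException(e.getMessage())` and drops the cause; `throw new IOException(e);` keeps the original stack, although it would then differ from the two pre-existing catches above it. The enclosing method starts before the previous hunk.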