!3 Fix CVE-2019-12415

From: @hht8
Reviewed-by: @lei_ju,@licihua
Signed-off-by: @licihua
This commit is contained in:
openeuler-ci-bot 2020-12-03 09:25:22 +08:00 committed by Gitee
commit 9f3f02a136
2 changed files with 68 additions and 2 deletions


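--- /dev/null
+++ b/Adjust-handling-of-SchemaFactory.patch
@@ -0,0 +1,61 @@
+From 06f28db213744590c98feed69bda7d5f5c011b38 Mon Sep 17 00:00:00 2001
+From: PJ Fanning <fanningpj@apache.org>
+Date: Tue, 24 Sep 2019 18:33:37 +0000
+Subject: [PATCH] Bug 63768: Adjust handling of SchemaFactory
+git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1867484 13f79535-47bb-0310-9956-ffa450edef68
+---
+.../poi/xssf/extractor/XSSFExportToXml.java | 16 +-
+.../xssf/extractor/TestXSSFExportToXML.java | 532 +++++++++---------
+test-data/spreadsheet/xxe_in_schema.xlsx | Bin 0 -> 9801 bytes
+3 files changed, 286 insertions(+), 262 deletions(-)
+create mode 100644 test-data/spreadsheet/xxe_in_schema.xlsx
+diff --git a/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java b/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
+index 9320a226db..53984fec28 100644
+--- a/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
++++ b/src/ooxml/java/org/apache/poi/xssf/extractor/XSSFExportToXml.java
+@@ -28,6 +28,7 @@ Licensed to the Apache Software Foundation (ASF) under one or more
+import java.util.Map;
+import java.util.Vector;
++import javax.xml.XMLConstants;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+@@ -241,9 +242,10 @@ public void exportToXML(OutputStream os, String encoding, boolean validate) thro
+* @throws SAXException If validating the document fails
+*/
+private boolean isValid(Document xml) throws SAXException{
+- try{
++ try {
+String language = "http://www.w3.org/2001/XMLSchema";
+SchemaFactory factory = SchemaFactory.newInstance(language);
++ trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+Source source = new DOMSource(map.getSchema());
+Schema schema = factory.newSchema(source);
+@@ -313,7 +315,7 @@ private Node getNodeByXPath(String xpath,Node rootNode,Document doc,boolean crea
+String[] xpathTokens = xpath.split("/");
+- Node currentNode =rootNode;
++ Node currentNode = rootNode;
+// The first token is empty, the second is the root node
+for(int i =2; i<xpathTokens.length;i++) {
+@@ -535,4 +537,14 @@ private Node getComplexTypeNodeFromSchemaChildren(Node xmlSchema, Node complexTy
+}
+return complexTypeNode;
+}
++
++ private static void trySetFeature(SchemaFactory sf, String feature, boolean enabled) {
++ try {
++ sf.setFeature(feature, enabled);
++ } catch (Exception e) {
++ LOG.log(POILogger.WARN, "SchemaFactory Feature unsupported", feature, e);
++ } catch (AbstractMethodError ame) {
++ LOG.log(POILogger.WARN, "Cannot set SchemaFactory feature because outdated XML parser in classpath", feature, ame);
++ }
++ }
+}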
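Review bot: Enabling only FEATURE_SECURE_PROCESSING in isValid (the trySetFeature call right after SchemaFactory.newInstance in the @@ -241 hunk) is not by itself a guarantee that newSchema will refuse to fetch external DTDs or xs:import/xs:include targets from the workbook-supplied schema, which is the XXE path this backport targets: the JDK's bundled parser does restrict external access when secure processing is set explicitly, but a standalone Xerces on the classpath — the very situation the AbstractMethodError catch anticipates — is not guaranteed to do so. A belt-and-braces approach is to also set XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to "" through a trySetProperty helper mirroring trySetFeature, so the restriction is explicit whichever parser is resolved; the fence below shows that addition. Both helpers only log at WARN when the parser rejects the setting, so validation then proceeds unhardened; that should at least be stated on isValid, e.g. `@implNote hardening is best-effort: an unsupported feature/property is logged and validation still runs`. Note also that the patch header lists TestXSSFExportToXML.java and test-data/spreadsheet/xxe_in_schema.xlsx, but the patch body carries only the XSSFExportToXml.java diff, so the upstream XXE regression test is not backported. The isValid body continues past the hunk.
```java
            SchemaFactory factory = SchemaFactory.newInstance(language);
            trySetFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
            // Explicitly forbid external DTD/schema fetches as well: on parsers
            // other than the JDK's, the secure-processing feature alone may not.
            trySetProperty(factory, XMLConstants.ACCESS_EXTERNAL_DTD, "");
            trySetProperty(factory, XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            // … unchanged: DOMSource / newSchema / validation …

    // Best-effort property setter, same failure handling as trySetFeature.
    private static void trySetProperty(SchemaFactory sf, String property, Object value) {
        try {
            sf.setProperty(property, value);
        } catch (Exception e) {
            LOG.log(POILogger.WARN, "SchemaFactory Property unsupported", property, e);
        } catch (AbstractMethodError ame) {
            LOG.log(POILogger.WARN, "Cannot set SchemaFactory property because outdated XML parser in classpath", property, ame);
        }
    }
```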


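--- a/apache-poi.spec
+++ b/apache-poi.spec
@@ -1,11 +1,11 @@
 %global reldate 20170915
 Name: apache-poi
 Version: 3.17
-Release: 1
+Release: 2
 Summary: The Java API for Microsoft Documents
 License: ASL 2.0 and (CC-BY and CC-BY-SA and W3C) and GPLv3
 URL: http://poi.apache.org/
-Source0: http://archive.apache.org/dist/poi/release/src/poi-src-3.17-20170915.tar.gz
+Source0: http://archive.apache.org/dist/poi/release/src/poi-src-%{version}-%{reldate}.tar.gz
 # These two zip files renamed after download
 #Source1: http://www.ecma-international.org/publications/files/ECMA-ST/Office%20Open%20XML%201st%20edition%20Part%204%20%28PDF%29.zip
 #Source2: http://www.ecma-international.org/publications/files/ECMA-ST/Office%20Open%20XML%201st%20edition%20Part%202%20%28PDF%29.zip
@@ -19,6 +19,7 @@ Source7: http://uri.etsi.org/01903/v1.3.2/XAdES.xsd
 Source8: http://uri.etsi.org/01903/v1.4.1/XAdESv141.xsd
 Patch1: apache-poi-3.14-compile-xsds.patch
 Patch2: apache-poi-3.14-build.patch
+Patch3: Adjust-handling-of-SchemaFactory.patch
 BuildArch: noarch
 BuildRequires: jacoco javapackages-local jmh jmh-generator-annprocess
 BuildRequires: apache-commons-collections4 >= 4.1 apache-commons-codec apache-commons-logging
@@ -63,6 +64,7 @@ This package contains the API documentation for %{name}.
 %setup -q -n poi-%{version}
 %patch1
 %patch2
+%patch3 -p1
 find -name '*.class' -delete
 find -name '*.jar' -delete
 mkdir lib ooxml-lib
@@ -132,5 +134,8 @@ done
 %license LICENSE NOTICE
 %changelog
+* Tue Dec 1 2020 huanghaitao <huanghaitao8@huawei.com> - 3.17-2
+- Fix CVE-2019-12415
 * Thu Aug 13 2020 chengzihan <chengzihan2@huawei.com> - 3.17-1
 - Package init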
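Review bot: The new Patch3 line (applied by `%patch3 -p1` in the %prep hunk) brings in only the XSSFExportToXml.java change, while the upstream header embedded in that patch lists TestXSSFExportToXML.java and test-data/spreadsheet/xxe_in_schema.xlsx as part of the same commit, so this build never runs the XXE regression test that demonstrates the fix. A comment above the Patch3 line would make that trade-off visible to the next maintainer, e.g. `# CVE-2019-12415: backport of upstream r1867484 (bug 63768); Java change only, upstream test and test-data not carried`. The new changelog entry could likewise cite the upstream bug number so the fix is traceable without opening the patch file.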