fix CVE-2019-17566
This commit is contained in:
zhanghua1831
parent
ef1f52fc55
commit
56fc68f50e
116
CVE-2019-17566.patch
Normal file
116
CVE-2019-17566.patch
Normal file
@ -0,0 +1,116 @@
|
||||
From bc6078ca949039e2076cd08b4cb169c84c1179b1 Mon Sep 17 00:00:00 2001
|
||||
From: Simon Steiner <ssteiner@apache.org>
|
||||
Date: Mon, 9 Dec 2019 12:24:18 +0000
|
||||
Subject: [PATCH] BATIK-1276: Allow blocking of external resources
|
||||
|
||||
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1871084 13f79535-47bb-0310-9956-ffa450edef68
|
||||
---
|
||||
.../apache/batik/apps/rasterizer/Main.java | 17 +++++++++++++++++
|
||||
.../batik/apps/rasterizer/SVGConverter.java | 6 ++++++
|
||||
.../transcoder/SVGAbstractTranscoder.java | 19 +++++++++++++++++++
|
||||
3 files changed, 42 insertions(+)
|
||||
|
||||
diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
|
||||
index c70b4dd691..a4248b527d 100644
|
||||
--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
|
||||
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
|
||||
@@ -501,6 +501,12 @@ public Color parseARGB(String argbVal){
|
||||
public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
|
||||
= Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
|
||||
|
||||
+ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
|
||||
+ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
|
||||
+
|
||||
+ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
|
||||
+ = Messages.get("Main.cl.option.block.external.resources.description", "No description");
|
||||
+
|
||||
/**
|
||||
* Option to turn off secure execution of scripts
|
||||
*/
|
||||
@@ -829,6 +835,17 @@ public String getOptionDescription(){
|
||||
return CL_OPTION_SECURITY_OFF_DESCRIPTION;
|
||||
}
|
||||
});
|
||||
+
|
||||
+ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
|
||||
+ new NoValueOptionHandler(){
|
||||
+ public void handleOption(SVGConverter c){
|
||||
+ c.allowExternalResources = false;
|
||||
+ }
|
||||
+
|
||||
+ public String getOptionDescription(){
|
||||
+ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
|
||||
+ }
|
||||
+ });
|
||||
}
|
||||
|
||||
/**
|
||||
diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
|
||||
index 324c3abcfe..9ec2135458 100644
|
||||
--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
|
||||
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
|
||||
@@ -253,6 +253,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
the document which references them. */
|
||||
protected boolean constrainScriptOrigin = true;
|
||||
|
||||
+ protected boolean allowExternalResources = true;
|
||||
+
|
||||
/** Controls whether scripts should be run securely or not */
|
||||
protected boolean securityOff = false;
|
||||
|
||||
@@ -925,6 +927,10 @@ protected Map computeTranscodingHints(){
|
||||
map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
|
||||
}
|
||||
|
||||
+ if (!allowExternalResources) {
|
||||
+ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
|
||||
+ }
|
||||
+
|
||||
return map;
|
||||
}
|
||||
|
||||
diff --git a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
|
||||
index 65d983bfae..8d6ffe3b1f 100644
|
||||
--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
|
||||
+++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
|
||||
@@ -33,8 +33,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
import org.apache.batik.bridge.BridgeContext;
|
||||
import org.apache.batik.bridge.BridgeException;
|
||||
import org.apache.batik.bridge.DefaultScriptSecurity;
|
||||
+import org.apache.batik.bridge.ExternalResourceSecurity;
|
||||
import org.apache.batik.bridge.GVTBuilder;
|
||||
import org.apache.batik.bridge.NoLoadScriptSecurity;
|
||||
+import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
|
||||
import org.apache.batik.bridge.RelaxedScriptSecurity;
|
||||
import org.apache.batik.bridge.SVGUtilities;
|
||||
import org.apache.batik.bridge.ScriptSecurity;
|
||||
@@ -877,6 +879,9 @@ protected void setImageSize(float docWidth, float docHeight) {
|
||||
= new BooleanKey();
|
||||
|
||||
|
||||
+ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
|
||||
+ = new BooleanKey();
|
||||
+
|
||||
/**
|
||||
* A user agent implementation for <code>PrintTranscoder</code>.
|
||||
*/
|
||||
@@ -1109,5 +1114,19 @@ protected void computeAllowedScripts(){
|
||||
}
|
||||
}
|
||||
|
||||
+ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
|
||||
+ if (isAllowExternalResources()) {
|
||||
+ return super.getExternalResourceSecurity(resourceURL, docURL);
|
||||
+ }
|
||||
+ return new NoLoadExternalResourceSecurity();
|
||||
+ }
|
||||
+
|
||||
+ public boolean isAllowExternalResources() {
|
||||
+ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
|
||||
+ if (b != null) {
|
||||
+ return b;
|
||||
+ }
|
||||
+ return true;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
18
batik.spec
18
batik.spec
@ -1,14 +1,15 @@
|
||||
%global classpath batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons:jai_imageio
|
||||
Name: batik
|
||||
Version: 1.10
|
||||
Release: 3
|
||||
Summary: Batik is an inline templating engine for CoffeeScript
|
||||
License: ASL 2.0 and W3C
|
||||
URL: https://xmlgraphics.apache.org/batik/
|
||||
Source0: http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
|
||||
Name: batik
|
||||
Version: 1.10
|
||||
Release: 4
|
||||
Summary: Batik is an inline templating engine for CoffeeScript
|
||||
License: Apache-2.0 and W3C
|
||||
URL: https://xmlgraphics.apache.org/batik/
|
||||
Source0: http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
|
||||
Source1: %{name}-security.policy
|
||||
|
||||
Patch1: 0001-Fix-imageio-codec-lookup.patch
|
||||
Patch6000: CVE-2019-17566.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -120,5 +121,8 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
|
||||
%doc CHANGES MAINTAIN README NOTICE
|
||||
|
||||
%changelog
|
||||
* Mon Dec 07 2020 zhanghua <zhanghua40@huawei.com> - 1.10-4
|
||||
- fix CVE-2019-17566
|
||||
|
||||
* Tue Dec 10 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.10-3
|
||||
- Package init
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user