Fix CVE-2020-10683
This commit is contained in:
parent
8485dd1ef0
commit
e08632136f
@ -0,0 +1,97 @@
|
||||
From a16aaa7a192f5e5258dd941cb6a4344c1ca80839 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
|
||||
Date: Sun, 1 Jul 2018 13:20:26 +0200
|
||||
Subject: [PATCH] #44 Default SAXParser features are set when SAXParser is
|
||||
created, so they can be overriden.
|
||||
|
||||
(cherry picked from commit 161078a8a520dcd1db6d451190f2434d56547664)
|
||||
---
|
||||
src/main/java/org/dom4j/io/SAXHelper.java | 15 +++++++++++++++
|
||||
src/main/java/org/dom4j/io/SAXReader.java | 23 +----------------------
|
||||
src/test/java/org/dom4j/io/DTDTest.java | 2 ++
|
||||
3 files changed, 18 insertions(+), 22 deletions(-)
|
||||
|
||||
diff --git a/src/main/java/org/dom4j/io/SAXHelper.java b/src/main/java/org/dom4j/io/SAXHelper.java
|
||||
index 0810a90c..f120337f 100644
|
||||
--- a/src/main/java/org/dom4j/io/SAXHelper.java
|
||||
+++ b/src/main/java/org/dom4j/io/SAXHelper.java
|
||||
@@ -103,6 +103,21 @@ public static XMLReader createXMLReader(boolean validating)
|
||||
throw new SAXException("Couldn't create SAX reader");
|
||||
}
|
||||
|
||||
+ // configure namespace support
|
||||
+ SAXHelper.setParserFeature(reader, "http://xml.org/sax/features/namespaces", true);
|
||||
+ SAXHelper.setParserFeature(reader, "http://xml.org/sax/features/namespace-prefixes", false);
|
||||
+
|
||||
+ // external entites
|
||||
+// SAXHelper.setParserFeature(reader, "http://xml.org/sax/properties/external-general-entities", false);
|
||||
+// SAXHelper.setParserFeature(reader, "http://xml.org/sax/properties/external-parameter-entities", false);
|
||||
+
|
||||
+ // external DTD
|
||||
+ SAXHelper.setParserFeature(reader,"http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||
+
|
||||
+
|
||||
+ // use Locator2 if possible
|
||||
+ SAXHelper.setParserFeature(reader,"http://xml.org/sax/features/use-locator2", true);
|
||||
+
|
||||
return reader;
|
||||
}
|
||||
|
||||
diff --git a/src/main/java/org/dom4j/io/SAXReader.java b/src/main/java/org/dom4j/io/SAXReader.java
|
||||
index 23559e49..6bb3d926 100644
|
||||
--- a/src/main/java/org/dom4j/io/SAXReader.java
|
||||
+++ b/src/main/java/org/dom4j/io/SAXReader.java
|
||||
@@ -65,11 +65,7 @@
|
||||
public class SAXReader {
|
||||
private static final String SAX_STRING_INTERNING =
|
||||
"http://xml.org/sax/features/string-interning";
|
||||
- private static final String SAX_NAMESPACE_PREFIXES =
|
||||
- "http://xml.org/sax/features/namespace-prefixes";
|
||||
- private static final String SAX_NAMESPACES =
|
||||
- "http://xml.org/sax/features/namespaces";
|
||||
- private static final String SAX_DECL_HANDLER =
|
||||
+ private static final String SAX_DECL_HANDLER =
|
||||
"http://xml.org/sax/properties/declaration-handler";
|
||||
private static final String SAX_LEXICAL_HANDLER =
|
||||
"http://xml.org/sax/properties/lexical-handler";
|
||||
@@ -902,27 +898,10 @@ protected void configureReader(XMLReader reader, DefaultHandler handler)
|
||||
SAXHelper.setParserProperty(reader, SAX_DECL_HANDLER, handler);
|
||||
}
|
||||
|
||||
- // configure namespace support
|
||||
- SAXHelper.setParserFeature(reader, SAX_NAMESPACES, true);
|
||||
-
|
||||
- SAXHelper.setParserFeature(reader, SAX_NAMESPACE_PREFIXES, false);
|
||||
-
|
||||
// string interning
|
||||
SAXHelper.setParserFeature(reader, SAX_STRING_INTERNING,
|
||||
isStringInternEnabled());
|
||||
|
||||
- // external entites
|
||||
- /*
|
||||
- * SAXHelper.setParserFeature( reader,
|
||||
- * "http://xml.org/sax/properties/external-general-entities",
|
||||
- * includeExternalGeneralEntities ); SAXHelper.setParserFeature( reader,
|
||||
- * "http://xml.org/sax/properties/external-parameter-entities",
|
||||
- * includeExternalParameterEntities );
|
||||
- */
|
||||
- // use Locator2 if possible
|
||||
- SAXHelper.setParserFeature(reader,
|
||||
- "http://xml.org/sax/features/use-locator2", true);
|
||||
-
|
||||
try {
|
||||
// configure validation support
|
||||
reader.setFeature("http://xml.org/sax/features/validation",
|
||||
diff --git a/src/test/java/org/dom4j/io/DTDTest.java b/src/test/java/org/dom4j/io/DTDTest.java
|
||||
index ff77e4be..1c432328 100644
|
||||
--- a/src/test/java/org/dom4j/io/DTDTest.java
|
||||
+++ b/src/test/java/org/dom4j/io/DTDTest.java
|
||||
@@ -445,6 +445,8 @@ protected Document readDocument(String resourceName,
|
||||
reader.setEntityResolver(new MyEntityResolver(DTD_FILE,
|
||||
DTD_PUBLICID, DTD_SYSTEM_ID));
|
||||
|
||||
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
|
||||
+
|
||||
return getDocument(resourceName, reader);
|
||||
}
|
||||
|
||||
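Review bot: The two `+//` lines under `// external entites` in createXMLReader leave external general and parameter entity resolution at the parser's default, so a reader obtained from SAXHelper.createXMLReader has only load-external-dtd disabled after this patch. Those commented lines also name `http://xml.org/sax/properties/external-general-entities`, whereas the SAX feature URIs used by the companion -2 patch are `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities`, so uncommenting them as written would likely be rejected as unrecognised rather than take effect. If Patch6005 is meant to complete this hardening that is fine; otherwise the defaults should be set here with the corrected URIs, e.g. `SAXHelper.setParserFeature(reader, "http://xml.org/sax/features/external-general-entities", false);` and the matching parameter-entities line. Whether setParserFeature tolerates a feature the XMLReader does not recognise (load-external-dtd is an Apache Xerces feature) is not visible in this hunk, and the body of createXMLReader begins before it; the comment also misspells "entities".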
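--- /dev/null
+++ b/backport-Disable-downloading-external-resources-with-1.patch
@@ -0,0 +1,31 @@
+From c8d112e458799721d0c78959bc591b90e2f8d199 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
+Date: Sun, 1 Jul 2018 12:45:33 +0200
+Subject: [PATCH] #28 Disable downloading external resources with
+DocumentHelper.parseText() helper.
+
+(cherry picked from commit 8f6a7f6001d679176c1079ac65871d4e493360db)
+---
+src/main/java/org/dom4j/DocumentHelper.java | 3 +++
+
+diff --git a/src/main/java/org/dom4j/DocumentHelper.java b/src/main/java/org/dom4j/DocumentHelper.java
+index 26569e2d..a3a69dca 100644
+--- a/src/main/java/org/dom4j/DocumentHelper.java
++++ b/src/main/java/org/dom4j/DocumentHelper.java
+@@ -18,6 +18,7 @@
+import org.jaxen.VariableContext;
+
+import org.xml.sax.InputSource;
++import org.xml.sax.SAXException;
+
+/**
+ * <code>DocumentHelper</code> is a collection of helper methods for using
+@@ -256,6 +257,8 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
+ * <code>parseText</code> parses the given text as an XML document and
+ * returns the newly created Document.
+ * </p>
++ *
++ * Loading external DTD and entities is disabled (if it is possible) for security reasons.
+ *
+ * @param text
+ * the XML text to be parsed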
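Review bot: The Javadoc sentence added to parseText promises that external DTD and entity loading is disabled, but nothing in this patch implements it and the added `import org.xml.sax.SAXException;` is unused here; both only become meaningful once the companion -2 patch (Patch6003 in the spec) is applied, so the two patches must stay applied together and in that order. The wording `(if it is possible)` also leaves callers guessing what happens otherwise; since the -2 patch silently continues when a feature cannot be set, the sentence would be clearer as `Loading of external DTDs and external entities is disabled when the underlying XMLReader supports the corresponding features; otherwise parsing proceeds with them enabled.` The parseText method itself lies outside this hunk.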
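--- /dev/null
+++ b/backport-Disable-downloading-external-resources-with-2.patch
@@ -0,0 +1,30 @@
+From 1707bf3d898a8ada3b213acb0e3b38f16eaae73d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
+Date: Sat, 11 Apr 2020 19:27:36 +0200
+Subject: [PATCH] #28 Disable downloading external resources with
+DocumentHelper.parseText() helper.
+
+(cherry picked from commit 8f6a7f6001d679176c1079ac65871d4e493360db)
+---
+src/main/java/org/dom4j/DocumentHelper.java | 8 ++++++++
+1 file changed, 8 insertions(+)
+
+diff --git a/src/main/java/org/dom4j/DocumentHelper.java b/src/main/java/org/dom4j/DocumentHelper.java
+index a3a69dca..6ceed9a3 100644
+--- a/src/main/java/org/dom4j/DocumentHelper.java
++++ b/src/main/java/org/dom4j/DocumentHelper.java
+@@ -270,6 +270,14 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
+*/
+public static Document parseText(String text) throws DocumentException {
+SAXReader reader = new SAXReader();
++ try {
++ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ } catch (SAXException e) {
++ //Parse with external resources downloading allowed.
++ }
++
+String encoding = getEncoding(text);
+
+InputSource source = new InputSource(new StringReader(text));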
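Review bot: In parseText the three setFeature calls share one try block, so the first unsupported feature aborts the rest: `load-external-dtd` is an Apache Xerces feature, and on an XMLReader that rejects it the two standard SAX entity features on the following lines are never attempted, after which the empty catch parses with external resources still enabled. Setting each feature in its own try keeps the standard SAX ones effective even where the Xerces one is unavailable, which is what the rewrite below does. The silent fallback should also carry a comment saying that parsing proceeds with external resource loading allowed for any feature that could not be set, since the Javadoc's `(if it is possible)` is the only hint callers get today. parseText continues past the end of this hunk.
```java
SAXReader reader = new SAXReader();
// Each feature is set on its own so that one the XMLReader does not
// recognise (load-external-dtd is Xerces-specific) does not prevent the
// standard SAX entity features from being disabled.
for (String feature : new String[] {
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities"}) {
    try {
        reader.setFeature(feature, false);
    } catch (SAXException e) {
        // Feature unsupported by this XMLReader: parsing proceeds with this
        // kind of external resource loading still allowed.
    }
}
// … unchanged: encoding detection and InputSource construction …
```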
@ -1,6 +1,6 @@
|
||||
Name: dom4j
|
||||
Version: 2.0.0
|
||||
Release: 7
|
||||
Release: 8
|
||||
Summary: Flexible XML framework for Java
|
||||
License: BSD
|
||||
URL: https://dom4j.github.io/
|
||||
@ -8,6 +8,10 @@ Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz
|
||||
Source1: https://repo1.maven.org/maven2/org/%{name}/%{name}/%{version}/%{name}-%{version}.pom
|
||||
Patch6000: CVE-2018-1000632-pre.patch
|
||||
Patch6001: CVE-2018-1000632.patch
|
||||
Patch6002: backport-Disable-downloading-external-resources-with-1.patch
|
||||
Patch6003: backport-Disable-downloading-external-resources-with-2.patch
|
||||
Patch6004: backport-Default-SAXParser-features-are-set-when-SAXParser-is.patch
|
||||
Patch6005: backport-CVE-2020-10683-SAXReader-uses-system-default-XMLReader-with-its-defaults.patch
|
||||
BuildArch: noarch
|
||||
|
||||
BuildRequires: maven-local, mvn(jaxen:jaxen), mvn(net.java.dev.msv:xsdlib), mvn(xpp3:xpp3), mvn(javax.xml.bind:jaxb-api)
|
||||
@ -48,5 +52,8 @@ rm -rf src/test/java/org/dom4j/util/PerThreadSingletonTest.java
|
||||
%{_javadocdir}/%{name}/*
|
||||
|
||||
%changelog
|
||||
* Fri Jun 19 2020 lingsheng <lingsheng@huawei.com> - 2.0.0-8
|
||||
- Fix CVE-2020-10683
|
||||
|
||||
* Fri Dec 13 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.0.0-7
|
||||
- Package init
|
||||
|
||||