packages/lucene3
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2017-12629

Browse Source
This commit is contained in:
wang_yue111 2020-09-20 16:21:26 +08:00
parent 125e080133
commit e414eaa362
2 changed files with 144 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

138
CVE-2017-12629.patch Normal file
View File

@ -0,0 +1,138 @@
From 1853361e9f49f6b04aa5cd9ead85cf4620d4d249 Mon Sep 17 00:00:00 2001
From: Christine Poerschke <cpoerschke@apache.org>
Date: Fri, 13 Oct 2017 12:46:58 +0100
Subject: [PATCH] SOLR-11477: Disallow resolving of external entities in
Lucene
queryparser/xml/CoreParser and SolrCoreParser (defType=xmlparser or
{!xmlparser ...}) by default.
(Michael Stepankin, Olga Barinova, Uwe Schindler, Christine Poerschke)
---
.../apache/lucene/xmlparser/CoreParser.java | 74 +++++++++++++++----
1 file changed, 58 insertions(+), 16 deletions(-)
diff --git a/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java b/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
index c84b90a..68c1529 100644
--- a/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
+++ b/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
@@ -1,9 +1,12 @@
package org.apache.lucene.xmlparser;
import java.io.InputStream;
+import java.util.Locale;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
import org.apache.lucene.analysis.Analyzer;
import org.apache.lucene.queryParser.QueryParser;
@@ -11,6 +14,10 @@ import org.apache.lucene.search.Query;
import org.apache.lucene.xmlparser.builders.*;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.ErrorHandler;
+import org.xml.sax.SAXException;
+import org.xml.sax.InputSource;
/**
* Licensed to the Apache Software Foundation (ASF) under one or more
@@ -123,7 +130,11 @@ public class CoreParser implements QueryBuilder
sqof.addBuilder("SpanNot",snot);
queryFactory.addBuilder("SpanNot",snot);
}
-
+
+ /**
+ * Parses the given stream as XML file and returns a {@link Query}.
+ * By default this disallows external entities for security reasons.
+ */
public Query parse(InputStream xmlStream) throws ParserException
{
return getQuery(parseXML(xmlStream).getDocumentElement());
@@ -138,28 +149,49 @@ public class CoreParser implements QueryBuilder
filterFactory.addBuilder(nodeName,builder);
}
- private static Document parseXML(InputStream pXmlFile) throws ParserException
- {
- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder db = null;
+ /**
+ * Returns a SAX {@link EntityResolver} to be used by {@link DocumentBuilder}.
+ * By default this returns {@link #DISALLOW_EXTERNAL_ENTITY_RESOLVER}, which disallows the
+ * expansion of external entities (for security reasons). To restore legacy behavior,
+ * override this method to return {@code null}.
+ */
+ protected EntityResolver getEntityResolver() {
+ return DISALLOW_EXTERNAL_ENTITY_RESOLVER;
+ }
+
+ /**
+ * Subclass and override to return a SAX {@link ErrorHandler} to be used by {@link DocumentBuilder}.
+ * By default this returns {@code null} so no error handler is used.
+ * This method can be used to redirect XML parse errors/warnings to a custom logger.
+ */
+ protected ErrorHandler getErrorHandler() {
+ return null;
+ }
+
+ private Document parseXML(InputStream pXmlFile) throws ParserException {
+ final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setValidating(false);
try
{
- db = dbf.newDocumentBuilder();
- }
- catch (Exception se)
- {
- throw new ParserException("XML Parser configuration error", se);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ // ignore since all implementations are required to support the
+ // {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} feature
}
- org.w3c.dom.Document doc = null;
+ final DocumentBuilder db;
try
{
- doc = db.parse(pXmlFile);
+ db = dbf.newDocumentBuilder();
+ } catch (Exception se) {
+ throw new ParserException("XML Parser configuration error.", se);
}
- catch (Exception se)
- {
- throw new ParserException("Error parsing XML stream:" + se, se);
+ try {
+ db.setEntityResolver(getEntityResolver());
+ db.setErrorHandler(getErrorHandler());
+ return db.parse(pXmlFile);
+ } catch (Exception se) {
+ throw new ParserException("Error parsing XML stream: " + se, se);
}
- return doc;
}
@@ -167,4 +199,14 @@ public class CoreParser implements QueryBuilder
{
return queryFactory.getQuery(e);
}
+
+ public static final EntityResolver DISALLOW_EXTERNAL_ENTITY_RESOLVER = new EntityResolver() {
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
+ throw new SAXException(String.format(Locale.ENGLISH,
+ "External Entity resolving unsupported: publicId=\"%s\" systemId=\"%s\"",
+ publicId, systemId));
+ }
+ };
+
}
--
2.23.0

7
lucene3.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance, full-featured text search engine Summary: High-performance, full-featured text search engine
Name: lucene3 Name: lucene3
Version: 3.6.2 Version: 3.6.2
Release: 1 Release: 2
Epoch: 0 Epoch: 0
License: ASL 2.0 and BSD License: ASL 2.0 and BSD
URL: http://lucene.apache.org/ URL: http://lucene.apache.org/
@ -12,6 +12,7 @@ Patch0: lucene_contrib_icu4j_v50.patch
Patch1: lucene-3.6.2-hamcrest-core.patch Patch1: lucene-3.6.2-hamcrest-core.patch
Patch2: lucene-3.6.2-javascript.patch Patch2: lucene-3.6.2-javascript.patch
Patch3: test-framework.patch Patch3: test-framework.patch
Patch4: CVE-2017-12629.patch
#svn export http://svn.apache.org/repos/asf/lucene/dev/tags/lucene_solr_3_6_2/dev-tools@r145 #svn export http://svn.apache.org/repos/asf/lucene/dev/tags/lucene_solr_3_6_2/dev-tools@r145
#tar caf dev-tools.tar.xz dev-tools/ #tar caf dev-tools.tar.xz dev-tools/
Source4: dev-tools.tar.xz Source4: dev-tools.tar.xz
@ -51,6 +52,7 @@ sed -i -e "s|3.5.0|3.6.2|g" backwards/ivy.xml
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p0 %patch3 -p0
%patch4 -p1
%build %build
mkdir -p docs mkdir -p docs
@ -113,5 +115,8 @@ done
%license LICENSE.txt NOTICE.txt %license LICENSE.txt NOTICE.txt
%changelog %changelog
* Sun 20 Sep 2020 wangyue <wangyue92@huawei.com> - 3.6.2-2
- fix CVE-2017-12629
* Sat Aug 22 2020 Jeffery.Gao <gaojianxing@huawei.com> - 3.6.2-1 * Sat Aug 22 2020 Jeffery.Gao <gaojianxing@huawei.com> - 3.6.2-1
- package init - package init