Fix CVE-2019-13990
parent
4af71dd87c
commit
71b4ac3e3c
99
CVE-2019-13990.patch
Normal file
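--- /dev/null
+++ b/CVE-2019-13990.patch
@@ -0,0 +1,99 @@
+From a961d9a9af5f457a12838aa9e28db385b051603d Mon Sep 17 00:00:00 2001
+From: Jonathan Gallimore <jon@jrg.me.uk>
+Date: Tue, 6 Aug 2019 10:36:16 +0100
+Subject: [PATCH] Issue #467 provide XML parser with a strong configuration to
+prevent XXE attacks
+
+---
+.../xml/XMLSchedulingDataProcessor.java | 9 ++++++-
+.../xml/XMLSchedulingDataProcessorTest.java | 26 +++++++++++++++++++
+.../org/quartz/xml/bad-job-config.xml | 15 +++++++++++
+3 files changed, 49 insertions(+), 1 deletion(-)
+create mode 100755 quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+
+diff --git a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+index 0a074ebb..506651a8 100644
+--- a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
++++ b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+@@ -173,7 +173,14 @@ protected void initDocumentParser() throws ParserConfigurationException {
+docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema");
+
+docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
+-
++
++ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++ docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++ docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++ docBuilderFactory.setXIncludeAware(false);
++ docBuilderFactory.setExpandEntityReferences(false);
++
+docBuilder = docBuilderFactory.newDocumentBuilder();
+
+docBuilder.setErrorHandler(this);
+diff --git a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+index 4aeb6464..ae8fc298 100755
+--- a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
++++ b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+@@ -30,6 +30,7 @@
+import org.quartz.simpl.SimpleThreadPool;
+import org.quartz.spi.ClassLoadHelper;
+import org.quartz.utils.DBConnectionManager;
++import org.xml.sax.SAXParseException;
+
+/**
+* Unit test for XMLSchedulingDataProcessor.
+@@ -204,6 +205,31 @@ public void testQTZ327SimpleTriggerNoRepeat() throws Exception {
+}
+}
+
++ public void testXmlParserConfiguration() throws Exception {
++ Scheduler scheduler = null;
++ try {
++ StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
++ scheduler = factory.getScheduler();
++ ClassLoadHelper clhelper = new CascadingClassLoadHelper();
++ clhelper.initialize();
++ XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
++ processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
++
++
++ final JobKey jobKey = scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
++ final JobDetail jobDetail = scheduler.getJobDetail(jobKey);
++ final String description = jobDetail.getDescription();
++
++
++ fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
++ } catch (SAXParseException e) {
++ assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
++ } finally {
++ if (scheduler != null)
++ scheduler.shutdown();
++ }
++ }
++
+private Date dateOfGMT_UTC(int hour, int minute, int second, int dayOfMonth, int month, int year) {
+final GregorianCalendar calendar = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
+calendar.set(year, month, dayOfMonth, hour, minute, second);
+diff --git a/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+new file mode 100755
+index 00000000..9aeb5673
+--- /dev/null
++++ b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [<!ELEMENT foo ANY >
++ <!ENTITY xxe SYSTEM "/" >]>
++<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
++ <schedule>
++ <job>
++ <name>xxe</name>
++ <group>native</group>
++ <description>&xxe;</description>
++ <job-class>org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob</job-class>
++ <durability>true</durability>
++ <recover>false</recover>
++ </job>
++ </schedule>
++</job-scheduling-data>
+\ No newline at end of file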
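Review bot: The six hardening calls added to initDocumentParser() in the XMLSchedulingDataProcessor.java hunk carry no comment saying why they are there, and only the first of them (disallow-doctype-decl) is what rejects the DOCTYPE that the new test feeds in, so a later cleanup could drop it while the other five keep the block looking intact; a header comment such as `// Harden the parser against XXE (CVE-2019-13990): reject any DOCTYPE and never resolve external entities or DTDs` would pin the intent. In the test hunk, `assertTrue(e.getMessage().contains("DOCTYPE is disallowed"))` appears to couple the test to the wording of the JDK's built-in Xerces parser; another JAXP implementation on the classpath would presumably still throw SAXParseException but with different text, making the test fail for the wrong reason, so asserting on the exception type alone (the catch clause already does that) is the more portable check. Whether the hunk context at lines 173–180 matches the 2.2.1 sources this package builds cannot be verified from here, since the patch header shows it was authored in 2019 against upstream; the %autosetup -p1 step in the spec would surface a mismatch at build time. initDocumentParser() starts before the hunk and its body continues past it.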
@ -1,13 +1,14 @@
Summary: Enterprise Job Scheduler for Java
Name: quartz
Version: 2.2.1
Release: 1
Release: 2
Epoch: 0
License: ASL 2.0
URL: http://www.quartz-scheduler.org/
# svn export http://svn.terracotta.org/svn/quartz/tags/quartz-2.2.1
# tar caf quartz-2.2.1.tar.xz quartz-2.2.1
Source0: quartz-%{version}.tar.xz
Patch6000: CVE-2019-13990.patch
BuildRequires: maven-local maven-antrun-plugin maven-checkstyle-plugin maven-dependency-plugin
BuildRequires: maven-enforcer-plugin maven-release-plugin maven-shade-plugin maven-shared
BuildRequires: rmic-maven-plugin mvn(com.mchange:c3p0) mvn(javax.mail:mail) >= 1.4.3
@ -35,7 +36,7 @@ Summary: API docs for quartz
This package contains the API Documentation for quartz.
%prep
%setup -q
%autosetup -p1
%pom_disable_module quartz-jboss
%pom_disable_module quartz-oracle
%pom_disable_module quartz-weblogic
@ -88,5 +89,8 @@ sed -i 's/\r//' LICENSE.txt
%license LICENSE.txt
%changelog
* Sat Sep 19 2020 zhanghua <zhanghua40@huawei.com> - 2.2.1-2
- Fix CVE-2019-13990
* Fri Aug 21 2020 yaokai <yaokai13@huawei.com> - 2.2.1-1
- package init