diff --git a/CVE-2021-23926-1.patch b/CVE-2021-23926-1.patch
new file mode 100644
index 0000000..ea2ea6d
--- /dev/null
+++ b/CVE-2021-23926-1.patch
@@ -0,0 +1,421 @@ +From 80cb805eb1488ba3a16c427866fa8ae1f52ff0c5 Mon Sep 17 00:00:00 2001 +From: PJ Fanning +Date: Sun, 10 Jun 2018 10:15:30 +0000 +Subject: [PATCH 1/2] use safe XML parsers + +git-svn-id: https://svn.apache.org/repos/asf/xmlbeans/trunk@1833260 13f79535-47bb-0310-9956-ffa450edef68 +--- + .../xmlbeans/impl/common/DocumentHelper.java | 165 ++++++++++++++++++ + .../xmlbeans/impl/common/LoadSaveUtils.java | 6 +- + .../xmlbeans/impl/common}/NullLogger.java | 4 +- + .../xmlbeans/impl/common}/SAXHelper.java | 6 +- + .../apache/xmlbeans/impl/common/Sax2Dom.java | 9 +- + .../xmlbeans/impl/common}/XBLogFactory.java | 4 +- + .../xmlbeans/impl/common}/XBLogger.java | 4 +- + .../apache/xmlbeans/impl/store/Locale.java | 24 +-- + 8 files changed, 189 insertions(+), 33 deletions(-) + create mode 100644 src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java + rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/NullLogger.java (95%) + rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/SAXHelper.java (96%) + rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/XBLogFactory.java (97%) + rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/XBLogger.java (97%) + +diff --git a/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java b/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java +new file mode 100644 +index 00000000..8c487644 +--- /dev/null ++++ b/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java +@@ -0,0 +1,165 @@ ++/* Copyright 2004-2018 The Apache Software Foundation ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. 
++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package org.apache.xmlbeans.impl.common; ++ ++import java.io.IOException; ++import java.io.InputStream; ++import java.lang.reflect.Method; ++ ++import javax.xml.XMLConstants; ++import javax.xml.parsers.DocumentBuilder; ++import javax.xml.parsers.DocumentBuilderFactory; ++import javax.xml.parsers.ParserConfigurationException; ++import javax.xml.stream.events.Namespace; ++ ++import org.w3c.dom.Document; ++import org.w3c.dom.Element; ++import org.xml.sax.ErrorHandler; ++import org.xml.sax.InputSource; ++import org.xml.sax.SAXException; ++import org.xml.sax.SAXParseException; ++ ++public final class DocumentHelper { ++ private static XBLogger logger = XBLogFactory.getLogger(DocumentHelper.class); ++ ++ private DocumentHelper() {} ++ ++ private static class DocHelperErrorHandler implements ErrorHandler { ++ ++ public void warning(SAXParseException exception) throws SAXException { ++ printError(XBLogger.WARN, exception); ++ } ++ ++ public void error(SAXParseException exception) throws SAXException { ++ printError(XBLogger.ERROR, exception); ++ } ++ ++ public void fatalError(SAXParseException exception) throws SAXException { ++ printError(XBLogger.FATAL, exception); ++ throw exception; ++ } ++ ++ /** Prints the error message. 
*/ ++ private void printError(int type, SAXParseException ex) { ++ StringBuilder sb = new StringBuilder(); ++ ++ String systemId = ex.getSystemId(); ++ if (systemId != null) { ++ int index = systemId.lastIndexOf('/'); ++ if (index != -1) ++ systemId = systemId.substring(index + 1); ++ sb.append(systemId); ++ } ++ sb.append(':'); ++ sb.append(ex.getLineNumber()); ++ sb.append(':'); ++ sb.append(ex.getColumnNumber()); ++ sb.append(": "); ++ sb.append(ex.getMessage()); ++ ++ logger.log(type, sb.toString(), ex); ++ } ++ } ++ ++ /** ++ * Creates a new document builder, with sensible defaults ++ * ++ * @throws IllegalStateException If creating the DocumentBuilder fails, e.g. ++ * due to {@link ParserConfigurationException}. ++ */ ++ public static synchronized DocumentBuilder newDocumentBuilder() { ++ try { ++ DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder(); ++ documentBuilder.setEntityResolver(SAXHelper.IGNORING_ENTITY_RESOLVER); ++ documentBuilder.setErrorHandler(new DocHelperErrorHandler()); ++ return documentBuilder; ++ } catch (ParserConfigurationException e) { ++ throw new IllegalStateException("cannot create a DocumentBuilder", e); ++ } ++ } ++ ++ private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); ++ static { ++ documentBuilderFactory.setNamespaceAware(true); ++ documentBuilderFactory.setValidating(false); ++ trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true); ++ trySetXercesSecurityManager(documentBuilderFactory); ++ } ++ ++ private static void trySetSAXFeature(DocumentBuilderFactory dbf, String feature, boolean enabled) { ++ try { ++ dbf.setFeature(feature, enabled); ++ } catch (Exception e) { ++ logger.log(XBLogger.WARN, "SAX Feature unsupported", feature, e); ++ } catch (AbstractMethodError ame) { ++ logger.log(XBLogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame); ++ } ++ } ++ ++ private static void 
trySetXercesSecurityManager(DocumentBuilderFactory dbf) { ++ // Try built-in JVM one first, standalone if not ++ for (String securityManagerClassName : new String[]{ ++ //"com.sun.org.apache.xerces.internal.util.SecurityManager", ++ "org.apache.xerces.util.SecurityManager" ++ }) { ++ try { ++ Object mgr = Class.forName(securityManagerClassName).newInstance(); ++ Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE); ++ setLimit.invoke(mgr, 4096); ++ dbf.setAttribute("http://apache.org/xml/properties/security-manager", mgr); ++ // Stop once one can be setup without error ++ return; ++ } catch (ClassNotFoundException e) { ++ // continue without log, this is expected in some setups ++ } catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here ++ logger.log(XBLogger.WARN, "SAX Security Manager could not be setup", e); ++ } ++ } ++ ++ // separate old version of Xerces not found => use the builtin way of setting the property ++ dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096); ++ } ++ ++ /** ++ * Parses the given stream via the default (sensible) ++ * DocumentBuilder ++ * @param inp Stream to read the XML data from ++ * @return the parsed Document ++ */ ++ public static Document readDocument(InputStream inp) throws IOException, SAXException { ++ return newDocumentBuilder().parse(inp); ++ } ++ ++ /** ++ * Parses the given stream via the default (sensible) ++ * DocumentBuilder ++ * @param inp sax source to read the XML data from ++ * @return the parsed Document ++ */ ++ public static Document readDocument(InputSource inp) throws IOException, SAXException { ++ return newDocumentBuilder().parse(inp); ++ } ++ ++ // must only be used to create empty documents, do not use it for parsing! 
++ private static final DocumentBuilder documentBuilderSingleton = newDocumentBuilder(); ++ ++ /** ++ * Creates a new DOM Document ++ */ ++ public static synchronized Document createDocument() { ++ return documentBuilderSingleton.newDocument(); ++ } ++} +diff --git a/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java b/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java +index 74b52743..a80deff9 100644 +--- a/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java ++++ b/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java +@@ -22,7 +22,6 @@ package org.apache.xmlbeans.impl.common; + import org.w3c.dom.Document; + import org.xml.sax.SAXException; + +-import javax.xml.parsers.SAXParserFactory; + import javax.xml.parsers.SAXParser; + import javax.xml.parsers.ParserConfigurationException; + import javax.xml.stream.XMLStreamWriter; +@@ -40,10 +39,7 @@ public class LoadSaveUtils + public static Document xmlText2GenericDom(InputStream is, Document emptyDoc) + throws SAXException, ParserConfigurationException, IOException + { +- SAXParserFactory factory = SAXParserFactory.newInstance(); +- factory.setNamespaceAware(true); +- +- SAXParser parser = factory.newSAXParser(); ++ SAXParser parser = SAXHelper.saxFactory.newSAXParser(); + + Sax2Dom handler = new Sax2Dom(emptyDoc); + +diff --git a/src/store/org/apache/xmlbeans/impl/store/NullLogger.java b/src/common/org/apache/xmlbeans/impl/common/NullLogger.java +similarity index 95% +rename from src/store/org/apache/xmlbeans/impl/store/NullLogger.java +rename to src/common/org/apache/xmlbeans/impl/common/NullLogger.java +index aca8d1d5..6b5874a4 100644 +--- a/src/store/org/apache/xmlbeans/impl/store/NullLogger.java ++++ b/src/common/org/apache/xmlbeans/impl/common/NullLogger.java +@@ -1,4 +1,4 @@ +-/* Copyright 2017 The Apache Software Foundation ++/* Copyright 2017, 2018 The Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use 
this file except in compliance with the License. +@@ -13,7 +13,7 @@ + * limitations under the License. + */ + +-package org.apache.xmlbeans.impl.store; ++package org.apache.xmlbeans.impl.common; + + /** + * A logger class that strives to make it as easy as possible for +diff --git a/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java b/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java +similarity index 96% +rename from src/store/org/apache/xmlbeans/impl/store/SAXHelper.java +rename to src/common/org/apache/xmlbeans/impl/common/SAXHelper.java +index 67fb3a0e..71bed2dc 100644 +--- a/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java ++++ b/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java +@@ -1,4 +1,4 @@ +-/* Copyright 2017 The Apache Software Foundation ++/* Copyright 2017, 2018 The Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. +@@ -13,7 +13,7 @@ + * limitations under the License. 
+ */ + +-package org.apache.xmlbeans.impl.store; ++package org.apache.xmlbeans.impl.common; + + import java.io.IOException; + import java.io.StringReader; +@@ -57,7 +57,7 @@ public final class SAXHelper { + } + }; + +- private static final SAXParserFactory saxFactory; ++ static final SAXParserFactory saxFactory; + static { + saxFactory = SAXParserFactory.newInstance(); + saxFactory.setValidating(false); +diff --git a/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java b/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java +index 67294bb8..989eafcb 100644 +--- a/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java ++++ b/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java +@@ -28,7 +28,6 @@ import org.xml.sax.helpers.DefaultHandler; + import org.xml.sax.ext.LexicalHandler; + + import javax.xml.parsers.ParserConfigurationException; +-import javax.xml.parsers.DocumentBuilderFactory; + import java.util.Stack; + import java.util.Vector; + +@@ -49,9 +48,7 @@ public class Sax2Dom + + public Sax2Dom() throws ParserConfigurationException + { +- final DocumentBuilderFactory factory = +- DocumentBuilderFactory.newInstance(); +- _document = factory.newDocumentBuilder().newDocument(); ++ _document = DocumentHelper.newDocumentBuilder().newDocument(); + _root = _document; + } + +@@ -68,9 +65,7 @@ public class Sax2Dom + } + else + { +- final DocumentBuilderFactory factory = +- DocumentBuilderFactory.newInstance(); +- _document = factory.newDocumentBuilder().newDocument(); ++ _document = DocumentHelper.newDocumentBuilder().newDocument(); + _root = _document; + } + } +diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java b/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java +similarity index 97% +rename from src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java +rename to src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java +index f31d4db7..0afac4d5 100644 +--- a/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java ++++ 
b/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java +@@ -1,4 +1,4 @@ +-/* Copyright 2017 The Apache Software Foundation ++/* Copyright 2017, 2018 The Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. +@@ -13,7 +13,7 @@ + * limitations under the License. + */ + +-package org.apache.xmlbeans.impl.store; ++package org.apache.xmlbeans.impl.common; + + import java.util.HashMap; + import java.util.Map; +diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogger.java b/src/common/org/apache/xmlbeans/impl/common/XBLogger.java +similarity index 97% +rename from src/store/org/apache/xmlbeans/impl/store/XBLogger.java +rename to src/common/org/apache/xmlbeans/impl/common/XBLogger.java +index fa605112..b1394226 100644 +--- a/src/store/org/apache/xmlbeans/impl/store/XBLogger.java ++++ b/src/common/org/apache/xmlbeans/impl/common/XBLogger.java +@@ -1,4 +1,4 @@ +-/* Copyright 2017 The Apache Software Foundation ++/* Copyright 2017, 2018 The Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. +@@ -13,7 +13,7 @@ + * limitations under the License. 
+ */ + +-package org.apache.xmlbeans.impl.store; ++package org.apache.xmlbeans.impl.common; + + /** + * A logger interface that strives to make it as easy as possible for +diff --git a/src/store/org/apache/xmlbeans/impl/store/Locale.java b/src/store/org/apache/xmlbeans/impl/store/Locale.java +index 1f02a160..4a4d5927 100644 +--- a/src/store/org/apache/xmlbeans/impl/store/Locale.java ++++ b/src/store/org/apache/xmlbeans/impl/store/Locale.java +@@ -1,4 +1,4 @@ +-/* Copyright 2004 The Apache Software Foundation ++/* Copyright 2004-2018 The Apache Software Foundation + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. +@@ -15,7 +15,6 @@ + + package org.apache.xmlbeans.impl.store; + +-import org.apache.xmlbeans.XmlErrorCodes; + import org.xml.sax.Locator; + import org.xml.sax.Attributes; + import org.xml.sax.ContentHandler; +@@ -45,6 +44,7 @@ import java.io.Reader; + import java.io.StringReader; + import java.io.IOException; + ++import javax.xml.namespace.QName; + import javax.xml.stream.XMLStreamReader; + import javax.xml.stream.XMLStreamException; + +@@ -59,15 +59,7 @@ import org.apache.xmlbeans.xml.stream.XMLEvent; + import org.apache.xmlbeans.xml.stream.XMLInputStream; + import org.apache.xmlbeans.xml.stream.XMLName; + +-import org.w3c.dom.DOMImplementation; +-import org.w3c.dom.Document; +-import org.w3c.dom.DocumentType; +-import org.w3c.dom.Node; +-import org.w3c.dom.NamedNodeMap; +-import org.w3c.dom.Element; +- +-import javax.xml.namespace.QName; +- ++import org.apache.xmlbeans.impl.common.SAXHelper; + import org.apache.xmlbeans.impl.common.XMLNameHelper; + import org.apache.xmlbeans.impl.common.QNameHelper; + import org.apache.xmlbeans.impl.common.XmlLocale; +@@ -89,10 +81,11 @@ import org.apache.xmlbeans.XmlBeans; + import org.apache.xmlbeans.XmlLineNumber; + import org.apache.xmlbeans.XmlCursor; + import org.apache.xmlbeans.XmlCursor.XmlBookmark; +-import 
org.apache.xmlbeans.XmlSaxHandler;
++import org.apache.xmlbeans.XmlErrorCodes;
+ import org.apache.xmlbeans.XmlException;
+ import org.apache.xmlbeans.XmlObject;
+ import org.apache.xmlbeans.XmlOptions;
++import org.apache.xmlbeans.XmlSaxHandler;
+ import org.apache.xmlbeans.SchemaType;
+ import org.apache.xmlbeans.SchemaTypeLoader;
+ import org.apache.xmlbeans.XmlTokenSource;
+@@ -109,6 +102,13 @@ import org.apache.xmlbeans.impl.values.TypeStoreUserFactory;
+ import org.apache.xmlbeans.impl.piccolo.xml.Piccolo;
+ import org.apache.xmlbeans.impl.piccolo.io.FileFormatException;
+ 
++import org.w3c.dom.DOMImplementation;
++import org.w3c.dom.Document;
++import org.w3c.dom.DocumentType;
++import org.w3c.dom.Node;
++import org.w3c.dom.NamedNodeMap;
++import org.w3c.dom.Element;
++
+ public final class Locale
+ implements DOMImplementation, SaajCallback, XmlLocale
+ {
+--
+2.23.0
+
diff --git a/CVE-2021-23926-2.patch b/CVE-2021-23926-2.patch
new file mode 100644
index 0000000..6941319
--- /dev/null
+++ b/CVE-2021-23926-2.patch
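Review bot: The parser that LoadSaveUtils.xmlText2GenericDom now obtains from `SAXHelper.saxFactory.newSAXParser()` is not actually hardened: the factory's static initialiser (visible in the -pre patch on this page) only calls setValidating(false) and setNamespaceAware(true), while FEATURE_SECURE_PROCESSING, the Xerces security manager and IGNORING_ENTITY_RESOLVER are applied by `SAXHelper.newXMLReader()` to the XMLReader it returns, so a parser taken straight from the factory still resolves external entities and external DTDs. The parse call of xmlText2GenericDom lies beyond the inner hunk, so I cannot see whether a resolver is attached there, but nothing in this patch does it. Either route LoadSaveUtils through `SAXHelper.newXMLReader()` (set the Sax2Dom handler as content handler and call `reader.parse(new InputSource(is))`), or harden the factory itself at the point where this patch widens `saxFactory` to package visibility, so every parser it hands out carries the same defences; a sketch of the latter follows. The feature URIs below are the standard SAX/Xerces ones and should be set with the same tolerance for outdated parsers that trySetSAXFeature already uses.
```java
static final SAXParserFactory saxFactory;
static {
    // … unchanged: newInstance(), setValidating(false), setNamespaceAware(true) …
    // apply the XXE defences to the factory, not only to readers built by newXMLReader()
    trySetFactoryFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    trySetFactoryFeature("http://xml.org/sax/features/external-general-entities", false);
    trySetFactoryFeature("http://xml.org/sax/features/external-parameter-entities", false);
    trySetFactoryFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
}

/** Factory-level twin of trySetSAXFeature: log and continue if the parser does not know the feature. */
private static void trySetFactoryFeature(String feature, boolean enabled) {
    try {
        saxFactory.setFeature(feature, enabled);
    } catch (Exception e) {
        logger.log(XBLogger.WARN, "SAX Feature unsupported", feature, e);
    }
}
// … unchanged: newXMLReader, IGNORING_ENTITY_RESOLVER, trySetSAXFeature, trySetXercesSecurityManager …
```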
@@ -0,0 +1,120 @@ +From a2604e07eeb04bd9a88f8624c3b8efd57b88237c Mon Sep 17 00:00:00 2001 +From: PJ Fanning +Date: Sun, 10 Jun 2018 10:38:41 +0000 +Subject: [PATCH 2/2] use safe XML parsers + +git-svn-id: https://svn.apache.org/repos/asf/xmlbeans/trunk@1833263 13f79535-47bb-0310-9956-ffa450edef68 +--- + .../xmlbeans/impl/common/StaxHelper.java | 78 +++++++++++++++++++ + .../impl/tool/StreamInstanceValidator.java | 3 +- + 2 files changed, 80 insertions(+), 1 deletion(-) + create mode 100644 src/common/org/apache/xmlbeans/impl/common/StaxHelper.java + +diff --git a/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java b/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java +new file mode 100644 +index 00000000..b6a960ca +--- /dev/null ++++ b/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java +@@ -0,0 +1,78 @@ ++/* Copyright 2017, 2018 The Apache Software Foundation ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ ++ ++package org.apache.xmlbeans.impl.common; ++ ++import javax.xml.stream.XMLEventFactory; ++import javax.xml.stream.XMLInputFactory; ++import javax.xml.stream.XMLOutputFactory; ++ ++ ++/** ++ * Provides handy methods for working with StAX parsers and readers ++ */ ++public final class StaxHelper { ++ private static final XBLogger logger = XBLogFactory.getLogger(StaxHelper.class); ++ ++ private StaxHelper() {} ++ ++ /** ++ * Creates a new StAX XMLInputFactory, with sensible defaults ++ */ ++ public static XMLInputFactory newXMLInputFactory() { ++ XMLInputFactory factory = XMLInputFactory.newFactory(); ++ trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true); ++ trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false); ++ trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false); ++ trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); ++ return factory; ++ } ++ ++ /** ++ * Creates a new StAX XMLOutputFactory, with sensible defaults ++ */ ++ public static XMLOutputFactory newXMLOutputFactory() { ++ XMLOutputFactory factory = XMLOutputFactory.newFactory(); ++ trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true); ++ return factory; ++ } ++ ++ /** ++ * Creates a new StAX XMLEventFactory, with sensible defaults ++ */ ++ public static XMLEventFactory newXMLEventFactory() { ++ return XMLEventFactory.newFactory(); ++ } ++ ++ private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) { ++ try { ++ factory.setProperty(feature, flag); ++ } catch (Exception e) { ++ logger.log(XBLogger.WARN, "StAX Property unsupported", feature, e); ++ } catch (AbstractMethodError ame) { ++ logger.log(XBLogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame); ++ } ++ } ++ ++ private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) { ++ try { ++ factory.setProperty(feature, flag); ++ } catch (Exception e) { ++ 
logger.log(XBLogger.WARN, "StAX Property unsupported", feature, e);
++ } catch (AbstractMethodError ame) {
++ logger.log(XBLogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
++ }
++ }
++}
+diff --git a/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java b/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
+index e6463f51..28d97318 100644
+--- a/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
++++ b/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
+@@ -21,6 +21,7 @@ import org.apache.xmlbeans.XmlException;
+ import org.apache.xmlbeans.XmlObject;
+ import org.apache.xmlbeans.XmlOptions;
+ import org.apache.xmlbeans.XmlError;
++import org.apache.xmlbeans.impl.common.StaxHelper;
+ import org.apache.xmlbeans.impl.validator.ValidatingXMLStreamReader;
+ 
+ import javax.xml.stream.XMLInputFactory;
+@@ -39,7 +40,7 @@ import java.util.HashSet;
+ 
+ public class StreamInstanceValidator
+ {
+- private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
++ private static final XMLInputFactory XML_INPUT_FACTORY = StaxHelper.newXMLInputFactory();
+ 
+ public static void printUsage()
+ {
+--
+2.23.0
+
diff --git a/CVE-2021-23926-pre.patch b/CVE-2021-23926-pre.patch
new file mode 100644
index 0000000..ed9e9ee
--- /dev/null
+++ b/CVE-2021-23926-pre.patch
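Review bot: In `newXMLInputFactory` the two properties that make up the XXE defence, `SUPPORT_DTD=false` and `IS_SUPPORTING_EXTERNAL_ENTITIES=false`, are set through `trySetProperty`, which swallows any exception and only logs at WARN through XBLogger; because XBLogFactory falls back to NullLogger unless the org.apache.xmlbeans.impl.store.XBLogger system property is set, a StAX implementation that rejects either property yields an unhardened factory with no trace in the logs. Best-effort is fine for IS_NAMESPACE_AWARE and IS_REPAIRING_NAMESPACES, but for these two the safe behaviour is to fail loudly, or at minimum read the value back with `getProperty` and refuse to return the factory if it did not take. StreamInstanceValidator's static XML_INPUT_FACTORY field is the only caller changed here; other XMLInputFactory.newInstance() call sites in the code base, if any exist, still get a default factory and are not visible from this patch. A sketch of a strict setter for the two security properties follows.
```java
public static XMLInputFactory newXMLInputFactory() {
    // … unchanged: newFactory(), IS_NAMESPACE_AWARE, IS_VALIDATING …
    // these two are the XXE defence: never hand out a factory that did not accept them
    requireProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
    requireProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    return factory;
}

/** Like trySetProperty, but a refused or silently ignored setting is an error, not a warning. */
private static void requireProperty(XMLInputFactory factory, String name, boolean flag) {
    try {
        factory.setProperty(name, flag);
    } catch (Exception e) {
        throw new IllegalStateException("StAX implementation rejected " + name + "=" + flag, e);
    }
    if (!Boolean.valueOf(flag).equals(factory.getProperty(name))) {
        throw new IllegalStateException("StAX property " + name + " could not be set to " + flag);
    }
}
// … unchanged: newXMLOutputFactory, newXMLEventFactory, trySetProperty overloads …
```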
@@ -0,0 +1,461 @@ +From a8ecfd058a46a00ea76624a516b6def793c53821 Mon Sep 17 00:00:00 2001 +From: PJ Fanning +Date: Sat, 26 May 2018 08:31:14 +0000 +Subject: [PATCH] fix build and bring in fixes from + https://github.com/pjfanning/xmlbeans/blob/trunk/CHANGES.txt + +[Part of 3.0.0 backport of +https://github.com/apache/xmlbeans/commit/a8ecfd0] + +--- + .../xmlbeans/impl/store/NullLogger.java | 81 ++++++++++++ + .../apache/xmlbeans/impl/store/SAXHelper.java | 99 +++++++++++++++ + .../xmlbeans/impl/store/XBLogFactory.java | 119 ++++++++++++++++++ + .../apache/xmlbeans/impl/store/XBLogger.java | 115 +++++++++++++++++ + 4 files changed, 414 insertions(+) + create mode 100644 src/store/org/apache/xmlbeans/impl/store/NullLogger.java + create mode 100644 src/store/org/apache/xmlbeans/impl/store/SAXHelper.java + create mode 100644 src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java + create mode 100644 src/store/org/apache/xmlbeans/impl/store/XBLogger.java + +diff --git a/src/store/org/apache/xmlbeans/impl/store/NullLogger.java b/src/store/org/apache/xmlbeans/impl/store/NullLogger.java +new file mode 100644 +index 00000000..aca8d1d5 +--- /dev/null ++++ b/src/store/org/apache/xmlbeans/impl/store/NullLogger.java +@@ -0,0 +1,81 @@ ++/* Copyright 2017 The Apache Software Foundation ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. 
++ */ ++ ++package org.apache.xmlbeans.impl.store; ++ ++/** ++ * A logger class that strives to make it as easy as possible for ++ * developers to write log calls, while simultaneously making those ++ * calls as cheap as possible by performing lazy evaluation of the log ++ * message.

++ */ ++public class NullLogger extends XBLogger { ++ @Override ++ public void initialize(final String cat) { ++ // do nothing ++ } ++ ++ /** ++ * Log a message ++ * ++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL ++ * @param obj1 The object to log. ++ */ ++ ++ @Override ++ protected void _log(final int level, final Object obj1) { ++ // do nothing ++ } ++ ++ /** ++ * Log a message ++ * ++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL ++ * @param obj1 The object to log. This is converted to a string. ++ * @param exception An exception to be logged ++ */ ++ @Override ++ protected void _log(int level, Object obj1, final Throwable exception) { ++ // do nothing ++ } ++ ++ /** ++ * Log a message. Lazily appends Object parameters together. ++ * If the last parameter is a {@link Throwable} it is logged specially. ++ * ++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL ++ * @param objs the objects to place in the message ++ */ ++ @Override ++ public void log(int level, Object... objs) { ++ // do nothing ++ } ++ ++ ++ /** ++ * Check if a logger is enabled to log at the specified level ++ * ++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL ++ */ ++ @Override ++ public boolean check(final int level) { ++ return false; ++ } ++} ++ ++ ++ ++ ++ +diff --git a/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java b/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java +new file mode 100644 +index 00000000..67fb3a0e +--- /dev/null ++++ b/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java +@@ -0,0 +1,99 @@ ++/* Copyright 2017 The Apache Software Foundation ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. 
++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package org.apache.xmlbeans.impl.store; ++ ++import java.io.IOException; ++import java.io.StringReader; ++import java.lang.reflect.Method; ++import java.util.concurrent.TimeUnit; ++ ++import javax.xml.XMLConstants; ++import javax.xml.parsers.ParserConfigurationException; ++import javax.xml.parsers.SAXParserFactory; ++ ++import org.xml.sax.EntityResolver; ++import org.xml.sax.InputSource; ++import org.xml.sax.SAXException; ++import org.xml.sax.XMLReader; ++ ++/** ++ * Provides handy methods for working with SAX parsers and readers ++ */ ++public final class SAXHelper { ++ private static final XBLogger logger = XBLogFactory.getLogger(SAXHelper.class); ++ private static long lastLog; ++ ++ private SAXHelper() {} ++ ++ /** ++ * Creates a new SAX XMLReader, with sensible defaults ++ */ ++ public static synchronized XMLReader newXMLReader() throws SAXException, ParserConfigurationException { ++ XMLReader xmlReader = saxFactory.newSAXParser().getXMLReader(); ++ xmlReader.setEntityResolver(IGNORING_ENTITY_RESOLVER); ++ trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING); ++ trySetXercesSecurityManager(xmlReader); ++ return xmlReader; ++ } ++ ++ static final EntityResolver IGNORING_ENTITY_RESOLVER = new EntityResolver() { ++ @Override ++ public InputSource resolveEntity(String publicId, String systemId) ++ throws SAXException, IOException { ++ return new InputSource(new StringReader("")); ++ } ++ }; ++ ++ private static final SAXParserFactory saxFactory; ++ static { ++ saxFactory = SAXParserFactory.newInstance(); ++ 
saxFactory.setValidating(false); ++ saxFactory.setNamespaceAware(true); ++ } ++ ++ private static void trySetSAXFeature(XMLReader xmlReader, String feature) { ++ try { ++ xmlReader.setFeature(feature, true); ++ } catch (Exception e) { ++ logger.log(XBLogger.WARN, "SAX Feature unsupported", feature, e); ++ } catch (AbstractMethodError ame) { ++ logger.log(XBLogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame); ++ } ++ } ++ ++ private static void trySetXercesSecurityManager(XMLReader xmlReader) { ++ // Try built-in JVM one first, standalone if not ++ for (String securityManagerClassName : new String[] { ++ "com.sun.org.apache.xerces.internal.util.SecurityManager", ++ "org.apache.xerces.util.SecurityManager" ++ }) { ++ try { ++ Object mgr = Class.forName(securityManagerClassName).newInstance(); ++ Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE); ++ setLimit.invoke(mgr, 4096); ++ xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr); ++ // Stop once one can be setup without error ++ return; ++ } catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here ++ // throttle the log somewhat as it can spam the log otherwise ++ if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) { ++ logger.log(XBLogger.WARN, "SAX Security Manager could not be setup [log suppressed for 5 minutes]", e); ++ lastLog = System.currentTimeMillis(); ++ } ++ } ++ } ++ } ++} +diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java b/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java +new file mode 100644 +index 00000000..f31d4db7 +--- /dev/null ++++ b/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java +@@ -0,0 +1,119 @@ ++/* Copyright 2017 The Apache Software Foundation ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * you may not use this file except in compliance with the License. 
++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++package org.apache.xmlbeans.impl.store; ++ ++import java.util.HashMap; ++import java.util.Map; ++ ++/** ++ * Provides logging without clients having to mess with ++ * configuration/initialization. ++ * ++ * @author Andrew C. Oliver (acoliver at apache dot org) ++ * @author Marc Johnson (mjohnson at apache dot org) ++ * @author Nicola Ken Barozzi (nicolaken at apache.org) ++ */ ++public final class XBLogFactory { ++ /** ++ * Map of XBLogger instances, with classes as keys ++ */ ++ private static final Map _loggers = new HashMap(); ++ ++ /** ++ * A common instance of NullLogger, as it does nothing ++ * we only need the one ++ */ ++ private static final XBLogger _nullLogger = new NullLogger(); ++ /** ++ * The name of the class to use. Initialised the ++ * first time we need it ++ */ ++ static String _loggerClassName = null; ++ ++ /** ++ * Construct a XBLogFactory. 
++ */ ++ private XBLogFactory() {} ++ ++ /** ++ * Get a logger, based on a class name ++ * ++ * @param theclass the class whose name defines the log ++ * ++ * @return a XBLogger for the specified class ++ */ ++ public static XBLogger getLogger(final Class theclass) { ++ return getLogger(theclass.getName()); ++ } ++ ++ /** ++ * Get a logger, based on a String ++ * ++ * @param cat the String that defines the log ++ * ++ * @return a XBLogger for the specified class ++ */ ++ public static XBLogger getLogger(final String cat) { ++ // If we haven't found out what logger to use yet, ++ // then do so now ++ // Don't look it up until we're first asked, so ++ // that our users can set the system property ++ // between class loading and first use ++ if(_loggerClassName == null) { ++ try { ++ _loggerClassName = System.getProperty("org.apache.xmlbeans.impl.store.XBLogger"); ++ } catch(Exception e) { ++ // ignore any exception here ++ } ++ ++ // Use the default logger if none specified, ++ // or none could be fetched ++ if(_loggerClassName == null) { ++ _loggerClassName = _nullLogger.getClass().getName(); ++ } ++ } ++ ++ // Short circuit for the null logger, which ++ // ignores all categories ++ if(_loggerClassName.equals(_nullLogger.getClass().getName())) { ++ return _nullLogger; ++ } ++ ++ ++ // Fetch the right logger for them, creating ++ // it if that's required ++ XBLogger logger = _loggers.get(cat); ++ if (logger == null) { ++ try { ++ @SuppressWarnings("unchecked") ++ Class loggerClass = ++ (Class) Class.forName(_loggerClassName); ++ logger = loggerClass.newInstance(); ++ logger.initialize(cat); ++ } catch(Exception e) { ++ // Give up and use the null logger ++ logger = _nullLogger; ++ _loggerClassName = _nullLogger.getClass().getName(); ++ } ++ ++ // Save for next time ++ _loggers.put(cat, logger); ++ } ++ return logger; ++ } ++} ++ ++ +diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogger.java b/src/store/org/apache/xmlbeans/impl/store/XBLogger.java +new file 
mode 100644
+index 00000000..fa605112
+--- /dev/null
++++ b/src/store/org/apache/xmlbeans/impl/store/XBLogger.java
+@@ -0,0 +1,115 @@
++/* Copyright 2017 The Apache Software Foundation
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.apache.xmlbeans.impl.store;
++
++/**
++ * A logger interface that strives to make it as easy as possible for
++ * developers to write log calls, while simultaneously making those
++ * calls as cheap as possible by performing lazy evaluation of the log
++ * message.

++ */
++public abstract class XBLogger {
++
++ public static final int DEBUG = 1;
++ public static final int INFO = 3;
++ public static final int WARN = 5;
++ public static final int ERROR = 7;
++ public static final int FATAL = 9;
++
++ /** Short strings for numeric log level. Use level as array index. */
++ protected static final String LEVEL_STRINGS_SHORT[] = {"?", "D", "?", "I", "?", "W", "?", "E", "?", "F", "?"};
++ /** Long strings for numeric log level. Use level as array index. */
++ protected static final String LEVEL_STRINGS[] = {"?0?", "DEBUG", "?2?", "INFO", "?4?", "WARN", "?6?", "ERROR", "?8?", "FATAL", "?10+?"};
++
++
++ /**
++ * package scope so it cannot be instantiated outside of the util
++ * package. You need a XBLogger? Go to the XBLogFactory for one
++ */
++ XBLogger() {
++ // no fields to initialize
++ }
++
++ abstract public void initialize(String cat);
++
++ /**
++ * Log a message
++ *
++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
++ * @param obj1 The object to log. This is converted to a string.
++ */
++ abstract protected void _log(int level, Object obj1);
++
++ /**
++ * Log a message
++ *
++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
++ * @param obj1 The object to log. This is converted to a string.
++ * @param exception An exception to be logged
++ */
++ abstract protected void _log(int level, Object obj1, final Throwable exception);
++
++
++ /**
++ * Check if a logger is enabled to log at the specified level
++ * This allows code to avoid building strings or evaluating functions in
++ * the arguments to log.
++ *
++ * An example:
++ *

++     * if (logger.check(XBLogger.INFO)) {
++     *     logger.log(XBLogger.INFO, "Avoid concatenating " + " strings and evaluating " + functions());
++     * }
++     * 
++ *
++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
++ */
++ abstract public boolean check(int level);
++
++ /**
++ * Log a message. Lazily appends Object parameters together.
++ * If the last parameter is a {@link Throwable} it is logged specially.
++ *
++ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
++ * @param objs the objects to place in the message
++ */
++ public void log(int level, Object... objs) {
++ if (!check(level)) return;
++ StringBuilder sb = new StringBuilder(32);
++ Throwable lastEx = null;
++ for (int i=0; i - 2.6.0-2 +- Fix CVE-2021-23926 + * Thu Aug 20 2020 maminjie - 2.6.0-1 - package init