packages/xmlbeans
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!2 fix CVE-2021-23926

Browse Source 
From: @wangxiao65
Reviewed-by: @wang_yue111,@wangchong1995924
Signed-off-by: @wangchong1995924
This commit is contained in:
openeuler-ci-bot 2021-02-09 09:24:28 +08:00 committed by Gitee
commit 7aa4d81d13
4 changed files with 1013 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

421
CVE-2021-23926-1.patch Normal file
View File

@ -0,0 +1,421 @@
From 80cb805eb1488ba3a16c427866fa8ae1f52ff0c5 Mon Sep 17 00:00:00 2001
From: PJ Fanning <fanningpj@apache.org>
Date: Sun, 10 Jun 2018 10:15:30 +0000
Subject: [PATCH 1/2] use safe XML parsers
git-svn-id: https://svn.apache.org/repos/asf/xmlbeans/trunk@1833260 13f79535-47bb-0310-9956-ffa450edef68
---
.../xmlbeans/impl/common/DocumentHelper.java | 165 ++++++++++++++++++
.../xmlbeans/impl/common/LoadSaveUtils.java | 6 +-
.../xmlbeans/impl/common}/NullLogger.java | 4 +-
.../xmlbeans/impl/common}/SAXHelper.java | 6 +-
.../apache/xmlbeans/impl/common/Sax2Dom.java | 9 +-
.../xmlbeans/impl/common}/XBLogFactory.java | 4 +-
.../xmlbeans/impl/common}/XBLogger.java | 4 +-
.../apache/xmlbeans/impl/store/Locale.java | 24 +--
8 files changed, 189 insertions(+), 33 deletions(-)
create mode 100644 src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java
rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/NullLogger.java (95%)
rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/SAXHelper.java (96%)
rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/XBLogFactory.java (97%)
rename src/{store/org/apache/xmlbeans/impl/store => common/org/apache/xmlbeans/impl/common}/XBLogger.java (97%)
diff --git a/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java b/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java
new file mode 100644
index 00000000..8c487644
--- /dev/null
+++ b/src/common/org/apache/xmlbeans/impl/common/DocumentHelper.java
@@ -0,0 +1,165 @@
+/* Copyright 2004-2018 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.common;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Method;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.events.Namespace;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.xml.sax.ErrorHandler;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
+
+public final class DocumentHelper {
+ private static XBLogger logger = XBLogFactory.getLogger(DocumentHelper.class);
+
+ private DocumentHelper() {}
+
+ private static class DocHelperErrorHandler implements ErrorHandler {
+
+ public void warning(SAXParseException exception) throws SAXException {
+ printError(XBLogger.WARN, exception);
+ }
+
+ public void error(SAXParseException exception) throws SAXException {
+ printError(XBLogger.ERROR, exception);
+ }
+
+ public void fatalError(SAXParseException exception) throws SAXException {
+ printError(XBLogger.FATAL, exception);
+ throw exception;
+ }
+
+ /** Prints the error message. */
+ private void printError(int type, SAXParseException ex) {
+ StringBuilder sb = new StringBuilder();
+
+ String systemId = ex.getSystemId();
+ if (systemId != null) {
+ int index = systemId.lastIndexOf('/');
+ if (index != -1)
+ systemId = systemId.substring(index + 1);
+ sb.append(systemId);
+ }
+ sb.append(':');
+ sb.append(ex.getLineNumber());
+ sb.append(':');
+ sb.append(ex.getColumnNumber());
+ sb.append(": ");
+ sb.append(ex.getMessage());
+
+ logger.log(type, sb.toString(), ex);
+ }
+ }
+
+ /**
+ * Creates a new document builder, with sensible defaults
+ *
+ * @throws IllegalStateException If creating the DocumentBuilder fails, e.g.
+ * due to {@link ParserConfigurationException}.
+ */
+ public static synchronized DocumentBuilder newDocumentBuilder() {
+ try {
+ DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(SAXHelper.IGNORING_ENTITY_RESOLVER);
+ documentBuilder.setErrorHandler(new DocHelperErrorHandler());
+ return documentBuilder;
+ } catch (ParserConfigurationException e) {
+ throw new IllegalStateException("cannot create a DocumentBuilder", e);
+ }
+ }
+
+ private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ static {
+ documentBuilderFactory.setNamespaceAware(true);
+ documentBuilderFactory.setValidating(false);
+ trySetSAXFeature(documentBuilderFactory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ trySetXercesSecurityManager(documentBuilderFactory);
+ }
+
+ private static void trySetSAXFeature(DocumentBuilderFactory dbf, String feature, boolean enabled) {
+ try {
+ dbf.setFeature(feature, enabled);
+ } catch (Exception e) {
+ logger.log(XBLogger.WARN, "SAX Feature unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(XBLogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+ }
+ }
+
+ private static void trySetXercesSecurityManager(DocumentBuilderFactory dbf) {
+ // Try built-in JVM one first, standalone if not
+ for (String securityManagerClassName : new String[]{
+ //"com.sun.org.apache.xerces.internal.util.SecurityManager",
+ "org.apache.xerces.util.SecurityManager"
+ }) {
+ try {
+ Object mgr = Class.forName(securityManagerClassName).newInstance();
+ Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
+ setLimit.invoke(mgr, 4096);
+ dbf.setAttribute("http://apache.org/xml/properties/security-manager", mgr);
+ // Stop once one can be setup without error
+ return;
+ } catch (ClassNotFoundException e) {
+ // continue without log, this is expected in some setups
+ } catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here
+ logger.log(XBLogger.WARN, "SAX Security Manager could not be setup", e);
+ }
+ }
+
+ // separate old version of Xerces not found => use the builtin way of setting the property
+ dbf.setAttribute("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 4096);
+ }
+
+ /**
+ * Parses the given stream via the default (sensible)
+ * DocumentBuilder
+ * @param inp Stream to read the XML data from
+ * @return the parsed Document
+ */
+ public static Document readDocument(InputStream inp) throws IOException, SAXException {
+ return newDocumentBuilder().parse(inp);
+ }
+
+ /**
+ * Parses the given stream via the default (sensible)
+ * DocumentBuilder
+ * @param inp sax source to read the XML data from
+ * @return the parsed Document
+ */
+ public static Document readDocument(InputSource inp) throws IOException, SAXException {
+ return newDocumentBuilder().parse(inp);
+ }
+
+ // must only be used to create empty documents, do not use it for parsing!
+ private static final DocumentBuilder documentBuilderSingleton = newDocumentBuilder();
+
+ /**
+ * Creates a new DOM Document
+ */
+ public static synchronized Document createDocument() {
+ return documentBuilderSingleton.newDocument();
+ }
+}
diff --git a/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java b/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java
index 74b52743..a80deff9 100644
--- a/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java
+++ b/src/common/org/apache/xmlbeans/impl/common/LoadSaveUtils.java
@@ -22,7 +22,6 @@ package org.apache.xmlbeans.impl.common;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;
-import javax.xml.parsers.SAXParserFactory;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLStreamWriter;
@@ -40,10 +39,7 @@ public class LoadSaveUtils
public static Document xmlText2GenericDom(InputStream is, Document emptyDoc)
throws SAXException, ParserConfigurationException, IOException
{
- SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setNamespaceAware(true);
-
- SAXParser parser = factory.newSAXParser();
+ SAXParser parser = SAXHelper.saxFactory.newSAXParser();
Sax2Dom handler = new Sax2Dom(emptyDoc);
diff --git a/src/store/org/apache/xmlbeans/impl/store/NullLogger.java b/src/common/org/apache/xmlbeans/impl/common/NullLogger.java
similarity index 95%
rename from src/store/org/apache/xmlbeans/impl/store/NullLogger.java
rename to src/common/org/apache/xmlbeans/impl/common/NullLogger.java
index aca8d1d5..6b5874a4 100644
--- a/src/store/org/apache/xmlbeans/impl/store/NullLogger.java
+++ b/src/common/org/apache/xmlbeans/impl/common/NullLogger.java
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
/**
* A logger class that strives to make it as easy as possible for
diff --git a/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java b/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
similarity index 96%
rename from src/store/org/apache/xmlbeans/impl/store/SAXHelper.java
rename to src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
index 67fb3a0e..71bed2dc 100644
--- a/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java
+++ b/src/common/org/apache/xmlbeans/impl/common/SAXHelper.java
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
import java.io.IOException;
import java.io.StringReader;
@@ -57,7 +57,7 @@ public final class SAXHelper {
}
};
- private static final SAXParserFactory saxFactory;
+ static final SAXParserFactory saxFactory;
static {
saxFactory = SAXParserFactory.newInstance();
saxFactory.setValidating(false);
diff --git a/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java b/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java
index 67294bb8..989eafcb 100644
--- a/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java
+++ b/src/common/org/apache/xmlbeans/impl/common/Sax2Dom.java
@@ -28,7 +28,6 @@ import org.xml.sax.helpers.DefaultHandler;
import org.xml.sax.ext.LexicalHandler;
import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.DocumentBuilderFactory;
import java.util.Stack;
import java.util.Vector;
@@ -49,9 +48,7 @@ public class Sax2Dom
public Sax2Dom() throws ParserConfigurationException
{
- final DocumentBuilderFactory factory =
- DocumentBuilderFactory.newInstance();
- _document = factory.newDocumentBuilder().newDocument();
+ _document = DocumentHelper.newDocumentBuilder().newDocument();
_root = _document;
}
@@ -68,9 +65,7 @@ public class Sax2Dom
}
else
{
- final DocumentBuilderFactory factory =
- DocumentBuilderFactory.newInstance();
- _document = factory.newDocumentBuilder().newDocument();
+ _document = DocumentHelper.newDocumentBuilder().newDocument();
_root = _document;
}
}
diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java b/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java
similarity index 97%
rename from src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java
rename to src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java
index f31d4db7..0afac4d5 100644
--- a/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java
+++ b/src/common/org/apache/xmlbeans/impl/common/XBLogFactory.java
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
import java.util.HashMap;
import java.util.Map;
diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogger.java b/src/common/org/apache/xmlbeans/impl/common/XBLogger.java
similarity index 97%
rename from src/store/org/apache/xmlbeans/impl/store/XBLogger.java
rename to src/common/org/apache/xmlbeans/impl/common/XBLogger.java
index fa605112..b1394226 100644
--- a/src/store/org/apache/xmlbeans/impl/store/XBLogger.java
+++ b/src/common/org/apache/xmlbeans/impl/common/XBLogger.java
@@ -1,4 +1,4 @@
-/* Copyright 2017 The Apache Software Foundation
+/* Copyright 2017, 2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -13,7 +13,7 @@
* limitations under the License.
*/
-package org.apache.xmlbeans.impl.store;
+package org.apache.xmlbeans.impl.common;
/**
* A logger interface that strives to make it as easy as possible for
diff --git a/src/store/org/apache/xmlbeans/impl/store/Locale.java b/src/store/org/apache/xmlbeans/impl/store/Locale.java
index 1f02a160..4a4d5927 100644
--- a/src/store/org/apache/xmlbeans/impl/store/Locale.java
+++ b/src/store/org/apache/xmlbeans/impl/store/Locale.java
@@ -1,4 +1,4 @@
-/* Copyright 2004 The Apache Software Foundation
+/* Copyright 2004-2018 The Apache Software Foundation
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -15,7 +15,6 @@
package org.apache.xmlbeans.impl.store;
-import org.apache.xmlbeans.XmlErrorCodes;
import org.xml.sax.Locator;
import org.xml.sax.Attributes;
import org.xml.sax.ContentHandler;
@@ -45,6 +44,7 @@ import java.io.Reader;
import java.io.StringReader;
import java.io.IOException;
+import javax.xml.namespace.QName;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.XMLStreamException;
@@ -59,15 +59,7 @@ import org.apache.xmlbeans.xml.stream.XMLEvent;
import org.apache.xmlbeans.xml.stream.XMLInputStream;
import org.apache.xmlbeans.xml.stream.XMLName;
-import org.w3c.dom.DOMImplementation;
-import org.w3c.dom.Document;
-import org.w3c.dom.DocumentType;
-import org.w3c.dom.Node;
-import org.w3c.dom.NamedNodeMap;
-import org.w3c.dom.Element;
-
-import javax.xml.namespace.QName;
-
+import org.apache.xmlbeans.impl.common.SAXHelper;
import org.apache.xmlbeans.impl.common.XMLNameHelper;
import org.apache.xmlbeans.impl.common.QNameHelper;
import org.apache.xmlbeans.impl.common.XmlLocale;
@@ -89,10 +81,11 @@ import org.apache.xmlbeans.XmlBeans;
import org.apache.xmlbeans.XmlLineNumber;
import org.apache.xmlbeans.XmlCursor;
import org.apache.xmlbeans.XmlCursor.XmlBookmark;
-import org.apache.xmlbeans.XmlSaxHandler;
+import org.apache.xmlbeans.XmlErrorCodes;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
+import org.apache.xmlbeans.XmlSaxHandler;
import org.apache.xmlbeans.SchemaType;
import org.apache.xmlbeans.SchemaTypeLoader;
import org.apache.xmlbeans.XmlTokenSource;
@@ -109,6 +102,13 @@ import org.apache.xmlbeans.impl.values.TypeStoreUserFactory;
import org.apache.xmlbeans.impl.piccolo.xml.Piccolo;
import org.apache.xmlbeans.impl.piccolo.io.FileFormatException;
+import org.w3c.dom.DOMImplementation;
+import org.w3c.dom.Document;
+import org.w3c.dom.DocumentType;
+import org.w3c.dom.Node;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Element;
+
public final class Locale
implements DOMImplementation, SaajCallback, XmlLocale
{
--
2.23.0

120
CVE-2021-23926-2.patch Normal file
View File

@ -0,0 +1,120 @@
From a2604e07eeb04bd9a88f8624c3b8efd57b88237c Mon Sep 17 00:00:00 2001
From: PJ Fanning <fanningpj@apache.org>
Date: Sun, 10 Jun 2018 10:38:41 +0000
Subject: [PATCH 2/2] use safe XML parsers
git-svn-id: https://svn.apache.org/repos/asf/xmlbeans/trunk@1833263 13f79535-47bb-0310-9956-ffa450edef68
---
.../xmlbeans/impl/common/StaxHelper.java | 78 +++++++++++++++++++
.../impl/tool/StreamInstanceValidator.java | 3 +-
2 files changed, 80 insertions(+), 1 deletion(-)
create mode 100644 src/common/org/apache/xmlbeans/impl/common/StaxHelper.java
diff --git a/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java b/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java
new file mode 100644
index 00000000..b6a960ca
--- /dev/null
+++ b/src/common/org/apache/xmlbeans/impl/common/StaxHelper.java
@@ -0,0 +1,78 @@
+/* Copyright 2017, 2018 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.common;
+
+import javax.xml.stream.XMLEventFactory;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLOutputFactory;
+
+
+/**
+ * Provides handy methods for working with StAX parsers and readers
+ */
+public final class StaxHelper {
+ private static final XBLogger logger = XBLogFactory.getLogger(StaxHelper.class);
+
+ private StaxHelper() {}
+
+ /**
+ * Creates a new StAX XMLInputFactory, with sensible defaults
+ */
+ public static XMLInputFactory newXMLInputFactory() {
+ XMLInputFactory factory = XMLInputFactory.newFactory();
+ trySetProperty(factory, XMLInputFactory.IS_NAMESPACE_AWARE, true);
+ trySetProperty(factory, XMLInputFactory.IS_VALIDATING, false);
+ trySetProperty(factory, XMLInputFactory.SUPPORT_DTD, false);
+ trySetProperty(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+ return factory;
+ }
+
+ /**
+ * Creates a new StAX XMLOutputFactory, with sensible defaults
+ */
+ public static XMLOutputFactory newXMLOutputFactory() {
+ XMLOutputFactory factory = XMLOutputFactory.newFactory();
+ trySetProperty(factory, XMLOutputFactory.IS_REPAIRING_NAMESPACES, true);
+ return factory;
+ }
+
+ /**
+ * Creates a new StAX XMLEventFactory, with sensible defaults
+ */
+ public static XMLEventFactory newXMLEventFactory() {
+ return XMLEventFactory.newFactory();
+ }
+
+ private static void trySetProperty(XMLInputFactory factory, String feature, boolean flag) {
+ try {
+ factory.setProperty(feature, flag);
+ } catch (Exception e) {
+ logger.log(XBLogger.WARN, "StAX Property unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(XBLogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+ }
+ }
+
+ private static void trySetProperty(XMLOutputFactory factory, String feature, boolean flag) {
+ try {
+ factory.setProperty(feature, flag);
+ } catch (Exception e) {
+ logger.log(XBLogger.WARN, "StAX Property unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(XBLogger.WARN, "Cannot set StAX property because outdated StAX parser in classpath", feature, ame);
+ }
+ }
+}
diff --git a/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java b/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
index e6463f51..28d97318 100644
--- a/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
+++ b/src/xmlcomp/org/apache/xmlbeans/impl/tool/StreamInstanceValidator.java
@@ -21,6 +21,7 @@ import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.apache.xmlbeans.XmlError;
+import org.apache.xmlbeans.impl.common.StaxHelper;
import org.apache.xmlbeans.impl.validator.ValidatingXMLStreamReader;
import javax.xml.stream.XMLInputFactory;
@@ -39,7 +40,7 @@ import java.util.HashSet;
public class StreamInstanceValidator
{
- private static final XMLInputFactory XML_INPUT_FACTORY = XMLInputFactory.newInstance();
+ private static final XMLInputFactory XML_INPUT_FACTORY = StaxHelper.newXMLInputFactory();
public static void printUsage()
{
--
2.23.0

461
CVE-2021-23926-pre.patch Normal file
View File

@ -0,0 +1,461 @@
From a8ecfd058a46a00ea76624a516b6def793c53821 Mon Sep 17 00:00:00 2001
From: PJ Fanning <fanningpj@apache.org>
Date: Sat, 26 May 2018 08:31:14 +0000
Subject: [PATCH] fix build and bring in fixes from
https://github.com/pjfanning/xmlbeans/blob/trunk/CHANGES.txt
[Part of 3.0.0 backport of
https://github.com/apache/xmlbeans/commit/a8ecfd0]
---
.../xmlbeans/impl/store/NullLogger.java | 81 ++++++++++++
.../apache/xmlbeans/impl/store/SAXHelper.java | 99 +++++++++++++++
.../xmlbeans/impl/store/XBLogFactory.java | 119 ++++++++++++++++++
.../apache/xmlbeans/impl/store/XBLogger.java | 115 +++++++++++++++++
4 files changed, 414 insertions(+)
create mode 100644 src/store/org/apache/xmlbeans/impl/store/NullLogger.java
create mode 100644 src/store/org/apache/xmlbeans/impl/store/SAXHelper.java
create mode 100644 src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java
create mode 100644 src/store/org/apache/xmlbeans/impl/store/XBLogger.java
diff --git a/src/store/org/apache/xmlbeans/impl/store/NullLogger.java b/src/store/org/apache/xmlbeans/impl/store/NullLogger.java
new file mode 100644
index 00000000..aca8d1d5
--- /dev/null
+++ b/src/store/org/apache/xmlbeans/impl/store/NullLogger.java
@@ -0,0 +1,81 @@
+/* Copyright 2017 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.store;
+
+/**
+ * A logger class that strives to make it as easy as possible for
+ * developers to write log calls, while simultaneously making those
+ * calls as cheap as possible by performing lazy evaluation of the log
+ * message.<p>
+ */
+public class NullLogger extends XBLogger {
+ @Override
+ public void initialize(final String cat) {
+ // do nothing
+ }
+
+ /**
+ * Log a message
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ * @param obj1 The object to log.
+ */
+
+ @Override
+ protected void _log(final int level, final Object obj1) {
+ // do nothing
+ }
+
+ /**
+ * Log a message
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ * @param obj1 The object to log. This is converted to a string.
+ * @param exception An exception to be logged
+ */
+ @Override
+ protected void _log(int level, Object obj1, final Throwable exception) {
+ // do nothing
+ }
+
+ /**
+ * Log a message. Lazily appends Object parameters together.
+ * If the last parameter is a {@link Throwable} it is logged specially.
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ * @param objs the objects to place in the message
+ */
+ @Override
+ public void log(int level, Object... objs) {
+ // do nothing
+ }
+
+
+ /**
+ * Check if a logger is enabled to log at the specified level
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ */
+ @Override
+ public boolean check(final int level) {
+ return false;
+ }
+}
+
+
+
+
+
diff --git a/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java b/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java
new file mode 100644
index 00000000..67fb3a0e
--- /dev/null
+++ b/src/store/org/apache/xmlbeans/impl/store/SAXHelper.java
@@ -0,0 +1,99 @@
+/* Copyright 2017 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.store;
+
+import java.io.IOException;
+import java.io.StringReader;
+import java.lang.reflect.Method;
+import java.util.concurrent.TimeUnit;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+
+/**
+ * Provides handy methods for working with SAX parsers and readers
+ */
+public final class SAXHelper {
+ private static final XBLogger logger = XBLogFactory.getLogger(SAXHelper.class);
+ private static long lastLog;
+
+ private SAXHelper() {}
+
+ /**
+ * Creates a new SAX XMLReader, with sensible defaults
+ */
+ public static synchronized XMLReader newXMLReader() throws SAXException, ParserConfigurationException {
+ XMLReader xmlReader = saxFactory.newSAXParser().getXMLReader();
+ xmlReader.setEntityResolver(IGNORING_ENTITY_RESOLVER);
+ trySetSAXFeature(xmlReader, XMLConstants.FEATURE_SECURE_PROCESSING);
+ trySetXercesSecurityManager(xmlReader);
+ return xmlReader;
+ }
+
+ static final EntityResolver IGNORING_ENTITY_RESOLVER = new EntityResolver() {
+ @Override
+ public InputSource resolveEntity(String publicId, String systemId)
+ throws SAXException, IOException {
+ return new InputSource(new StringReader(""));
+ }
+ };
+
+ private static final SAXParserFactory saxFactory;
+ static {
+ saxFactory = SAXParserFactory.newInstance();
+ saxFactory.setValidating(false);
+ saxFactory.setNamespaceAware(true);
+ }
+
+ private static void trySetSAXFeature(XMLReader xmlReader, String feature) {
+ try {
+ xmlReader.setFeature(feature, true);
+ } catch (Exception e) {
+ logger.log(XBLogger.WARN, "SAX Feature unsupported", feature, e);
+ } catch (AbstractMethodError ame) {
+ logger.log(XBLogger.WARN, "Cannot set SAX feature because outdated XML parser in classpath", feature, ame);
+ }
+ }
+
+ private static void trySetXercesSecurityManager(XMLReader xmlReader) {
+ // Try built-in JVM one first, standalone if not
+ for (String securityManagerClassName : new String[] {
+ "com.sun.org.apache.xerces.internal.util.SecurityManager",
+ "org.apache.xerces.util.SecurityManager"
+ }) {
+ try {
+ Object mgr = Class.forName(securityManagerClassName).newInstance();
+ Method setLimit = mgr.getClass().getMethod("setEntityExpansionLimit", Integer.TYPE);
+ setLimit.invoke(mgr, 4096);
+ xmlReader.setProperty("http://apache.org/xml/properties/security-manager", mgr);
+ // Stop once one can be setup without error
+ return;
+ } catch (Throwable e) { // NOSONAR - also catch things like NoClassDefError here
+ // throttle the log somewhat as it can spam the log otherwise
+ if(System.currentTimeMillis() > lastLog + TimeUnit.MINUTES.toMillis(5)) {
+ logger.log(XBLogger.WARN, "SAX Security Manager could not be setup [log suppressed for 5 minutes]", e);
+ lastLog = System.currentTimeMillis();
+ }
+ }
+ }
+ }
+}
diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java b/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java
new file mode 100644
index 00000000..f31d4db7
--- /dev/null
+++ b/src/store/org/apache/xmlbeans/impl/store/XBLogFactory.java
@@ -0,0 +1,119 @@
+/* Copyright 2017 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.store;
+
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Provides logging without clients having to mess with
+ * configuration/initialization.
+ *
+ * @author Andrew C. Oliver (acoliver at apache dot org)
+ * @author Marc Johnson (mjohnson at apache dot org)
+ * @author Nicola Ken Barozzi (nicolaken at apache.org)
+ */
+public final class XBLogFactory {
+ /**
+ * Map of XBLogger instances, with classes as keys
+ */
+ private static final Map<String,XBLogger> _loggers = new HashMap<String,XBLogger>();
+
+ /**
+ * A common instance of NullLogger, as it does nothing
+ * we only need the one
+ */
+ private static final XBLogger _nullLogger = new NullLogger();
+ /**
+ * The name of the class to use. Initialised the
+ * first time we need it
+ */
+ static String _loggerClassName = null;
+
+ /**
+ * Construct a XBLogFactory.
+ */
+ private XBLogFactory() {}
+
+ /**
+ * Get a logger, based on a class name
+ *
+ * @param theclass the class whose name defines the log
+ *
+ * @return a XBLogger for the specified class
+ */
+ public static XBLogger getLogger(final Class<?> theclass) {
+ return getLogger(theclass.getName());
+ }
+
+ /**
+ * Get a logger, based on a String
+ *
+ * @param cat the String that defines the log
+ *
+ * @return a XBLogger for the specified class
+ */
+ public static XBLogger getLogger(final String cat) {
+ // If we haven't found out what logger to use yet,
+ // then do so now
+ // Don't look it up until we're first asked, so
+ // that our users can set the system property
+ // between class loading and first use
+ if(_loggerClassName == null) {
+ try {
+ _loggerClassName = System.getProperty("org.apache.xmlbeans.impl.store.XBLogger");
+ } catch(Exception e) {
+ // ignore any exception here
+ }
+
+ // Use the default logger if none specified,
+ // or none could be fetched
+ if(_loggerClassName == null) {
+ _loggerClassName = _nullLogger.getClass().getName();
+ }
+ }
+
+ // Short circuit for the null logger, which
+ // ignores all categories
+ if(_loggerClassName.equals(_nullLogger.getClass().getName())) {
+ return _nullLogger;
+ }
+
+
+ // Fetch the right logger for them, creating
+ // it if that's required
+ XBLogger logger = _loggers.get(cat);
+ if (logger == null) {
+ try {
+ @SuppressWarnings("unchecked")
+ Class<? extends XBLogger> loggerClass =
+ (Class<? extends XBLogger>) Class.forName(_loggerClassName);
+ logger = loggerClass.newInstance();
+ logger.initialize(cat);
+ } catch(Exception e) {
+ // Give up and use the null logger
+ logger = _nullLogger;
+ _loggerClassName = _nullLogger.getClass().getName();
+ }
+
+ // Save for next time
+ _loggers.put(cat, logger);
+ }
+ return logger;
+ }
+}
+
+
diff --git a/src/store/org/apache/xmlbeans/impl/store/XBLogger.java b/src/store/org/apache/xmlbeans/impl/store/XBLogger.java
new file mode 100644
index 00000000..fa605112
--- /dev/null
+++ b/src/store/org/apache/xmlbeans/impl/store/XBLogger.java
@@ -0,0 +1,115 @@
+/* Copyright 2017 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.xmlbeans.impl.store;
+
+/**
+ * A logger interface that strives to make it as easy as possible for
+ * developers to write log calls, while simultaneously making those
+ * calls as cheap as possible by performing lazy evaluation of the log
+ * message.<p>
+ */
+public abstract class XBLogger {
+
+ public static final int DEBUG = 1;
+ public static final int INFO = 3;
+ public static final int WARN = 5;
+ public static final int ERROR = 7;
+ public static final int FATAL = 9;
+
+ /** Short strings for numeric log level. Use level as array index. */
+ protected static final String LEVEL_STRINGS_SHORT[] = {"?", "D", "?", "I", "?", "W", "?", "E", "?", "F", "?"};
+ /** Long strings for numeric log level. Use level as array index. */
+ protected static final String LEVEL_STRINGS[] = {"?0?", "DEBUG", "?2?", "INFO", "?4?", "WARN", "?6?", "ERROR", "?8?", "FATAL", "?10+?"};
+
+
+ /**
+ * package scope so it cannot be instantiated outside of the util
+ * package. You need a XBLogger? Go to the XBLogFactory for one
+ */
+ XBLogger() {
+ // no fields to initialize
+ }
+
+ abstract public void initialize(String cat);
+
+ /**
+ * Log a message
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ * @param obj1 The object to log. This is converted to a string.
+ */
+ abstract protected void _log(int level, Object obj1);
+
+ /**
+ * Log a message
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ * @param obj1 The object to log. This is converted to a string.
+ * @param exception An exception to be logged
+ */
+ abstract protected void _log(int level, Object obj1, final Throwable exception);
+
+
+ /**
+ * Check if a logger is enabled to log at the specified level
+ * This allows code to avoid building strings or evaluating functions in
+ * the arguments to log.
+ *
+ * An example:
+ * <code><pre>
+ * if (logger.check(XBLogger.INFO)) {
+ * logger.log(XBLogger.INFO, "Avoid concatenating " + " strings and evaluating " + functions());
+ * }
+ * </pre></code>
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ */
+ abstract public boolean check(int level);
+
+ /**
+ * Log a message. Lazily appends Object parameters together.
+ * If the last parameter is a {@link Throwable} it is logged specially.
+ *
+ * @param level One of DEBUG, INFO, WARN, ERROR, FATAL
+ * @param objs the objects to place in the message
+ */
+ public void log(int level, Object... objs) {
+ if (!check(level)) return;
+ StringBuilder sb = new StringBuilder(32);
+ Throwable lastEx = null;
+ for (int i=0; i<objs.length; i++) {
+ if (i == objs.length-1 && objs[i] instanceof Throwable) {
+ lastEx = (Throwable)objs[i];
+ } else {
+ sb.append(objs[i]);
+ }
+ }
+
+ String msg = sb.toString();
+ msg = msg.replaceAll("[\r\n]+", " "); // log forging escape
+
+ // somehow this ambiguity works and doesn't lead to a loop,
+ // but it's confusing ...
+ if (lastEx == null) {
+ _log(level, msg);
+ } else {
+ _log(level, msg, lastEx);
+ }
+ }
+}
+
+
+
--
2.23.0

13
xmlbeans.spec
View File

@ -2,7 +2,7 @@
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
Name: xmlbeans
Version: 2.6.0
Release: 1
Release: 2
Summary: XML-Java binding tool
URL: http://xmlbeans.apache.org/
Source0: http://archive.apache.org/dist/xmlbeans/source/%{name}-%{version}-src.tgz
@ -15,7 +15,10 @@ Patch2: xmlbeans-2.6.0-iso-8859-1-encoding.patch
Patch3: xmlbeans-2.6.0-jsr-bundle.patch
Patch4: xmlbeans-scripts-classpath.patch
Patch5: xmlbeans-2.6.0-java8.patch
License: ASL 2.0
Patch6: CVE-2021-23926-pre.patch
Patch7: CVE-2021-23926-1.patch
Patch8: CVE-2021-23926-2.patch
License: Apache-2.0 and CPL-1.0
%if %without bootstrap
BuildRequires: xmlbeans
%endif
@ -66,6 +69,9 @@ Requires: %{name} = %{version}-%{release}
%patch3 -p1
%patch4 -p1
%patch5 -p0
%patch6 -p1
%patch7 -p1
%patch8 -p1
%build
find . \( -name '*.jar' -o -name '*.zip' \) \
@ -129,5 +135,8 @@ cp -pr build/docs/* README.txt $RPM_BUILD_ROOT%{_pkgdocdir}
%attr(0755,root,root) %{_bindir}/*
%changelog
* Mon Feb 8 2021 wangxiao <wangxiao65@huawei.com> - 2.6.0-2
- Fix CVE-2021-23926
* Thu Aug 20 2020 maminjie <maminjie1@huawei.com> - 2.6.0-1
- package init