ant-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 55132] New: Javadoc vulnerability (CVE-2013-1571, VU#225657)
Date Mon, 24 Jun 2013 12:25:19 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=55132

            Bug ID: 55132
           Summary: Javadoc vulnerability (CVE-2013-1571, VU#225657)
           Product: Ant
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: Core tasks
          Assignee: notifications@ant.apache.org
          Reporter: uwe@thetaphi.de

Recently Oracle released Java 7 update 25 to work around a serious frame
injection bug in the Javadocs as produced by JDK's javadoc tool. This also
applies to IBM J9 and JRockit.

The problem is: There is no public available bugfix release for Java 6 or Java
5 (which are also affected by the security issue). You can download 1.6.0_45
for MacOSX provided by Apple.

Any project that is on an older Java version (e.g. 1.5 or 1.6) and builds the
release candidates using the "official supported" Java version will produce
Javadocs that can no longer be published on the internet, because it would
bring any webserver administrator into trouble and may do harm to the company
(e.g., the ASF). ASF no longer allows to publish new javadocs with the frame
injection bug anymore (see mail to all committers) and enforces all PMCs to
"patch" their web site.

The Oracle patch tool is officially not ASF compliant (License-wise, see
https://issues.apache.org/jira/browse/LEGAL-171), so cannot be include into
official builds. But we still want to patch our javadocs directly after
generating them.

For Maven I provided a "replacement pather with ASF license), see
https://jira.codehaus.org/browse/MJAVADOC-370 - Maven will release a new
version ASAP.

For ANT, the Apache Lucene project has a ANT macro that can be called directly
after the <javadoc/> call (https://issues.apache.org/jira/browse/LUCENE-5072),
looks like that:

  <!--
    Patch frame injection bugs in javadoc generated files - see CVE-2013-1571,
http://www.kb.cert.org/vuls/id/225657

    Feel free to use this macro in your own Ant build file. This macro works
together with the javadoc task on Ant
    and should be invoked directly after its execution to patch broken
javadocs, e.g.:
      <patch-javadoc dir="..." docencoding="UTF-8"/>
    Please make sure that the docencoding parameter uses the same charset like
javadoc's docencoding. Default
    is the platform default encoding (like the javadoc task).
    The specified dir is the destination directory of the javadoc task.
  -->
  <macrodef name="patch-javadoc">
    <attribute name="dir"/>
    <attribute name="docencoding" default="${file.encoding}"/>
    <sequential>
      <replace encoding="@{docencoding}" summary="true"
taskname="patch-javadoc">
        <restrict>
          <fileset dir="@{dir}" casesensitive="false"
includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm"/>
          <!-- TODO: add encoding="@{docencoding}" to contains check, when we
are on ANT 1.9.0: -->
          <not><contains text="function validURL(url) {" casesensitive="true"
/></not>
        </restrict>
        <replacetoken><![CDATA[function loadFrames() {]]></replacetoken>
        <replacevalue expandProperties="false"><![CDATA[if (targetPage != "" &&
!validURL(targetPage))
        targetPage = "undefined";
    function validURL(url) {
        var pos = url.indexOf(".html");
        if (pos == -1 || pos != url.length - 5)
            return false;
        var allowNumber = false;
        var allowSep = false;
        var seenDot = false;
        for (var i = 0; i < url.length - 5; i++) {
            var ch = url.charAt(i);
            if ('a' <= ch && ch <= 'z' ||
                    'A' <= ch && ch <= 'Z' ||
                    ch == '$' ||
                    ch == '_') {
                allowNumber = true;
                allowSep = true;
            } else if ('0' <= ch && ch <= '9'
                    || ch == '-') {
                if (!allowNumber)
                     return false;
            } else if (ch == '/' || ch == '.') {
                if (!allowSep)
                    return false;
                allowNumber = false;
                allowSep = false;
                if (ch == '.')
                     seenDot = true;
                if (ch == '/' && seenDot)
                     return false;
            } else {
                return false;
            }
        }
        return true;
    }
    function loadFrames() {]]></replacevalue>
      </replace>
    </sequential>
  </macrodef>

It would be good to modify the ANT javadoc task to do this transformation
internally directly after calling the javadoc executable. The similar patch, as
used in Maven, could be ported 1:1 to Ant (replace plexus-utils with
DirectoryScanner and IOUtil/FileUtils by the ANT equivalents):
https://jira.codehaus.org/secure/attachment/63558/MJAVADOC-370.patch

We tested this approach with various JVMs, it correctly detects the buggy
javascript and patches for Oracle JDK 1.5.0_22, 1.6.0_32, 1.6.0_35, 1.7.0_21,
1.8.0-ea-b93, also Oracle JRockit and IBM J9 version 6 and 7. Oracle JDK
1.7.0_25 (and Apple JDK 1.6.0_45) will correctly not be touched. Same applies
for pre-1.5 JVMs as those dont have Javascript that's vulnerable, so patch will
ignore them.

Unfortunately, fixing ANT to do this would not help all projects, because in
contrast to Maven, the build.xml writer cannot decide which "javadoc-plugin" is
to be used, it depends on the Ant version installed on user's machine. So In
Lucene we will stay for a while with the current manual Ant macro, but it would
still be good to support patching by default with later Ant versions. On the
other hand, anybody who is afraid of publishing vulnerable javadoc can always
use <antversion/> to fail the build...

-- 
You are receiving this mail because:
You are the assignee for the bug.

Mime
View raw message