From resc...@apache.org
Subject svn commit: r1680798 - in /jackrabbit/branches/2.4: ./ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/ jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/
Date Thu, 21 May 2015 09:59:26 GMT
Author: reschke
Date: Thu May 21 09:59:26 2015
New Revision: 1680798

URL: http://svn.apache.org/r1680798
Log:
JCR-3883: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) (ported to
2.4)

Added:
    jackrabbit/branches/2.4/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
      - copied unchanged from r1680757, jackrabbit/trunk/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
    jackrabbit/branches/2.4/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
      - copied unchanged from r1680757, jackrabbit/trunk/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
Modified:
    jackrabbit/branches/2.4/   (props changed)
    jackrabbit/branches/2.4/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
    jackrabbit/branches/2.4/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java

Propchange: jackrabbit/branches/2.4/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu May 21 09:59:26 2015
@@ -1,3 +1,3 @@
 /jackrabbit/branches/JCR-2272:1173165-1176545
 /jackrabbit/sandbox/JCR-2415-lucene-3.0:1060860-1064038
-/jackrabbit/trunk:1221447,1221579,1221593,1221789,1221818,1225179,1225191,1225196,1225207,1225525,1225528,1226452,1226472,1226515,1226750,1226863,1227171,1227240,1227590,1227593,1227615,1228058,1228149,1228155,1228160,1230507,1230681,1230688,1231204,1232035,1232100,1232404,1232831,1232920,1232922,1233069,1233344,1233446,1233468,1233471,1233544,1234807,1235192,1235375,1235423,1236709,1236775,1236819-1236821,1240053,1241461,1242775,1245443,1291424,1296202,1296226,1297526,1298428,1301046,1301397,1302401,1303438,1304323,1304382,1306337,1307456,1309908,1311861,1324713,1327180,1327432,1327926,1329198,1334998,1335017,1335030,1336017,1336252,1338172,1341373,1346045,1348860,1349185,1352440,1352791,1353920,1354499,1358543,1360013,1360571,1361941,1362796,1362924,1367057,1368796,1399576,1400843,1400935,1403408,1403768,1415093,1415574,1416387,1416863,1418236,1437374,1437384,1437618,1437963,1438158,1439346,1439797,1444755,1445122,1461064,1461137,1461613,1462115,1462153,1462205,1462211,1466060,146
 6085,1466938,1467255,1467363,1469312,1469799,1469892,1469940,1470573,1471286,1475718,1478684,1479518,1487803,1497492,1498840,1498850,1499285,1505795,1505907,1505942,1506594,1508053,1509101,1517602,1517627,1517711,1519376,1526945,1530005,1535539,1556248,1634584
+/jackrabbit/trunk:1221447,1221579,1221593,1221789,1221818,1225179,1225191,1225196,1225207,1225525,1225528,1226452,1226472,1226515,1226750,1226863,1227171,1227240,1227590,1227593,1227615,1228058,1228149,1228155,1228160,1230507,1230681,1230688,1231204,1232035,1232100,1232404,1232831,1232920,1232922,1233069,1233344,1233446,1233468,1233471,1233544,1234807,1235192,1235375,1235423,1236709,1236775,1236819-1236821,1240053,1241461,1242775,1245443,1291424,1296202,1296226,1297526,1298428,1301046,1301397,1302401,1303438,1304323,1304382,1306337,1307456,1309908,1311861,1324713,1327180,1327432,1327926,1329198,1334998,1335017,1335030,1336017,1336252,1338172,1341373,1346045,1348860,1349185,1352440,1352791,1353920,1354499,1358543,1360013,1360571,1361941,1362796,1362924,1367057,1368796,1399576,1400843,1400935,1403408,1403768,1415093,1415574,1416387,1416863,1418236,1437374,1437384,1437618,1437963,1438158,1439346,1439797,1444755,1445122,1461064,1461137,1461613,1462115,1462153,1462205,1462211,1466060,146
 6085,1466938,1467255,1467363,1469312,1469799,1469892,1469940,1470573,1471286,1475718,1478684,1479518,1487803,1497492,1498840,1498850,1499285,1505795,1505907,1505942,1506594,1508053,1509101,1517602,1517627,1517711,1519376,1526945,1530005,1535539,1556248,1634584,1680757

Modified: jackrabbit/branches/2.4/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.4/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java?rev=1680798&r1=1680797&r2=1680798&view=diff
==============================================================================
--- jackrabbit/branches/2.4/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
(original)
+++ jackrabbit/branches/2.4/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
Thu May 21 09:59:26 2015
@@ -28,9 +28,7 @@ import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
 import org.w3c.dom.NamedNodeMap;
 import org.xml.sax.SAXException;
-import org.xml.sax.helpers.DefaultHandler;
 
-import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -56,26 +54,10 @@ public class DomUtil {
     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
 
     /**
-     * Constant for <code>DocumentBuilderFactory</code> which is used
+     * Constant for <code>DavDocumentBuilderFactory</code> which is used
      * to create and parse DOM documents.
      */
-    private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
-
-    private static DocumentBuilderFactory createFactory() {
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-        factory.setNamespaceAware(true);
-        factory.setIgnoringComments(true);
-        factory.setIgnoringElementContentWhitespace(true);
-        factory.setCoalescing(true);
-        try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        } catch (ParserConfigurationException e) {
-            log.warn("Secure XML processing is not supported", e);
-        } catch (AbstractMethodError e) {
-            log.warn("Secure XML processing is not supported", e);
-        }
-        return factory;
-    }
+    private static final DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
 
     /**
      * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
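Review bot: The removed createFactory() logged a warning and carried on when FEATURE_SECURE_PROCESSING was unsupported, so the parser silently fell back to an unhardened configuration; whether the DavDocumentBuilderFactory created at the new `BUILDER_FACTORY` line fails closed or falls back the same way cannot be seen here, since that class is added by this commit but not shown. As this field is the single point where the JCR-3883 mitigation is applied, a short comment would help a later maintainer who swaps it: `// All WebDAV XML parsing is routed through this factory; its entity-handling configuration is the JCR-3883 (CVE-2015-1833) mitigation.` The Javadoc for setBuilderFactory that starts on this hunk's last line continues past the hunk.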
@@ -88,7 +70,7 @@ public class DomUtil {
      */
     public static void setBuilderFactory(
             DocumentBuilderFactory documentBuilderFactory) {
-        BUILDER_FACTORY = documentBuilderFactory;
+        BUILDER_FACTORY.setFactory(documentBuilderFactory);
     }
 
     /**
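Review bot: setBuilderFactory still accepts an arbitrary DocumentBuilderFactory and now delegates to `BUILDER_FACTORY.setFactory(documentBuilderFactory)`; whether the hardened entity settings are re-applied to a caller-supplied factory, or the caller's configuration is used as-is, is decided inside DavDocumentBuilderFactory, which this commit adds but does not show. The method's Javadoc begins above the hunk ("Support the replacement of {@link #BUILDER_FACTORY}") and still describes replacing the field, which is now final; it should state the new contract, e.g. `* The supplied factory is handed to {@link DavDocumentBuilderFactory#setFactory}; a caller installing its own factory is responsible for its DTD and external-entity configuration unless that class re-applies the defaults.` A null argument also reaches setFactory unchecked here; `Objects.requireNonNull(documentBuilderFactory, "documentBuilderFactory")` would keep the outcome out of the delegate's hands.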
@@ -119,11 +101,6 @@ public class DomUtil {
     public static Document parseDocument(InputStream stream)
             throws ParserConfigurationException, SAXException, IOException {
         DocumentBuilder docBuilder = BUILDER_FACTORY.newDocumentBuilder();
-
-        // Set an error handler to prevent parsers from printing error messages
-        // to standard output!
-        docBuilder.setErrorHandler(new DefaultHandler());
-
         return docBuilder.parse(stream);
     }
 
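Review bot: The error handler removed from parseDocument was there, per its own comment, to stop the parser printing parse errors to the console; after this hunk the builder from `BUILDER_FACTORY.newDocumentBuilder()` is used as-is, so unless DavDocumentBuilderFactory installs a handler itself (not visible here) every malformed client request will again be echoed to the console by the JAXP default handler. Either confirm the factory sets one, or keep `docBuilder.setErrorHandler(new DefaultHandler());` before the parse, in which case the `org.xml.sax.helpers.DefaultHandler` import dropped in the first hunk has to stay. A one-line comment at the parse call such as `// error handling is configured by DavDocumentBuilderFactory` would record where the behaviour now lives.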

Modified: jackrabbit/branches/2.4/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.4/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java?rev=1680798&r1=1680797&r2=1680798&view=diff
==============================================================================
--- jackrabbit/branches/2.4/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
(original)
+++ jackrabbit/branches/2.4/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
Thu May 21 09:59:26 2015
@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
         TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
 
         suite.addTestSuite(NamespaceTest.class);
+        suite.addTestSuite(ParserTest.class);
 
         return suite;
     }


