From resc...@apache.org
Subject svn commit: r1680800 - in /jackrabbit/branches/2.2: ./ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/ jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/
Date Thu, 21 May 2015 10:07:10 GMT
Author: reschke
Date: Thu May 21 10:07:10 2015
New Revision: 1680800

URL: http://svn.apache.org/r1680800
Log:
JCR-3883: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) (ported to
2.2)

Added:
    jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
  (with props)
    jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
  (with props)
Modified:
    jackrabbit/branches/2.2/   (props changed)
    jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
    jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java

Propchange: jackrabbit/branches/2.2/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu May 21 10:07:10 2015
@@ -4,4 +4,4 @@
 /jackrabbit/sandbox/JCR-1456:774917-886178
 /jackrabbit/sandbox/JCR-2170:812417-816332
 /jackrabbit/sandbox/tripod-JCR-2209:795441-795863
-/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064213,1064670,1064760,1065599,1065622,1066059,1066071,1066794,1069831,1071562,1071573,1071680,1072087,1074140,1077927,1077970,1079314,1079317,1080186,1080540,1082599,1082611,1082620,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-109
 8964,1099033,1099172,1100242,1100286,1101046,1102262,1102268-1102270,1102299,1102601,1104027,1126987,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1169801,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179124,1179548,1180922,1181712,1182281,1182667,1182761,1182824,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827,1202144,1202192,1209581,1213276,1213289,1232100,1236709,1298428,1301046,1301397,1303438,1307456,1309908,1311861,1327180,1327432,1327926,1336252,1348860,1349365,1353920,1356612,1356630,1362796,1362924,1399576,1400935,1403408,1403768,1467255,1467363,1479518,1498840,1498850,1499285,1506594,1509101
+/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064213,1064670,1064760,1065599,1065622,1066059,1066071,1066794,1069831,1071562,1071573,1071680,1072087,1074140,1077927,1077970,1079314,1079317,1080186,1080540,1082599,1082611,1082620,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-109
 8964,1099033,1099172,1100242,1100286,1101046,1102262,1102268-1102270,1102299,1102601,1104027,1126987,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1169801,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179124,1179548,1180922,1181712,1182281,1182667,1182761,1182824,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827,1202144,1202192,1209581,1213276,1213289,1232100,1236709,1298428,1301046,1301397,1303438,1307456,1309908,1311861,1327180,1327432,1327926,1336252,1348860,1349365,1353920,1356612,1356630,1362796,1362924,1399576,1400935,1403408,1403768,1467255,1467363,1479518,1498840,1498850,1499285,1506594,1509101,1680757

Added: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java?rev=1680800&view=auto
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
(added)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
Thu May 21 10:07:10 2015
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.webdav.xml;
+
+import java.io.IOException;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.helpers.DefaultHandler;
+
+/**
+ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
+ */
+public class DavDocumentBuilderFactory {
+
+    private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
+
+    private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
+
+    private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
+
+    private DocumentBuilderFactory createFactory() {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setNamespaceAware(true);
+        factory.setIgnoringComments(true);
+        factory.setIgnoringElementContentWhitespace(true);
+        factory.setCoalescing(true);
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+            LOG.warn("Secure XML processing is not supported", e);
+        } catch (AbstractMethodError e) {
+            LOG.warn("Secure XML processing is not supported", e);
+        }
+        return factory;
+    }
+
+    public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
+        LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory);
+        BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY;
+    }
+
+    /**
+     * An entity resolver that does not allow external entity resolution. See
+     * RFC 4918, Section 20.6
+     */
+    private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() {
+        public InputSource resolveEntity(String publicId, String systemId) throws IOException
{
+            LOG.debug("Resolution of external entities in XML payload not supported - publicId:
" + publicId + ", systemId: "
+                    + systemId);
+            throw new IOException("This parser does not support resolution of external entities
(publicId: " + publicId
+                    + ", systemId: " + systemId + ")");
+        }
+    };
+
+    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
+        DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder();
+        if (BUILDER_FACTORY == DEFAULT_FACTORY) {
+            // if this is the default factory: set the default entity resolver as well
+            db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);
+        }
+        db.setErrorHandler(new DefaultHandler());
+        return db;
+    }
+}
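Review bot: The entity-expansion (XEE) half of this fix rests on `FEATURE_SECURE_PROCESSING` alone, and the two catch blocks around the `setFeature` call in `createFactory` only log a warning, so on a JAXP implementation that rejects the feature the factory is handed back with no expansion limit at all and a payload like the one in `ParserTest.testBillionLaughs` would go through while the log merely says "not supported". Consider failing fast there (throw instead of `LOG.warn`), or, where the parser in use supports it, additionally rejecting DOCTYPE declarations so a DTD-bearing request body is refused before any entity is declared; whether WebDAV clients of this codebase ever send internal DTDs is not visible here, so that second step should be confirmed against real traffic. Separately, the resolver that refuses external entities is attached only when `BUILDER_FACTORY == DEFAULT_FACTORY`, so `setFactory` deserves a Javadoc line such as `A factory supplied here is used as-is: it does not receive the entity resolver that refuses external entities, so the caller must disable external entity resolution and entity expansion on it.` Minor: the `LOG` field is created with `LoggerFactory.getLogger(DomUtil.class)`; `LoggerFactory.getLogger(DavDocumentBuilderFactory.class)` would attribute these warnings to the class that emits them.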

Propchange: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java?rev=1680800&r1=1680799&r2=1680800&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
Thu May 21 10:07:10 2015
@@ -30,7 +30,6 @@ import org.w3c.dom.NamedNodeMap;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
 
-import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -48,26 +47,10 @@ public class DomUtil {
     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
 
     /**
-     * Constant for <code>DocumentBuilderFactory</code> which is used
+     * Constant for <code>DavDocumentBuilderFactory</code> which is used
      * to create and parse DOM documents.
      */
-    private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
-
-    private static DocumentBuilderFactory createFactory() {
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-        factory.setNamespaceAware(true);
-        factory.setIgnoringComments(true);
-        factory.setIgnoringElementContentWhitespace(true);
-        factory.setCoalescing(true);
-        try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        } catch (ParserConfigurationException e) {
-            log.warn("Secure XML processing is not supported", e);
-        } catch (AbstractMethodError e) {
-            log.warn("Secure XML processing is not supported", e);
-        }
-        return factory;
-    }
+    private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
 
     /**
      * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
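Review bot: `BUILDER_FACTORY` on the new side stays a non-final static even though, as far as this diff shows, the only assignment left is its initializer (the `setBuilderFactory` hunk below now delegates to `setFactory` instead of reassigning the field). Declaring it `private static final DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();` makes the "Constant for" wording of the Javadoc true and guarantees the entity-resolver decision in `newDocumentBuilder` is always made against the same wrapper instance. The field's Javadoc starts inside the hunk but the surrounding class continues outside it.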
@@ -80,7 +63,7 @@ public class DomUtil {
      */
     public static void setBuilderFactory(
             DocumentBuilderFactory documentBuilderFactory) {
-        BUILDER_FACTORY = documentBuilderFactory;
+        BUILDER_FACTORY.setFactory(documentBuilderFactory);
     }
 
     /**
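Review bot: `setBuilderFactory` now forwards a caller-supplied factory into the wrapper, and per the new `DavDocumentBuilderFactory.newDocumentBuilder` that factory does not get the external-entity-refusing resolver, but the method's Javadoc (which begins above this hunk) still reads as a plain "useful for replacement" note. Add a sentence there so callers know the security consequence, e.g. ` * Note: a factory supplied here is used as-is; it does not receive the entity resolver that refuses external entities, so the caller must disable external entity resolution and entity expansion on it (see RFC 4918, Section 20.6).` The method's opening Javadoc lines lie outside this hunk.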

Added: jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java?rev=1680800&view=auto
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
(added)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
Thu May 21 10:07:10 2015
@@ -0,0 +1,78 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the \"License\"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an \"AS IS\" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.webdav.xml;
+
+import java.io.ByteArrayInputStream;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.UnsupportedEncodingException;
+
+import junit.framework.TestCase;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+public class ParserTest extends TestCase {
+
+    // see <http://en.wikipedia.org/wiki/Billion_laughs#Details>
+    public void testBillionLaughs() throws UnsupportedEncodingException {
+
+        String testBody = "<?xml version=\"1.0\"?>" + "<!DOCTYPE lolz [" + " <!ENTITY
lol \"lol\">" + " <!ELEMENT lolz (#PCDATA)>"
+                + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
+                + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
+                + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
+                + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
+                + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
+                + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
+                + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
+                + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
+                + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">"
+ "]>" + "<lolz>&lol9;</lolz>";
+        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
+
+        try {
+            DomUtil.parseDocument(is);
+            fail("parsing this document should cause an exception");
+        } catch (Exception expected) {
+        }
+    }
+
+    public void testExternalEntities() throws IOException {
+
+        String dname = "target";
+        String fname = "test.xml";
+
+        File f = new File(dname, fname);
+        OutputStream os = new FileOutputStream(f);
+        os.write("testdata".getBytes());
+        os.close();
+
+        String testBody = "<?xml version='1.0'?>\n<!DOCTYPE foo [" + " <!ENTITY
test SYSTEM \"file:" + dname + "/" + fname + "\">"
+                + "]>\n<foo>&test;</foo>";
+        InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
+
+        try {
+            Document d = DomUtil.parseDocument(is);
+            Element root = d.getDocumentElement();
+            String text = DomUtil.getText(root);
+            fail("parsing this document should cause an exception, but the following external
content was included: " + text);
+        } catch (Exception expected) {
+        }
+    }
+}
\ No newline at end of file
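Review bot: `testExternalEntities` writes its fixture to the relative path `target/test.xml` with a `FileOutputStream` that is not closed in a `finally`, uses the platform charset in `getBytes()`, and never deletes the file, so the test depends on the working directory and on a `target` directory already existing and leaves state behind. A temp file with `deleteOnExit()` and `f.toURI()` in the SYSTEM literal removes both dependencies without needing Java 7 constructs on this 2.2 branch. Both tests also catch bare `Exception`, so any unrelated failure inside `DomUtil.parseDocument` (including one that has nothing to do with entities) would make them pass; if `parseDocument`'s declared exceptions allow it, narrowing the catch to the SAX/IO exception types that the blocked resolution actually produces would make the tests assert the fix rather than "something threw".
```java
    public void testExternalEntities() throws IOException {

        File f = File.createTempFile("xxe-test", ".xml");
        f.deleteOnExit();
        OutputStream os = new FileOutputStream(f);
        try {
            os.write("testdata".getBytes("UTF-8"));
        } finally {
            os.close();
        }

        String testBody = "<?xml version='1.0'?>\n<!DOCTYPE foo [" + " <!ENTITY test SYSTEM \"" + f.toURI() + "\">"
                + "]>\n<foo>&test;</foo>";
        // … unchanged: parse the body and fail if the external content was included …
```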

Propchange: jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java?rev=1680800&r1=1680799&r2=1680800&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
(original)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
Thu May 21 10:07:10 2015
@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
         TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
 
         suite.addTestSuite(NamespaceTest.class);
+        suite.addTestSuite(ParserTest.class);
 
         return suite;
     }


