Return-Path: X-Original-To: apmail-jackrabbit-commits-archive@www.apache.org Delivered-To: apmail-jackrabbit-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id EB1B717465 for ; Thu, 21 May 2015 10:07:10 +0000 (UTC) Received: (qmail 83205 invoked by uid 500); 21 May 2015 10:07:10 -0000 Delivered-To: apmail-jackrabbit-commits-archive@jackrabbit.apache.org Received: (qmail 83150 invoked by uid 500); 21 May 2015 10:07:10 -0000 Mailing-List: contact commits-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@jackrabbit.apache.org Delivered-To: mailing list commits@jackrabbit.apache.org Received: (qmail 83141 invoked by uid 99); 21 May 2015 10:07:10 -0000 Received: from eris.apache.org (HELO hades.apache.org) (140.211.11.105) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 21 May 2015 10:07:10 +0000 Received: from hades.apache.org (localhost [127.0.0.1]) by hades.apache.org (ASF Mail Server at hades.apache.org) with ESMTP id B05D8AC0735 for ; Thu, 21 May 2015 10:07:10 +0000 (UTC) Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: svn commit: r1680800 - in /jackrabbit/branches/2.2: ./ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/ jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ Date: Thu, 21 May 2015 10:07:10 -0000 To: commits@jackrabbit.apache.org 
From: reschke@apache.org X-Mailer: svnmailer-1.0.9 Message-Id: <20150521100710.B05D8AC0735@hades.apache.org> Author: reschke Date: Thu May 21 10:07:10 2015 New Revision: 1680800 URL: http://svn.apache.org/r1680800 Log: JCR-3883: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) (ported to 2.2) Added: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java (with props) jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java (with props) Modified: jackrabbit/branches/2.2/ (props changed) jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java Propchange: jackrabbit/branches/2.2/ ------------------------------------------------------------------------------ --- svn:mergeinfo (original) +++ svn:mergeinfo Thu May 21 10:07:10 2015 
@@ -4,4 +4,4 @@ /jackrabbit/sandbox/JCR-1456:774917-886178 /jackrabbit/sandbox/JCR-2170:812417-816332 /jackrabbit/sandbox/tripod-JCR-2209:795441-795863 -/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064213,1064670,1064760,1065599,1065622,1066059,1066071,1066794,1069831,1071562,1071573,1071680,1072087,1074140,1077927,1077970,1079314,1079317,1080186,1080540,1082599,1082611,1082620,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-109 8964,1099033,1099172,1100242,1100286,1101046,1102262,1102268-1102270,1102299,1102601,1104027,1126987,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1169801,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179124,1179548,1180922,1181712,1182281,1182667,1182761,1182824,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827,1202144,1202192,1209581,1213276,1213289,1232100,1236709,1298428,1301046,1301397,1303438,1307456,1309908,1311861,1327180,1327432,1327926,1336252,1348860,1349365,1353920,1356612,1356630,1362796,1362924,1399576,1400935,1403408,1403768,1467255,1467363,1479518,1498840,1498850,1499285,1506594,1509101 
+/jackrabbit/trunk:1038201,1038203,1038205,1038657,1039064,1039347,1039408,1039422-1039423,1039888,1039946,1040033,1040090,1040459,1040601,1040606,1040661,1040958,1041379,1041439,1041761,1042643,1042647,1042978-1042982,1043084-1043086,1043088,1043343,1043357-1043358,1043430,1043554,1043616,1043618,1043637,1043656,1043893,1043897,1044239,1044312,1044451,1044613,1049473,1049491,1049514,1049518,1049520,1049859,1049870,1049874,1049878,1049880,1049883,1049889,1049891,1049894-1049895,1049899-1049901,1049909-1049911,1049915-1049916,1049919,1049923,1049925,1049931,1049936,1049939,1050212,1050298,1050346,1050551,1055068,1055070-1055071,1055116-1055117,1055127,1055134,1055164,1055498,1060431,1060434,1060753,1063756,1064213,1064670,1064760,1065599,1065622,1066059,1066071,1066794,1069831,1071562,1071573,1071680,1072087,1074140,1077927,1077970,1079314,1079317,1080186,1080540,1082599,1082611,1082620,1087304,1088991,1089032,1089053,1089436,1092106,1092117,1092683,1097363,1097513-1097514,1098963-109 8964,1099033,1099172,1100242,1100286,1101046,1102262,1102268-1102270,1102299,1102601,1104027,1126987,1128175,1129206,1130192,1130228,1132993,1136353,1136360,1138511,1141141,1141717,1143396,1143738,1144332,1144338,1144695,1152258,1155431,1157175,1165609,1169801,1173196,1174822,1174887,1175988,1176423,1176465,1176515,1176546,1177249,1177340,1178251,1178892,1179124,1179548,1180922,1181712,1182281,1182667,1182761,1182824,1182929,1183409,1185691,1186285,1186802,1187344,1188541,1188590,1198827,1202144,1202192,1209581,1213276,1213289,1232100,1236709,1298428,1301046,1301397,1303438,1307456,1309908,1311861,1327180,1327432,1327926,1336252,1348860,1349365,1353920,1356612,1356630,1362796,1362924,1399576,1400935,1403408,1403768,1467255,1467363,1479518,1498840,1498850,1499285,1506594,1509101,1680757 Added: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java URL: 
http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java?rev=1680800&view=auto
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java (added)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java Thu May 21 10:07:10 2015
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.webdav.xml;
+
+import java.io.IOException;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.helpers.DefaultHandler;
+
+/**
+ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
+ */
+public class DavDocumentBuilderFactory {
+
+ private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
+
+ private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
+
+ private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
+
+ private DocumentBuilderFactory createFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setNamespaceAware(true);
+ factory.setIgnoringComments(true);
+ factory.setIgnoringElementContentWhitespace(true);
+ factory.setCoalescing(true);
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LOG.warn("Secure XML processing is not supported", e);
+ } catch (AbstractMethodError e) {
+ LOG.warn("Secure XML processing is not supported", e);
+ }
+ return factory;
+ }
+
+ public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
+ LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory);
+ BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY;
+ }
+
+ /**
+ * An entity resolver that does not allow external entity resolution.
See + * RFC 4918, Section 20.6 + */ + private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() { + public InputSource resolveEntity(String publicId, String systemId) throws IOException { + LOG.debug("Resolution of external entities in XML payload not supported - publicId: " + publicId + ", systemId: " + + systemId); + throw new IOException("This parser does not support resolution of external entities (publicId: " + publicId + + ", systemId: " + systemId + ")"); + } + }; + + public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException { + DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder(); + if (BUILDER_FACTORY == DEFAULT_FACTORY) { + // if this is the default factory: set the default entity resolver as well + db.setEntityResolver(DEFAULT_ENTITY_RESOLVER); + } + db.setErrorHandler(new DefaultHandler()); + return db; + } +} Propchange: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java ------------------------------------------------------------------------------ svn:eol-style = native Modified: jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java?rev=1680800&r1=1680799&r2=1680800&view=diff ============================================================================== --- jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java (original) +++ jackrabbit/branches/2.2/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java Thu May 21 10:07:10 2015 
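Review bot: The hardening in createFactory() fails open: when `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` throws ParserConfigurationException or AbstractMethodError, the factory is still returned with only a warning logged, so on a JAXP implementation that lacks the feature the billion-laughs case from ParserTest is not mitigated at all, while the custom EntityResolver only covers external entities. Since the resolver's own comment says WebDAV payloads must not resolve external entities, consider additionally requesting the Xerces/JDK feature `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` inside the same try block — it rejects any DOCTYPE and therefore both internal entity expansion and external entities regardless of parser version, though if some client is known to send a harmless internal DTD subset this would need an opt-out, so treat it as a configuration decision. Note also that newDocumentBuilder() installs DEFAULT_ENTITY_RESOLVER only when BUILDER_FACTORY == DEFAULT_FACTORY, so a factory supplied through setFactory receives neither the resolver nor the secure-processing feature; say so in setFactory's Javadoc, e.g. `Callers supplying their own factory are responsible for disabling DTD/external-entity processing on it.` Minor: the logger is created with `LoggerFactory.getLogger(DomUtil.class)` rather than `DavDocumentBuilderFactory.class`, which mislabels these warnings in the logs.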
@@ -30,7 +30,6 @@ import org.w3c.dom.NamedNodeMap;
 import org.xml.sax.SAXException;
 import org.xml.sax.helpers.DefaultHandler;
-import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -48,26 +47,10 @@ public class DomUtil {
 private static Logger log = LoggerFactory.getLogger(DomUtil.class);
 /**
- * Constant for DocumentBuilderFactory which is used
+ * Constant for DavDocumentBuilderFactory which is used
+ * to create and parse DOM documents.
 */
- private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
-
- private static DocumentBuilderFactory createFactory() {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setNamespaceAware(true);
- factory.setIgnoringComments(true);
- factory.setIgnoringElementContentWhitespace(true);
- factory.setCoalescing(true);
- try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- } catch (ParserConfigurationException e) {
- log.warn("Secure XML processing is not supported", e);
- } catch (AbstractMethodError e) {
- log.warn("Secure XML processing is not supported", e);
- }
- return factory;
- }
+ private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
 /**
 * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
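Review bot: `private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();` is never reassigned anywhere in this diff — the setBuilderFactory hunk below now mutates it via `BUILDER_FACTORY.setFactory(...)` — so it should be `private static final`, which matches the Javadoc's "Constant" wording and makes it impossible for later code to swap out the hardened wrapper by assignment. The Javadoc should also say what is actually replaceable, e.g. `Holder for the DocumentBuilderFactory used to create and parse DOM documents; callers replace the wrapped factory through setBuilderFactory, not this field.` The import hunk above only drops the now-unused XMLConstants import. The enclosing class DomUtil continues outside the hunk.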
@@ -80,7 +63,7 @@ public class DomUtil {
 */
 public static void setBuilderFactory( DocumentBuilderFactory documentBuilderFactory) {
- BUILDER_FACTORY = documentBuilderFactory;
+ BUILDER_FACTORY.setFactory(documentBuilderFactory);
 }
 /**
Added: jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java?rev=1680800&view=auto
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java (added)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java Thu May 21 10:07:10 2015
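Review bot: The contract of a `null` argument changes silently in this hunk: `BUILDER_FACTORY.setFactory(documentBuilderFactory)` maps null back to the hardened default (per DavDocumentBuilderFactory.setFactory in this commit), whereas the removed assignment stored null and presumably broke the next parse, and the method's Javadoc (which begins outside this hunk) mentions neither that nor the more important fact that a caller-supplied factory is used as-is, without the entity resolver or the secure-processing feature the default gets. Add to the Javadoc: `@param documentBuilderFactory the factory to use, or {@code null} to restore the hardened default; a custom factory is not modified and must itself be configured to reject DTDs and external entities (see CVE-2015-1833).` The enclosing class DomUtil continues outside the hunk.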
@@ -0,0 +1,78 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the \"License\"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an \"AS IS\" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.webdav.xml; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.UnsupportedEncodingException; + +import junit.framework.TestCase; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +public class ParserTest extends TestCase { + + // see + public void testBillionLaughs() throws UnsupportedEncodingException { + + String testBody = "" + "" + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + "]>" + "&lol9;"; + InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8")); + + try { + DomUtil.parseDocument(is); + fail("parsing this document should cause an exception"); + } catch (Exception expected) { + } + } + + public void testExternalEntities() throws IOException { + + String dname = "target"; + String fname = "test.xml"; + + File f = new File(dname, fname); + OutputStream os = new FileOutputStream(f); + os.write("testdata".getBytes()); + os.close(); + + String testBody = "\n" + + "]>\n&test;"; + InputStream is = new 
ByteArrayInputStream(testBody.getBytes("UTF-8"));
+
+ try {
+ Document d = DomUtil.parseDocument(is);
+ Element root = d.getDocumentElement();
+ String text = DomUtil.getText(root);
+ fail("parsing this document should cause an exception, but the following external content was included: " + text);
+ } catch (Exception expected) {
+ }
+ }
+}
\ No newline at end of file
Propchange: jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
------------------------------------------------------------------------------
svn:eol-style = native
Modified: jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java?rev=1680800&r1=1680799&r2=1680800&view=diff
==============================================================================
--- jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java (original)
+++ jackrabbit/branches/2.2/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java Thu May 21 10:07:10 2015
@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
 TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
 suite.addTestSuite(NamespaceTest.class);
+ suite.addTestSuite(ParserTest.class);
 return suite;
 }
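Review bot: testExternalEntities passes on any Exception, so a broken fixture (the `target` directory missing, or the entity URI in testBody not pointing at the file just written — the test documents' string literals are not recoverable from this rendering, so I could not check the URI) is indistinguishable from the external entity actually being blocked by DEFAULT_ENTITY_RESOLVER. The test also leaves `target/test.xml` behind and does not close the FileOutputStream if the write throws. I would close `os` in a finally, delete the file after parsing, and assert on the failure itself; the message check below assumes the resolver's IOException reaches the test unwrapped, which depends on DomUtil.parseDocument (outside this diff) and should be adjusted if it wraps. `fail(...)` inside the try is safe because AssertionFailedError is an Error, not an Exception, so the catch cannot swallow it; a one-line comment saying so would save the next reader the same check.
```java
    public void testExternalEntities() throws IOException {
        File f = new File("target", "test.xml");
        OutputStream os = new FileOutputStream(f);
        try {
            os.write("testdata".getBytes());
        } finally {
            os.close();
        }
        try {
            // … unchanged: testBody construction and InputStream creation …
            try {
                Document d = DomUtil.parseDocument(is);
                Element root = d.getDocumentElement();
                String text = DomUtil.getText(root);
                // fail() throws an Error, so the catch below does not swallow it
                fail("parsing this document should cause an exception, but the following external content was included: " + text);
            } catch (Exception expected) {
                // only the resolver's rejection counts; anything else is a fixture problem
                // (adjust if DomUtil.parseDocument wraps the resolver's IOException)
                assertTrue(String.valueOf(expected),
                        expected.getMessage() != null && expected.getMessage().contains("external entities"));
            }
        } finally {
            f.delete();
        }
    }
```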