jmeter-dev mailing list archives

From Philippe Mouawad <philippe.moua...@gmail.com>
Subject Re: svn commit: r1761294 - in /jmeter/trunk: LICENSE build.properties eclipse.classpath lib/ lib/aareadme.txt licenses/bin/xstream-1.4.8.txt licenses/bin/xstream-1.4.9.txt res/maven/ApacheJMeter_parent.pom xdocs/changes.xml
Date Sun, 02 Oct 2016 19:31:09 GMT
Hello,
I applied the second option of the article and reverted the DTD.

In the future XSD might be a better option.
Regards

On Sun, Oct 2, 2016 at 8:52 PM, Felix Schumacher <
felix.schumacher@internetallee.de> wrote:

> On 20.09.2016 at 21:29, Philippe Mouawad wrote:
>
>> On Tue, Sep 20, 2016 at 9:16 PM, Felix Schumacher <
>> felix.schumacher@internetallee.de> wrote:
>>
>> On 20.09.2016 at 21:13, Philippe Mouawad wrote:
>>>
>>> On Tue, Sep 20, 2016 at 8:56 PM, Felix Schumacher <felix.schumacher@
>>>> internetallee.de> wrote:
>>>>
>>>> On 20.09.2016 at 20:33, Philippe Mouawad wrote:
>>>>
>>>>> Hi Felix,
>>>>>
>>>>>> Yes issue seems to come from this:
>>>>>> https://github.com/x-stream/xstream/blob/f66bbea1b383e705988abf8d06ea9782a73f24d4/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java#L147
>>>>>>
>>>>>> How do you reproduce it ?
>>>>>> I don't see it fail on my laptop nor on jenkins build.
>>>>>>
>>>>>> ant clean install test
>>>>>>
>>>>> Thanks I reproduced.
>>>>>
>>>> Why isn't it failing on Jenkins build ?
>>>>
>>>>
>>>>
>>>> With my followup commit, the errors are gone.
>>>>
>>>>> Sounds ok to me but we lose the DTD.
>>>>>
>>>> I wonder if we could use an XSD schema instead. But I haven't looked that
>>>> up, yet. On the other hand, how many people actually use a DTD anyways?
>>>
>>>
>>> Maybe we can customize the creation like this:
>>>
>>>>      private XStream initXStream() {
>>>>           XStream xstream = new XStream(new DomDriver(){
>>>>               /**
>>>>                * Create the DocumentBuilderFactory instance without setting
>>>>                * http://apache.org/xml/features/disallow-doctype-decl to true
>>>>                *
>>>>                * @return the new instance
>>>>                */
>>>>               @Override
>>>>               protected DocumentBuilderFactory createDocumentBuilderFactory() {
>>>>                   final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>>>>                   factory.setExpandEntityReferences(false);
>>>>                   return factory;
>>>>               }
>>>>           });
>>>>
>>>> Do we introduce the problem that 1.4.9 wants to protect us from with
>>>> this, or is it just telling the parser to ignore the DTD?
>>>
>>> Possibly as per:
>> https://blog.compass-security.com/2012/08/secure-xml-parser-configuration/
>> Do you think the second solution exposed above works for a
>> DocumentBuilderFactory ?
>>
> Seems to be valid then. I haven't tried it, though. If it works for you, I
> am OK with it.
>
>>
>> Anyway, what is the real risk for JMeter? Files are loaded locally based on
>> what users configure; if a local file has been corrupted, doesn't it mean the
>> computer has already been attacked successfully?
>>
> Probably, but you never know :)
>
> Felix
>
>
>>
>>
>> Felix
>>>
>>>
>>>
>>>
>>>> Felix
>>>>
>>>>> Thanks
>>>>>
>>>>>>
>>>>>> On Tue, Sep 20, 2016 at 8:10 PM, Felix Schumacher <
>>>>>> felix.schumacher@internetallee.de> wrote:
>>>>>>
>>>>>> On 18.09.2016 at 00:17, pmouawad@apache.org wrote:
>>>>>>
>>>>>> Author: pmouawad
>>>>>>>
>>>>>>> Date: Sat Sep 17 22:17:53 2016
>>>>>>>> New Revision: 1761294
>>>>>>>>
>>>>>>>> URL: http://svn.apache.org/viewvc?rev=1761294&view=rev
>>>>>>>> Log:
>>>>>>>> Updated to xstream 1.4.9 (from 1.4.8)
>>>>>>>>
>>>>>>>> This change seems to break the tests with:
>>>>>>>>
>>>>>>> ...
>>>>>>>         [java] Last error=java.lang.NullPointerException
>>>>>>>         [java] [Fatal Error] templates.xml:21:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
>>>>>>> ...
>>>>>>>         [java] There was 1 failure:
>>>>>>>         [java] 1) initializationError(org.apache.jmeter.junit.JMeterTest)
>>>>>>>         [java] java.lang.Exception: Error creating org.apache.jmeter.gui.action.SelectTemplatesDialog
>>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:485)
>>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.suiteSerializableElements(JMeterTest.java:388)
>>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.suite(JMeterTest.java:133)
>>>>>>>         [java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> ...
>>>>>>>         [java] Caused by: java.lang.NullPointerException
>>>>>>>         [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.populateTemplatePage(SelectTemplatesDialog.java:227)
>>>>>>>         [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.init(SelectTemplatesDialog.java:199)
>>>>>>>         [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.<init>(SelectTemplatesDialog.java:90)
>>>>>>>         [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>>>         [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>>>         [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>>>         [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>>>>         [java]     at java.lang.Class.newInstance(Class.java:442)
>>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:456)
>>>>>>>         [java]     ... 20 more
>>>>>>>         [java]
>>>>>>>
>>>>>>> Templates are read through xstream, that is probably why this error
>>>>>>> came up.
>>>>>>>
>>>>>>> The "offending" change is probably https://github.com/x-stream/xstream/issues/25
>>>>>>>
>>>>>>> Has anyone else noticed this, too? What shall we do?
>>>>>>>
>>>>>>> Regards,
>>>>>>>     Felix
>>>>>>>
>>>>>>>
>>>>>>> Added:
>>>>>>>
>>>>>>>         jmeter/trunk/licenses/bin/xstream-1.4.9.txt
>>>>>>>>           - copied unchanged from r1761222,
>>>>>>>> jmeter/trunk/licenses/bin/xstr
>>>>>>>> eam-1.4.8.txt
>>>>>>>> Removed:
>>>>>>>>         jmeter/trunk/licenses/bin/xstream-1.4.8.txt
>>>>>>>> Modified:
>>>>>>>>         jmeter/trunk/LICENSE
>>>>>>>>         jmeter/trunk/build.properties
>>>>>>>>         jmeter/trunk/eclipse.classpath
>>>>>>>>         jmeter/trunk/lib/   (props changed)
>>>>>>>>         jmeter/trunk/lib/aareadme.txt
>>>>>>>>         jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>>>>         jmeter/trunk/xdocs/changes.xml
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/LICENSE
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/LICENSE?rev=176129
>>>>>>>> 4&r1=1761293&r2=1761294&view=diff
>>>>>>>> ============================================================
>>>>>>>> ==================
>>>>>>>> --- jmeter/trunk/LICENSE [utf-8] (original)
>>>>>>>> +++ jmeter/trunk/LICENSE [utf-8] Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -271,4 +271,4 @@ For details, please see the files under:
>>>>>>>>      * slf4j-api-1.7.21.jar (MIT)
>>>>>>>>      * xmlpull-1.1.3.1.jar (Public Domain)
>>>>>>>>      * xpp3-1.1.4c.jar (Indiana University Extreme! Lab Software
>>>>>>>> License
>>>>>>>> 1.1.1)
>>>>>>>> -* xstream-1.4.8.jar (BSD)
>>>>>>>> +* xstream-1.4.9.jar (BSD)
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/build.properties
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/build.properties?r
>>>>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ============================================================
>>>>>>>> ==================
>>>>>>>> --- jmeter/trunk/build.properties (original)
>>>>>>>> +++ jmeter/trunk/build.properties Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -301,10 +301,10 @@ tika-parsers.loc            = ${maven2.r
>>>>>>>>      tika-parsers.md5            = 6858c2989b5f19b4b4aed0b9ff83e548
>>>>>>>>        # XStream can be found at: http://x-stream.github.io
>>>>>>>> -xstream.version             = 1.4.8
>>>>>>>> +xstream.version             = 1.4.9
>>>>>>>>      xstream.jar                 = xstream-${xstream.version}.jar
>>>>>>>>      xstream.loc                 = ${maven2.repo}/com/thoughtwork
>>>>>>>> s/xstream/xstream/${xstream.version}
>>>>>>>> -xstream.md5                 = 4551a29c38f22ed25eaf109eda50ff03
>>>>>>>> +xstream.md5                 = 17f5ef61f6225a86ac39fc3dab45d755
>>>>>>>>        # XMLPull is required by XStream 1.4.x
>>>>>>>>      xmlpull.version             = 1.1.3.1
>>>>>>>>
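Review bot: the xstream.md5 line pins the new jar with an MD5 digest only, and MD5 is not collision resistant, so if this property is what the downloaded artifact from ${maven2.repo} is checked against, it is a weak integrity check for a dependency bump. Consider recording a SHA-256 or SHA-512 digest of xstream-1.4.9.jar alongside it (for example in a property such as xstream.sha256, a hypothetical name) and verifying that instead. The "XStream can be found at: http://x-stream.github.io" comment in the same hunk could also point at the https URL.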
>>>>>>>> Modified: jmeter/trunk/eclipse.classpath
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/eclipse.classpath?
>>>>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ============================================================
>>>>>>>> ==================
>>>>>>>> --- jmeter/trunk/eclipse.classpath (original)
>>>>>>>> +++ jmeter/trunk/eclipse.classpath Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -99,7 +99,7 @@
>>>>>>>>            <classpathentry kind="lib" path="lib/xmlgraphics-commons-
>>>>>>>> 2.0.1.jar"/>
>>>>>>>>            <classpathentry kind="lib" path="lib/xmlpull-1.1.3.1.jar"
>>>>>>>> />
>>>>>>>>            <classpathentry kind="lib" path="lib/xpp3_min-1.1.4c.jar"
>>>>>>>> />
>>>>>>>> -       <classpathentry kind="lib" path="lib/xstream-1.4.8.jar"/>
>>>>>>>> +       <classpathentry kind="lib" path="lib/xstream-1.4.9.jar"/>
>>>>>>>>            <!-- Needed for build and test -->
>>>>>>>>            <classpathentry kind="lib" path="lib/api/bcmail-jdk15on-1
>>>>>>>> .49.jar"/>
>>>>>>>>            <classpathentry kind="lib" path="lib/api/bcprov-jdk15on-1
>>>>>>>> .49.jar"/>
>>>>>>>>
>>>>>>>> Propchange: jmeter/trunk/lib/
>>>>>>>> ------------------------------------------------------------
>>>>>>>>
>>>>>>>> ------------------
>>>>>>>> --- svn:ignore (original)
>>>>>>>> +++ svn:ignore Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -59,4 +59,4 @@ xml-apis-1.4.01.jar
>>>>>>>>      xmlgraphics-commons-2.0.1.jar
>>>>>>>>      xmlpull-1.1.3.1.jar
>>>>>>>>      xpp3_min-1.1.4c.jar
>>>>>>>> -xstream-1.4.8.jar
>>>>>>>> +xstream-1.4.9.jar
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/lib/aareadme.txt
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/lib/aareadme.txt?r
>>>>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ============================================================
>>>>>>>> ==================
>>>>>>>> --- jmeter/trunk/lib/aareadme.txt (original)
>>>>>>>> +++ jmeter/trunk/lib/aareadme.txt Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -279,7 +279,7 @@ or
>>>>>>>>      http://www.extreme.indiana.edu/dist/java-repository/xpp3/di
>>>>>>>> stributions/
>>>>>>>>      - xstream
>>>>>>>>      -xstream-1.4.8
>>>>>>>> +xstream-1.4.9
>>>>>>>>      -------------
>>>>>>>>      http://x-stream.github.io/download.html
>>>>>>>>      - SaveService
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/res/maven/ApacheJM
>>>>>>>> eter_parent.pom?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ============================================================
>>>>>>>> ==================
>>>>>>>> --- jmeter/trunk/res/maven/ApacheJMeter_parent.pom (original)
>>>>>>>> +++ jmeter/trunk/res/maven/ApacheJMeter_parent.pom Sat Sep
17
>>>>>>>> 22:17:53
>>>>>>>> 2016
>>>>>>>> @@ -101,7 +101,7 @@ under the License.
>>>>>>>>            <tika-core.version>1.13</tika-core.version>
>>>>>>>>            <tika-parsers.version>1.13</tika-parsers.version>
>>>>>>>>            <xmlpull.version>1.1.3.1</xmlpull.version>
>>>>>>>> -      <xstream.version>1.4.8</xstream.version>
>>>>>>>> +      <xstream.version>1.4.9</xstream.version>
>>>>>>>>            <xpp3.version>1.1.4c</xpp3.version>
>>>>>>>>            <xalan.version>2.7.2</xalan.version>
>>>>>>>>            <serializer.version>2.7.2</serializer.version>
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/xdocs/changes.xml
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?
>>>>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ============================================================
>>>>>>>> ==================
>>>>>>>> --- jmeter/trunk/xdocs/changes.xml [utf-8] (original)
>>>>>>>> +++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Sep 17 22:17:53
2016
>>>>>>>> @@ -170,6 +170,7 @@ Summary
>>>>>>>>          <li>Updated to httpcore 4.4.5 (from 4.4.4)</li>
>>>>>>>>          <li>Updated to slf4j-api 1.7.21 (from 1.7.13)</li>
>>>>>>>>          <li>Updated to rsyntaxtextarea-2.6.0 (from
2.5.8)</li>
>>>>>>>> +    <li>Updated to xstream 1.4.9 (from 1.4.8)</li>
>>>>>>>>          <li><pr>215</pr>Reduce duplicated
code by using the newly
>>>>>>>> added
>>>>>>>> method <code>GuiUtils#cancelEditing</code>.
>>>>>>>>          Contributed by Benoit Wiart (b.wiart at
>>>>>>>> ubik-ingenierie.com
>>>>>>>> )</li>
>>>>>>>>          <li><pr>218</pr>Misc cleanup.
Contributed by Benoit Wiart
>>>>>>>> (b.wiart
>>>>>>>> at ubik-ingenierie.com)</li>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
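Review bot: the added changes.xml entry, "Updated to xstream 1.4.9 (from 1.4.8)", records only the version bump and says nothing about the behaviour change reported in this thread, where the new version rejects templates.xml with "DOCTYPE is disallowed when the feature http://apache.org/xml/features/disallow-doctype-decl set to true". Add a sentence next to this <li> stating that XML read through XStream with a DOCTYPE is now refused unless the parser factory is customised, so users with DTD-carrying template files know what to expect.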
>>
>


-- 
Regards.
Philippe Mouawad.
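
An added example, not code from this thread, JMeter or XStream: a small Java probe for the question discussed above, namely whether a DocumentBuilderFactory can accept a DOCTYPE without resolving external entities. The class name, the constructed sample XML, the placeholder URL and the third configuration (the standard SAX external-entity features) are assumptions for illustration; the program prints what each configuration does on the JDK it runs on.

```java
import java.io.StringReader;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class DoctypeParserCheck {
    // Constructed sample: a DOCTYPE declaring one external general entity (placeholder URL).
    static final String XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE templates [\n"
      + "  <!ELEMENT templates (#PCDATA)>\n"
      + "  <!ENTITY ext SYSTEM \"http://example.invalid/ext.txt\">\n"
      + "]>\n"
      + "<templates>&ext;</templates>";

    /** Parses XML with the factory and reports whether the DOCTYPE was accepted
     *  and whether the parser asked to resolve the external entity. */
    static String probe(String label, DocumentBuilderFactory f) throws Exception {
        AtomicBoolean asked = new AtomicBoolean(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Record the request and return empty content, so nothing is ever fetched.
        b.setEntityResolver((publicId, systemId) -> {
            asked.set(true);
            return new InputSource(new StringReader(""));
        });
        String outcome;
        try {
            b.parse(new InputSource(new StringReader(XML)));
            outcome = "DOCTYPE accepted";
        } catch (SAXParseException e) {
            outcome = "rejected (" + e.getMessage() + ")";
        }
        return label + " -> " + outcome + ", external entity requested=" + asked.get();
    }

    public static void main(String[] args) throws Exception {
        // 1) The setting that produced the test failure in the thread.
        DocumentBuilderFactory strict = DocumentBuilderFactory.newInstance();
        strict.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // 2) The override proposed in the thread.
        DocumentBuilderFactory noExpand = DocumentBuilderFactory.newInstance();
        noExpand.setExpandEntityReferences(false);
        // 3) Assumption: DOCTYPE allowed, external entities switched off via SAX features.
        DocumentBuilderFactory noExternal = DocumentBuilderFactory.newInstance();
        noExternal.setFeature("http://xml.org/sax/features/external-general-entities", false);
        noExternal.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        System.out.println(probe("disallow-doctype-decl", strict));
        System.out.println(probe("setExpandEntityReferences(false)", noExpand));
        System.out.println(probe("external entities off", noExternal));
    }
}
```

A configuration is safe to keep DTDs with only if its line reports the DOCTYPE accepted and "external entity requested=false"; run the probe on every JDK the build supports, since entity handling is parser-implementation specific.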
