Posted to dev@continuum.apache.org by Brent Atkinson <ba...@apache.org> on 2013/06/22 17:58:56 UTC

Patching javadocs

Greetings,

I have some time to patch frame injection vulnerability in the project
javadocs. Since this is the first time publishing the docs, I'd like
someone to verify the process for me. From
http://continuum.apache.org/development/publishing-site.html it appears
that I:

  * check out the source under http://svn.apache.org/repos/asf/continuum/site-publish
  * patch the docs
  * run "mvn site site:stage scm-publish:publish-scm"

That should update the existing docs.

How should we ensure new docs don't get published with the vulnerability?
Would that be something we'd do with enforcer and require versions?

Brent
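
One way to express the enforcer idea asked about above, as an added example that is not configuration from the Continuum project or from anyone in this thread. It uses the maven-enforcer-plugin rule requireJavaVersion and binds it to the site lifecycle so that the "mvn site site:stage scm-publish:publish-scm" command actually triggers it; the execution id and the version placeholder are assumptions to be replaced.

```xml
<!-- Added example: place inside <build><plugins> of the POM that builds the site. -->
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <!-- Pin this plugin to the enforcer release your build already uses. -->
  <executions>
    <execution>
      <!-- Hypothetical execution id. -->
      <id>require-fixed-javadoc-jdk</id>
      <!-- The enforce goal binds to "validate" by default. That phase belongs
           to the default lifecycle, so a bare "mvn site" never reaches it.
           Binding to pre-site makes the check run before any docs are built. -->
      <phase>pre-site</phase>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <requireJavaVersion>
            <!-- Placeholder, not a real version: replace with the first JDK
                 release whose javadoc tool emits the patched frame pages.
                 The value is a Maven version range (lower bound, no upper). -->
            <version>[FIRST_FIXED_JDK_VERSION,)</version>
            <message>This JDK generates Javadoc with the frame injection
              vulnerability; use a fixed JDK before publishing the site.</message>
          </requireJavaVersion>
        </rules>
        <!-- Fail the build instead of only logging a warning. -->
        <fail>true</fail>
      </configuration>
    </execution>
  </executions>
</plugin>
```

The rule checks the JDK that runs Maven, so it only guards the output when the Javadoc plugin uses that same JDK's javadoc tool rather than a separately configured executable. It does nothing for pages already checked in under site-publish, which still need the fix tool applied.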

Re: Patching javadocs

Posted by Brent Atkinson <br...@gmail.com>.
That explains why there were no vulnerabilities found.

Thanks Olivier!


On Thu, Jun 27, 2013 at 1:05 AM, Olivier Lamy <ol...@apache.org> wrote:

> I did it already :-)
> See http://svn.apache.org/viewvc?view=revision&revision=1494942
> I checked out the site tree and applied the tool provided by Oracle.
>
> 2013/6/23 Brent Atkinson <br...@gmail.com>:
> > Hi Louis,
> >
> > Frame injection sounds technical, it's basically that someone can hijack
> > someone's site that uses frames to present their own content and try a
> > social engineering attack that takes advantage of a user's trust of the
> > site's authenticity. Someone can essentially put their own content in your
> > html frameset and try to convince the user to do things.
> >
> > Using enforcer would be to prevent people from publishing docs using java
> > versions that produce vulnerable docs.
> >
> > Brent
> >
> >
> > On Sat, Jun 22, 2013 at 12:06 PM, Louis Smith <dr.louis.smith@gmail.com> wrote:
> >
> >> You're a braver man than I - I wouldn't attempt it... not even sure how
> >> enforcer could be used, or how to deal with the frame injection.  I need to
> >> go study up on that one...
> >>
> >> Good Luck!!
> >>
> >>
> >> On Sat, Jun 22, 2013 at 11:58 AM, Brent Atkinson <batkinson@apache.org> wrote:
> >>
> >> > Greetings,
> >> >
> >> > I have some time to patch frame injection vulnerability in the project
> >> > javadocs. Since this is the first time publishing the docs, I'd like
> >> > someone to verify the process for me. From
> >> > http://continuum.apache.org/development/publishing-site.html it appears
> >> > that I:
> >> >
> >> >   * check out the source under
> >> > http://svn.apache.org/repos/asf/continuum/site-publish
> >> >   * patch the docs
> >> >   * run "mvn site site:stage scm-publish:publish-scm"
> >> >
> >> > That should update the existing docs.
> >> >
> >> > How should we ensure new docs don't get published with the vulnerability?
> >> > Would that be something we'd do with enforcer and require versions?
> >> >
> >> > Brent
> >> >
> >>
> >>
> >>
> >> --
> >> Dr. Louis Smith, ThD
> >> Chief Technology Officer, Kyra InfoTech
> >> Museum Director, Veterans Memorial Railroad
> >>
>
>
>
> --
> Olivier Lamy
> Ecetera: http://ecetera.com.au
> http://twitter.com/olamy | http://linkedin.com/in/olamy
>

Re: Patching javadocs

Posted by Olivier Lamy <ol...@apache.org>.
I did it already :-)
See http://svn.apache.org/viewvc?view=revision&revision=1494942
I checked out the site tree and applied the tool provided by Oracle.

2013/6/23 Brent Atkinson <br...@gmail.com>:
> Hi Louis,
>
> Frame injection sounds technical, it's basically that someone can hijack
> someone's site that uses frames to present their own content and try a
> social engineering attack that takes advantage of a user's trust of the
> site's authenticity. Someone can essentially put their own content in your
> html frameset and try to convince the user to do things.
>
> Using enforcer would be to prevent people from publishing docs using java
> versions that produce vulnerable docs.
>
> Brent
>
>
> On Sat, Jun 22, 2013 at 12:06 PM, Louis Smith <dr...@gmail.com> wrote:
>
>> You're a braver man than I - I wouldn't attempt it... not even sure how
>> enforcer could be used, or how to deal with the frame injection.  I need to
>> go study up on that one...
>>
>> Good Luck!!
>>
>>
>> On Sat, Jun 22, 2013 at 11:58 AM, Brent Atkinson <batkinson@apache.org> wrote:
>>
>> > Greetings,
>> >
>> > I have some time to patch frame injection vulnerability in the project
>> > javadocs. Since this is the first time publishing the docs, I'd like
>> > someone to verify the process for me. From
>> > http://continuum.apache.org/development/publishing-site.html it appears
>> > that I:
>> >
>> >   * check out the source under
>> > http://svn.apache.org/repos/asf/continuum/site-publish
>> >   * patch the docs
>> >   * run "mvn site site:stage scm-publish:publish-scm"
>> >
>> > That should update the existing docs.
>> >
>> > How should we ensure new docs don't get published with the vulnerability?
>> > Would that be something we'd do with enforcer and require versions?
>> >
>> > Brent
>> >
>>
>>
>>
>> --
>> Dr. Louis Smith, ThD
>> Chief Technology Officer, Kyra InfoTech
>> Museum Director, Veterans Memorial Railroad
>>



-- 
Olivier Lamy
Ecetera: http://ecetera.com.au
http://twitter.com/olamy | http://linkedin.com/in/olamy

Re: Patching javadocs

Posted by Brent Atkinson <br...@gmail.com>.
Hi Louis,

Frame injection sounds technical, it's basically that someone can hijack
someone's site that uses frames to present their own content and try a
social engineering attack that takes advantage of a user's trust of the
site's authenticity. Someone can essentially put their own content in your
html frameset and try to convince the user to do things.

Using enforcer would be to prevent people from publishing docs using java
versions that produce vulnerable docs.

Brent


On Sat, Jun 22, 2013 at 12:06 PM, Louis Smith <dr...@gmail.com> wrote:

> You're a braver man than I - I wouldn't attempt it... not even sure how
> enforcer could be used, or how to deal with the frame injection.  I need to
> go study up on that one...
>
> Good Luck!!
>
>
> On Sat, Jun 22, 2013 at 11:58 AM, Brent Atkinson <batkinson@apache.org> wrote:
>
> > Greetings,
> >
> > I have some time to patch frame injection vulnerability in the project
> > javadocs. Since this is the first time publishing the docs, I'd like
> > someone to verify the process for me. From
> > http://continuum.apache.org/development/publishing-site.html it appears
> > that I:
> >
> >   * check out the source under
> > http://svn.apache.org/repos/asf/continuum/site-publish
> >   * patch the docs
> >   * run "mvn site site:stage scm-publish:publish-scm"
> >
> > That should update the existing docs.
> >
> > How should we ensure new docs don't get published with the vulnerability?
> > Would that be something we'd do with enforcer and require versions?
> >
> > Brent
> >
>
>
>
> --
> Dr. Louis Smith, ThD
> Chief Technology Officer, Kyra InfoTech
> Museum Director, Veterans Memorial Railroad
>

Re: Patching javadocs

Posted by Louis Smith <dr...@gmail.com>.
You're a braver man than I - I wouldn't attempt it... not even sure how
enforcer could be used, or how to deal with the frame injection.  I need to
go study up on that one...

Good Luck!!


On Sat, Jun 22, 2013 at 11:58 AM, Brent Atkinson <ba...@apache.org> wrote:

> Greetings,
>
> I have some time to patch frame injection vulnerability in the project
> javadocs. Since this is the first time publishing the docs, I'd like
> someone to verify the process for me. From
> http://continuum.apache.org/development/publishing-site.html it appears
> that I:
>
>   * check out the source under
> http://svn.apache.org/repos/asf/continuum/site-publish
>   * patch the docs
>   * run "mvn site site:stage scm-publish:publish-scm"
>
> That should update the existing docs.
>
> How should we ensure new docs don't get published with the vulnerability?
> Would that be something we'd do with enforcer and require versions?
>
> Brent
>



-- 
Dr. Louis Smith, ThD
Chief Technology Officer, Kyra InfoTech
Museum Director, Veterans Memorial Railroad

Re: Patching javadocs

Posted by Brett Porter <br...@apache.org>.
Hi Brent,

That Maven command would be if you were generating for a particular release, from the main Continuum tree.

If you are adjusting site-publish using the fix tool, you just need to check in the results.

It sounds like there's some work going on in Maven land to do some prevention of bad Javadoc being published in the future.

Cheers,
Brett

On 23/06/2013, at 1:58 AM, Brent Atkinson <ba...@apache.org> wrote:

> Greetings,
> 
> I have some time to patch frame injection vulnerability in the project
> javadocs. Since this is the first time publishing the docs, I'd like
> someone to verify the process for me. From
> http://continuum.apache.org/development/publishing-site.html it appears
> that I:
> 
>  * check out the source under
> http://svn.apache.org/repos/asf/continuum/site-publish
>  * patch the docs
>  * run "mvn site site:stage scm-publish:publish-scm"
> 
> That should update the existing docs.
> 
> How should we ensure new docs don't get published with the vulnerability?
> Would that be something we'd do with enforcer and require versions?
> 
> Brent

--
Brett Porter
brett@apache.org
http://brettporter.wordpress.com/
http://au.linkedin.com/in/brettporter
http://twitter.com/brettporter