Posted to commits@maven.apache.org by ol...@apache.org on 2013/06/24 04:29:57 UTC

svn commit: r1495902 - in /maven/plugins/trunk/maven-javadoc-plugin/src/main: java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt

Author: olamy
Date: Mon Jun 24 02:29:57 2013
New Revision: 1495902

URL: http://svn.apache.org/r1495902
Log:
[MJAVADOC-370] Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])
Submitted by Uwe Schindler

Added:
    maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt   (with props)
Modified:
    maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java

Modified: maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java
URL: http://svn.apache.org/viewvc/maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java?rev=1495902&r1=1495901&r2=1495902&view=diff
==============================================================================
--- maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java (original)
+++ maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java Mon Jun 24 02:29:57 2013
@@ -76,6 +76,7 @@ import org.codehaus.plexus.archiver.UnAr
 import org.codehaus.plexus.archiver.manager.ArchiverManager;
 import org.codehaus.plexus.archiver.manager.NoSuchArchiverException;
 import org.codehaus.plexus.components.io.fileselectors.IncludeExcludeFileSelector;
+import org.codehaus.plexus.util.DirectoryScanner;
 import org.codehaus.plexus.util.FileUtils;
 import org.codehaus.plexus.util.IOUtil;
 import org.codehaus.plexus.util.ReaderFactory;
@@ -87,6 +88,7 @@ import org.codehaus.plexus.util.cli.Comm
 import org.codehaus.plexus.util.xml.Xpp3Dom;
 
 import java.io.File;
+import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -2016,6 +2018,19 @@ public abstract class AbstractJavadocMoj
                 scriptFile.delete();
             }
         }
+        
+        // finally, patch the Javadoc vulnerability in older Javadoc tools (CVE-2013-1571):
+        try
+        {
+            final int patched = fixFrameInjectionBug(javadocOutputDirectory, getDocencoding());
+            if (patched > 0) {
+                getLog().info(String.format("Fixed Javadoc frame injection vulnerability (CVE-2013-1571) in %d files.", patched));
+            }
+        }
+        catch ( IOException e )
+        {
+            throw new MavenReportException( "Failed to patch javadocs vulnerability: " + e.getMessage(), e );
+        }
     }
 
     /**
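Review bot: The call `fixFrameInjectionBug(javadocOutputDirectory, getDocencoding())` decodes and re-encodes every matched index/toc file with the configured docencoding, so if javadoc wrote those files in a different encoding (not determinable from this hunk) the rewrite could alter non-ASCII text in them. A comment at the call would record the assumption, e.g. `// assumes getDocencoding() is the encoding javadoc really used for its HTML output; matched files are rewritten with it`. The added `if (patched > 0) {` also departs from the brace and spacing style of the neighbouring `catch ( IOException e )` lines. The enclosing method begins outside this hunk, so whether every path that produces output reaches this block cannot be confirmed from here.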
@@ -5072,6 +5087,51 @@ public abstract class AbstractJavadocMoj
     }
 
     /**
+     * Patches the given Javadoc output directory to work around CVE-2013-1571
+     * (see http://www.kb.cert.org/vuls/id/225657).
+     * @param javadocOutputDirectory directory to scan for vulnerabilities
+     * @param outputEncoding encoding used by the javadoc tool (-docencoding parameter).
+     *     If {@code null}, the platform's default encoding is used (like javadoc does).
+     * @return the number of patched files
+     */
+    private int fixFrameInjectionBug(File javadocOutputDirectory, String outputEncoding) throws IOException {
+        final String fixData;
+        final InputStream in = this.getClass().getResourceAsStream("frame-injection-fix.txt");
+        if (in == null) {
+            throw new FileNotFoundException("Missing resource 'frame-injection-fix.txt' in classpath.");
+        }
+        try {
+            fixData = StringUtils.unifyLineSeparators(IOUtil.toString(in, "US-ASCII")).trim();
+        } finally {
+            IOUtil.close(in);
+        }
+
+        final DirectoryScanner ds = new DirectoryScanner();
+        ds.setBasedir(javadocOutputDirectory);
+        ds.setCaseSensitive(false);
+        ds.setIncludes(new String[] { "**/index.html", "**/index.htm", "**/toc.html", "**/toc.htm" });
+        ds.addDefaultExcludes();
+        ds.scan();
+        int patched = 0;
+        for (String f : ds.getIncludedFiles()) {
+            final File file = new File(javadocOutputDirectory, f);
+            // we load the whole file as one String (toc/index files are
+            // generally small, because they only contain frameset declaration):
+            final String fileContents = FileUtils.fileRead(file, outputEncoding);
+            // check if file may be vulnerable because it was not patched with "validURL(url)":
+            if (!StringUtils.contains(fileContents, "function validURL(url) {")) {
+                // we need to patch the file!
+                final String patchedFileContents = StringUtils.replaceOnce(fileContents, "function loadFrames() {", fixData);
+                if (!patchedFileContents.equals(fileContents)) {
+                    FileUtils.fileWrite(file, outputEncoding, patchedFileContents);
+                    patched++;
+                }
+            }
+        }
+        return patched;
+    }
+
+    /**
      * @param outputFile        not nul
      * @param inputResourceName a not null resource in <code>src/main/java</code>, <code>src/main/resources</code> or <code>src/main/javadoc</code>
      *                          or in the Javadoc plugin dependencies.
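Review bot: In `fixFrameInjectionBug`, a scanned file that lacks `function validURL(url) {` and also lacks the exact text `function loadFrames() {` is left unchanged with no log output, so a frameset page whose script is formatted differently would stay unpatched without anyone noticing. Logging the skipped file makes that visible, e.g. an `else` branch on the `equals` check with `getLog().debug( "No loadFrames() marker found, not patched: " + file );`. The Javadoc should also carry `@throws IOException if the fix resource is missing or a file cannot be read or written`. It should state as well that the resource text must end with `function loadFrames() {`, because that literal is what `replaceOnce` substitutes.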

Added: maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt
URL: http://svn.apache.org/viewvc/maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt?rev=1495902&view=auto
==============================================================================
--- maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt (added)
+++ maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt Mon Jun 24 02:29:57 2013
@@ -0,0 +1,37 @@
+    if (targetPage != "" && !validURL(targetPage))
+        targetPage = "undefined";
+    function validURL(url) {
+        var pos = url.indexOf(".html");
+        if (pos == -1 || pos != url.length - 5)
+            return false;
+        var allowNumber = false;
+        var allowSep = false;
+        var seenDot = false;
+        for (var i = 0; i < url.length - 5; i++) {
+            var ch = url.charAt(i);
+            if ('a' <= ch && ch <= 'z' ||
+                    'A' <= ch && ch <= 'Z' ||
+                    ch == '$' ||
+                    ch == '_') {
+                allowNumber = true;
+                allowSep = true;
+            } else if ('0' <= ch && ch <= '9'
+                    || ch == '-') {
+                if (!allowNumber)
+                     return false;
+            } else if (ch == '/' || ch == '.') {
+                if (!allowSep)
+                    return false;
+                allowNumber = false;
+                allowSep = false;
+                if (ch == '.')
+                     seenDot = true;
+                if (ch == '/' && seenDot)
+                     return false;
+            } else {
+                return false;
+            }
+        }
+        return true;
+    }
+    function loadFrames() {
\ No newline at end of file
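Review bot: `validURL` is the allowlist that decides which target pages the generated frameset will load, yet the snippet carries no comment saying what it accepts. A header line such as `// Accept only relative paths ending in ".html" built from letters, digits, '$', '_', '-', '/' and '.'; reject everything else.` would help, plus a sentence on the ordering rules the loop enforces: a digit or '-' must follow a letter, a separator may not lead or repeat, and no '/' may follow a '.'. Names containing non-ASCII letters fall into the final `else` and are rejected, which fails closed but is worth stating. The lines `function validURL(url) {` and `function loadFrames() {` are matched as string literals in AbstractJavadocMojo, so a note that they must not be reformatted belongs here too.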

Propchange: maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt
------------------------------------------------------------------------------
    svn:keywords = Author Date Id Revision