Posted to commits@maven.apache.org by ol...@apache.org on 2013/06/24 04:29:57 UTC
svn commit: r1495902 - in /maven/plugins/trunk/maven-javadoc-plugin/src/main:
java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java
resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt
Author: olamy
Date: Mon Jun 24 02:29:57 2013
New Revision: 1495902
URL: http://svn.apache.org/r1495902
Log:
[MJAVADOC-370] Javadoc vulnerability (CVE-2013-1571 [1], VU#225657 [2])
Submitted by Uwe Schindler
Added:
maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt (with props)
Modified:
maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java
Modified: maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java
URL: http://svn.apache.org/viewvc/maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java?rev=1495902&r1=1495901&r2=1495902&view=diff
==============================================================================
--- maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java (original)
+++ maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java Mon Jun 24 02:29:57 2013
@@ -76,6 +76,7 @@ import org.codehaus.plexus.archiver.UnAr
import org.codehaus.plexus.archiver.manager.ArchiverManager;
import org.codehaus.plexus.archiver.manager.NoSuchArchiverException;
import org.codehaus.plexus.components.io.fileselectors.IncludeExcludeFileSelector;
+import org.codehaus.plexus.util.DirectoryScanner;
import org.codehaus.plexus.util.FileUtils;
import org.codehaus.plexus.util.IOUtil;
import org.codehaus.plexus.util.ReaderFactory;
@@ -87,6 +88,7 @@ import org.codehaus.plexus.util.cli.Comm
import org.codehaus.plexus.util.xml.Xpp3Dom;
import java.io.File;
+import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
@@ -2016,6 +2018,19 @@ public abstract class AbstractJavadocMoj
scriptFile.delete();
}
}
+
+ // finally, patch the Javadoc vulnerability in older Javadoc tools (CVE-2013-1571):
+ try
+ {
+ final int patched = fixFrameInjectionBug(javadocOutputDirectory, getDocencoding());
+ if (patched > 0) {
+ getLog().info(String.format("Fixed Javadoc frame injection vulnerability (CVE-2013-1571) in %d files.", patched));
+ }
+ }
+ catch ( IOException e )
+ {
+ throw new MavenReportException( "Failed to patch javadocs vulnerability: " + e.getMessage(), e );
+ }
}
/**
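Review bot: When `fixFrameInjectionBug` returns 0 nothing is logged, so a build log cannot distinguish "the CVE-2013-1571 pass ran and every frame page was already safe" from "the pass matched no page at all". An `else` branch with `getLog().debug( "No Javadoc frame pages needed the CVE-2013-1571 patch." );` would make the outcome visible to anyone auditing the build. The `if (patched > 0) {` line also uses a same-line brace and unpadded parentheses, unlike the `try` / `catch ( IOException e )` around it. The enclosing method starts above this hunk.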
@@ -5072,6 +5087,51 @@ public abstract class AbstractJavadocMoj
}
/**
+ * Patches the given Javadoc output directory to work around CVE-2013-1571
+ * (see http://www.kb.cert.org/vuls/id/225657).
+ * @param javadocOutputDirectory directory to scan for vulnerabilities
+ * @param outputEncoding encoding used by the javadoc tool (-docencoding parameter).
+ * If {@code null}, the platform's default encoding is used (like javadoc does).
+ * @return the number of patched files
+ */
+ private int fixFrameInjectionBug(File javadocOutputDirectory, String outputEncoding) throws IOException {
+ final String fixData;
+ final InputStream in = this.getClass().getResourceAsStream("frame-injection-fix.txt");
+ if (in == null) {
+ throw new FileNotFoundException("Missing resource 'frame-injection-fix.txt' in classpath.");
+ }
+ try {
+ fixData = StringUtils.unifyLineSeparators(IOUtil.toString(in, "US-ASCII")).trim();
+ } finally {
+ IOUtil.close(in);
+ }
+
+ final DirectoryScanner ds = new DirectoryScanner();
+ ds.setBasedir(javadocOutputDirectory);
+ ds.setCaseSensitive(false);
+ ds.setIncludes(new String[] { "**/index.html", "**/index.htm", "**/toc.html", "**/toc.htm" });
+ ds.addDefaultExcludes();
+ ds.scan();
+ int patched = 0;
+ for (String f : ds.getIncludedFiles()) {
+ final File file = new File(javadocOutputDirectory, f);
+ // we load the whole file as one String (toc/index files are
+ // generally small, because they only contain frameset declaration):
+ final String fileContents = FileUtils.fileRead(file, outputEncoding);
+ // check if file may be vulnerable because it was not patched with "validURL(url)":
+ if (!StringUtils.contains(fileContents, "function validURL(url) {")) {
+ // we need to patch the file!
+ final String patchedFileContents = StringUtils.replaceOnce(fileContents, "function loadFrames() {", fixData);
+ if (!patchedFileContents.equals(fileContents)) {
+ FileUtils.fileWrite(file, outputEncoding, patchedFileContents);
+ patched++;
+ }
+ }
+ }
+ return patched;
+ }
+
+ /**
* @param outputFile not nul
* @param inputResourceName a not null resource in <code>src/main/java</code>, <code>src/main/resources</code> or <code>src/main/javadoc</code>
* or in the Javadoc plugin dependencies.
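Review bot: In the loop of `fixFrameInjectionBug`, a scanned page that contains neither `function validURL(url) {` nor `function loadFrames() {` is left unchanged and uncounted, so the method fails open without any trace. Both checks are exact string matches, so a frame page whose script is formatted differently (another javadoc version or doclet, presumably) would be skipped as if it were safe. I would separate the "already patched" case from the "marker not found" case and log the latter, as sketched below. The Javadoc should also state that only `index.htm(l)` and `toc.htm(l)` files are examined and that they are rewritten in place.

```java
for (String f : ds.getIncludedFiles()) {
    // … unchanged: build `file` and read it into fileContents …
    if (StringUtils.contains(fileContents, "function validURL(url) {")) {
        // page already carries the validator, nothing to do
        continue;
    }
    final String patchedFileContents = StringUtils.replaceOnce(fileContents, "function loadFrames() {", fixData);
    if (patchedFileContents.equals(fileContents)) {
        // neither marker matched: report the page instead of treating it as safe
        getLog().debug("Frame page not recognised, left unpatched: " + file);
        continue;
    }
    FileUtils.fileWrite(file, outputEncoding, patchedFileContents);
    patched++;
}
```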
Added: maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt
URL: http://svn.apache.org/viewvc/maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt?rev=1495902&view=auto
==============================================================================
--- maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt (added)
+++ maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt Mon Jun 24 02:29:57 2013
@@ -0,0 +1,37 @@
+ if (targetPage != "" && !validURL(targetPage))
+ targetPage = "undefined";
+ function validURL(url) {
+ var pos = url.indexOf(".html");
+ if (pos == -1 || pos != url.length - 5)
+ return false;
+ var allowNumber = false;
+ var allowSep = false;
+ var seenDot = false;
+ for (var i = 0; i < url.length - 5; i++) {
+ var ch = url.charAt(i);
+ if ('a' <= ch && ch <= 'z' ||
+ 'A' <= ch && ch <= 'Z' ||
+ ch == '$' ||
+ ch == '_') {
+ allowNumber = true;
+ allowSep = true;
+ } else if ('0' <= ch && ch <= '9'
+ || ch == '-') {
+ if (!allowNumber)
+ return false;
+ } else if (ch == '/' || ch == '.') {
+ if (!allowSep)
+ return false;
+ allowNumber = false;
+ allowSep = false;
+ if (ch == '.')
+ seenDot = true;
+ if (ch == '/' && seenDot)
+ return false;
+ } else {
+ return false;
+ }
+ }
+ return true;
+ }
+ function loadFrames() {
\ No newline at end of file
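Review bot: Two lines of this resource are load-bearing for the Java side, and nothing records that. The closing `function loadFrames() {` must stay verbatim because the whole file replaces that marker in the generated page, and `function validURL(url) {` must stay verbatim because it is the string used to detect an already-patched page. Reformatting either line would drop the `loadFrames` header from patched pages or cause the snippet to be injected again on every run. I would state this in the `fixFrameInjectionBug` Javadoc, for example `frame-injection-fix.txt must keep "function validURL(url) {" and end with "function loadFrames() {" unchanged`. The doc should also note that `validURL` accepts only ASCII letters, digits, `$`, `_`, `-`, `/` and `.`, so a target page with any other character falls back to `"undefined"`.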
Propchange: maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: maven/plugins/trunk/maven-javadoc-plugin/src/main/resources/org/apache/maven/plugin/javadoc/frame-injection-fix.txt
------------------------------------------------------------------------------
svn:keywords = Author Date Id Revision