Posted to commits@maven.apache.org by ol...@apache.org on 2013/06/24 04:50:26 UTC

svn commit: r1495909 - /maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java

Author: olamy
Date: Mon Jun 24 02:50:26 2013
New Revision: 1495909

URL: http://svn.apache.org/r1495909
Log:
add a parameter to be able to disable javadoc security fix

Modified:
    maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java

Modified: maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java
URL: http://svn.apache.org/viewvc/maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java?rev=1495909&r1=1495908&r2=1495909&view=diff
==============================================================================
--- maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java (original)
+++ maven/plugins/trunk/maven-javadoc-plugin/src/main/java/org/apache/maven/plugin/javadoc/AbstractJavadocMojo.java Mon Jun 24 02:50:26 2013
@@ -1661,6 +1661,13 @@ public abstract class AbstractJavadocMoj
     @Parameter
     private List<String> sourceFileExcludes;
 
+    /**
+     * To apply the security fix on generated javadoc see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
+     * @since 2.10
+     */
+    @Parameter(defaultValue = "true", property = "maven.javadoc.securityfix.apply")
+    private boolean applyJavadocSecurityFix = true;
+
     // ----------------------------------------------------------------------
     // static
     // ----------------------------------------------------------------------
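Review bot: The Javadoc on `applyJavadocSecurityFix` does not say what turning the parameter off costs, which matters for a switch whose only purpose is to disable a vulnerability patch. I would extend the comment to state that the default is `true`, that setting `maven.javadoc.securityfix.apply` to `false` skips the post-processing for CVE-2013-1571, and that output produced by an affected javadoc tool then stays exposed to frame injection. It should also advise limiting the override to builds whose javadoc tool is already fixed or whose output is never published. The field initializer `= true` looks redundant next to `defaultValue = "true"`; if nothing constructs the mojo without parameter injection, dropping it leaves a single source for the default.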
@@ -2018,21 +2025,27 @@ public abstract class AbstractJavadocMoj
                 scriptFile.delete();
             }
         }
-
-        // finally, patch the Javadoc vulnerability in older Javadoc tools (CVE-2013-1571):
-        try
+        if ( applyJavadocSecurityFix )
         {
-            final int patched = fixFrameInjectionBug( javadocOutputDirectory, getDocencoding() );
-            if ( patched > 0 )
+            // finally, patch the Javadoc vulnerability in older Javadoc tools (CVE-2013-1571):
+            try
             {
-                getLog().info(
-                    String.format( "Fixed Javadoc frame injection vulnerability (CVE-2013-1571) in %d files.",
-                                   patched ) );
+                final int patched = fixFrameInjectionBug( javadocOutputDirectory, getDocencoding() );
+                if ( patched > 0 )
+                {
+                    getLog().info(
+                        String.format( "Fixed Javadoc frame injection vulnerability (CVE-2013-1571) in %d files.",
+                                       patched ) );
+                }
+            }
+            catch ( IOException e )
+            {
+                throw new MavenReportException( "Failed to patch javadocs vulnerability: " + e.getMessage(), e );
             }
         }
-        catch ( IOException e )
+        else
         {
-            throw new MavenReportException( "Failed to patch javadocs vulnerability: " + e.getMessage(), e );
+          getLog().info( "applying javadoc security fix has been disabled" );
         }
     }
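Review bot: The `else` branch reports the skipped patch at `info` level with a message that does not name the issue, so a build that publishes unpatched Javadoc looks the same in the log as a normal one. A warning that names the CVE would make the opt-out visible in build output and in log searches: `getLog().warn( "Javadoc security fix (CVE-2013-1571) is disabled by applyJavadocSecurityFix=false; generated pages are not patched." );`. That line is also indented by two spaces where the surrounding code uses four. The enclosing method starts above the hunk, so whether an earlier return path bypasses this block cannot be checked from here.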