You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by re...@apache.org on 2015/05/21 11:56:36 UTC

svn commit: r1680794 - in /jackrabbit/branches/2.6: ./ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/ jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/

Author: reschke
Date: Thu May 21 09:56:35 2015
New Revision: 1680794

URL: http://svn.apache.org/r1680794
Log:
JCR-3883: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) (ported to 2.6)

Added:
    jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
      - copied unchanged from r1680757, jackrabbit/trunk/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
    jackrabbit/branches/2.6/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
      - copied unchanged from r1680757, jackrabbit/trunk/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
Modified:
    jackrabbit/branches/2.6/   (props changed)
    jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
    jackrabbit/branches/2.6/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java

Propchange: jackrabbit/branches/2.6/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu May 21 09:56:35 2015
@@ -1,3 +1,3 @@
 /jackrabbit/branches/JCR-2272:1173165-1176545
 /jackrabbit/sandbox/JCR-2415-lucene-3.0:1060860-1064038
-/jackrabbit/trunk:1437334,1437374,1437384,1437618,1437928,1437933,1437963,1438158,1438541,1439296,1439312,1439346,1439768,1439797,1439927,1440059,1440336,1440456,1440908,1440917,1442061,1443652,1443876,1443885,1443943,1444501,1444515,1444654,1444666,1444683,1444755,1445122,1445134,1453907,1460995,1461064,1461137,1461613,1461646,1462115,1462153,1462205,1462211,1465974,1466060,1466085,1466938,1467255,1467363,1468965,1469312,1469799,1469892,1469940,1470573,1470957,1471286,1475718,1478684,1478719,1478757,1479518,1479527,1479533,1479536,1479691,1479809,1479908,1480574,1481964,1483276,1483286,1484440,1484442,1484444,1484727,1487803,1497243,1497492,1497787,1498840,1498850,1499285,1505795,1505907,1505942,1506594,1506877,1508053,1509101,1513144,1516281,1517602,1517627,1519376,1525629,1525633,1526928,1526945,1530005,1535539,1537027,1539030,1539045,1539050,1556248,1566668-1566669,1582373,1587619,1590030,1590733,1598035,1598058,1603934,1634584
+/jackrabbit/trunk:1437334,1437374,1437384,1437618,1437928,1437933,1437963,1438158,1438541,1439296,1439312,1439346,1439768,1439797,1439927,1440059,1440336,1440456,1440908,1440917,1442061,1443652,1443876,1443885,1443943,1444501,1444515,1444654,1444666,1444683,1444755,1445122,1445134,1453907,1460995,1461064,1461137,1461613,1461646,1462115,1462153,1462205,1462211,1465974,1466060,1466085,1466938,1467255,1467363,1468965,1469312,1469799,1469892,1469940,1470573,1470957,1471286,1475718,1478684,1478719,1478757,1479518,1479527,1479533,1479536,1479691,1479809,1479908,1480574,1481964,1483276,1483286,1484440,1484442,1484444,1484727,1487803,1497243,1497492,1497787,1498840,1498850,1499285,1505795,1505907,1505942,1506594,1506877,1508053,1509101,1513144,1516281,1517602,1517627,1519376,1525629,1525633,1526928,1526945,1530005,1535539,1537027,1539030,1539045,1539050,1556248,1566668-1566669,1582373,1587619,1590030,1590733,1598035,1598058,1603934,1634584,1680757

Modified: jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java?rev=1680794&r1=1680793&r2=1680794&view=diff
==============================================================================
--- jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java (original)
+++ jackrabbit/branches/2.6/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java Thu May 21 09:56:35 2015
@@ -28,9 +28,7 @@ import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
 import org.w3c.dom.NamedNodeMap;
 import org.xml.sax.SAXException;
-import org.xml.sax.helpers.DefaultHandler;
 
-import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -56,26 +54,10 @@ public class DomUtil {
     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
 
     /**
-     * Constant for <code>DocumentBuilderFactory</code> which is used
+     * Constant for <code>DavDocumentBuilderFactory</code> which is used
      * to create and parse DOM documents.
      */
-    private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
-
-    private static DocumentBuilderFactory createFactory() {
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-        factory.setNamespaceAware(true);
-        factory.setIgnoringComments(true);
-        factory.setIgnoringElementContentWhitespace(true);
-        factory.setCoalescing(true);
-        try {
-            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-        } catch (ParserConfigurationException e) {
-            log.warn("Secure XML processing is not supported", e);
-        } catch (AbstractMethodError e) {
-            log.warn("Secure XML processing is not supported", e);
-        }
-        return factory;
-    }
+    private static final DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
 
     /**
      * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
@@ -88,7 +70,7 @@ public class DomUtil {
      */
     public static void setBuilderFactory(
             DocumentBuilderFactory documentBuilderFactory) {
-        BUILDER_FACTORY = documentBuilderFactory;
+        BUILDER_FACTORY.setFactory(documentBuilderFactory);
     }
 
     /**
@@ -119,11 +101,6 @@ public class DomUtil {
     public static Document parseDocument(InputStream stream)
             throws ParserConfigurationException, SAXException, IOException {
         DocumentBuilder docBuilder = BUILDER_FACTORY.newDocumentBuilder();
-
-        // Set an error handler to prevent parsers from printing error messages
-        // to standard output!
-        docBuilder.setErrorHandler(new DefaultHandler());
-
         return docBuilder.parse(stream);
     }
 

Modified: jackrabbit/branches/2.6/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.6/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java?rev=1680794&r1=1680793&r2=1680794&view=diff
==============================================================================
--- jackrabbit/branches/2.6/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java (original)
+++ jackrabbit/branches/2.6/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java Thu May 21 09:56:35 2015
@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
         TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
 
         suite.addTestSuite(NamespaceTest.class);
+        suite.addTestSuite(ParserTest.class);
 
         return suite;
     }