Posted to commits@santuario.apache.org by sc...@apache.org on 2013/06/18 00:32:42 UTC
svn commit: r1493962 - in /santuario/xml-security-cpp/trunk: CHANGELOG.txt
xsec/framework/XSECDefs.hpp xsec/transformers/TXFMParser.cpp
xsec/transformers/TXFMXSL.cpp xsec/utils/XSECSOAPRequestorSimple.cpp
xsec/xenc/impl/XENCCipherImpl.cpp
Author: scantor
Date: Mon Jun 17 22:32:41 2013
New Revision: 1493962
URL: http://svn.apache.org/r1493962
Log:
Tighten up entity expansion limits
Modified:
santuario/xml-security-cpp/trunk/CHANGELOG.txt
santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp
santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp
santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp
santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp
santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp
Modified: santuario/xml-security-cpp/trunk/CHANGELOG.txt
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/CHANGELOG.txt?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/CHANGELOG.txt (original)
+++ santuario/xml-security-cpp/trunk/CHANGELOG.txt Mon Jun 17 22:32:41 2013
@@ -1,3 +1,8 @@
+Changes since 1.7.0
+=====================================
+* Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156
+* Reduced entity expansion limits when parsing
+
Changes since 1.6.1
=====================================
* [SANTUARIO-314] - AES-GCM support
Modified: santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp Mon Jun 17 22:32:41 2013
@@ -69,6 +69,9 @@
typedef unsigned int xsecsize_t;
#endif
+// Pending API change, compile in a limit for Xerces SecurityManager entity expansion
+#define XSEC_ENTITY_EXPANSION_LIMIT 1000
+
// --------------------------------------------------------------------------------
// Namespace Handling
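Review bot: The new `#define XSEC_ENTITY_EXPANSION_LIMIT 1000` a few lines above cannot be changed without editing this header, even though its own comment says the runtime API for it is still pending. Wrapping it as `#ifndef XSEC_ENTITY_EXPANSION_LIMIT` / `#define XSEC_ENTITY_EXPANSION_LIMIT 1000` / `#endif` lets a build override it with a compiler flag until that API exists, and costs nothing for existing builds. The comment should also state what the number bounds — it is passed to Xerces' `SecurityManager::setEntityExpansionLimit` at the parse sites in this commit, so presumably it caps the number of entity expansions per parsed document before Xerces reports an error — so that a deployment with legitimately entity-heavy input knows which knob it is hitting.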
Modified: santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp Mon Jun 17 22:32:41 2013
@@ -114,8 +114,11 @@ void TXFMParser::setInput(TXFMBase *newI
XercesDOMParser parser;
parser.setDoNamespaces(true);
- parser.setCreateEntityReferenceNodes(true);
- parser.setDoSchema(true);
+ parser.setLoadExternalDTD(false);
+
+ SecurityManager securityManager;
+ securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+ parser.setSecurityManager(&securityManager);
parser.parse(is);
xsecsize_t errorCount = parser.getErrorCount();
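Review bot: `parser.setLoadExternalDTD(false)` stops the external DTD subset from being fetched, but as far as I know it does not stop Xerces' default entity resolver from resolving external general entities declared in the document's internal subset (`<!ENTITY x SYSTEM "file:///...">`), and the transform input here is attacker-controlled until the signature has been verified. If the Xerces version this builds against provides it (3.1 onwards, I believe), add `parser.setDisableDefaultEntityResolution(true);` next to the `setLoadExternalDTD` call. A smaller point: `securityManager` is declared after `parser`, so it is destroyed first while the parser still holds its address; that is harmless today because it is only consulted during `parse`, but declaring it before `parser` removes the dangling-pointer window. TXFMParser::setInput begins before this hunk and its error handling continues after it.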
Modified: santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp Mon Jun 17 22:32:41 2013
@@ -187,8 +187,12 @@ void TXFMXSL::evaluateStyleSheet(const s
parser->setDoNamespaces(true);
parser->setCreateEntityReferenceNodes(true);
+ parser->setLoadExternalDTD(false);
parser->setDoSchema(true);
+ SecurityManager securityManager;
+ parser->setSecurityManager(&securityManager);
+
// Create an input source
MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) txoh.buffer.rawBuffer(), txoh.offset, "XSECMem");
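Review bot: The SecurityManager installed here never has `setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT)` called on it, unlike the three other parse sites in this commit, so this parser keeps Xerces' built-in default limit (which I believe is far larger than 1000) and the change log's "reduced entity expansion limits" does not hold for the XSLT transform's input. Add `securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);` between the declaration and the `setSecurityManager` call. Separately, `parser` is a pointer created outside this hunk while `securityManager` is a stack local of evaluateStyleSheet; I cannot see the parser's lifetime from here, but if it outlives this function `setSecurityManager(&securityManager)` leaves it holding a dangling pointer. The function continues past the end of the hunk.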
Modified: santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp Mon Jun 17 22:32:41 2013
@@ -218,31 +218,31 @@ char * XSECSOAPRequestorSimple::wrapAndS
DOMDocument * XSECSOAPRequestorSimple::parseAndUnwrap(const char * buf, unsigned int len) {
- XercesDOMParser * parser = new XercesDOMParser;
- Janitor<XercesDOMParser> j_parser(parser);
-
- parser->setDoNamespaces(true);
- parser->setCreateEntityReferenceNodes(true);
- parser->setDoSchema(true);
+ XercesDOMParser parser;
+ parser.setDoNamespaces(true);
+ parser.setLoadExternalDTD(false);
+
+ SecurityManager securityManager;
+ securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+ parser.setSecurityManager(&securityManager);
// Create an input source
- MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) buf, len, "XSECMem");
- Janitor<MemBufInputSource> j_memIS(memIS);
+ MemBufInputSource memIS((const XMLByte*) buf, len, "XSECMem");
- parser->parse(*memIS);
- xsecsize_t errorCount = parser->getErrorCount();
+ parser.parse(memIS);
+ xsecsize_t errorCount = parser.getErrorCount();
if (errorCount > 0)
throw XSECException(XSECException::HTTPURIInputStreamError,
"Error parsing response message");
if (m_envelopeType == ENVELOPE_NONE) {
- return parser->adoptDocument();
+ return parser.adoptDocument();
}
- DOMDocument * responseDoc = parser->getDocument();
+ DOMDocument * responseDoc = parser.getDocument();
// Must be a SOAP message of some kind - so lets remove the wrapper.
// First create a new document for the Response message
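Review bot: The buffer parsed in parseAndUnwrap is the body of an HTTP response from a remote endpoint, i.e. fully untrusted, and `setLoadExternalDTD(false)` plus the expansion limit do not, as far as I know, stop Xerces from resolving external general entities declared in the response's internal DTD subset. Next to the `setLoadExternalDTD` call add `parser.setDisableDefaultEntityResolution(true);` where the Xerces version supports it, and consider rejecting any response that carries a DOCTYPE at all, since a SOAP envelope has no legitimate need for one — for example `if (parser.getDocument()->getDoctype() != NULL) throw XSECException(XSECException::HTTPURIInputStreamError, "DOCTYPE in response message");` before the envelope handling. As in the other parse sites, declaring `securityManager` before `parser` would avoid the parser briefly holding a pointer to a destroyed object at scope exit. parseAndUnwrap continues beyond the hunk.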
Modified: santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp Mon Jun 17 22:32:41 2013
@@ -270,8 +270,9 @@ DOMDocumentFragment * XENCCipherImpl::de
sb.sbXMLChAppendCh(chCloseAngle);
char* prefix = transcodeToUTF8(sb.rawXMLChBuffer());
-
sbt = prefix;
+ XSEC_RELEASE_XMLCH(prefix);
+
const char * crcb = content.rawCharBuffer();
int offset = 0;
if (crcb[0] == '<' && crcb[1] == '?') {
@@ -286,9 +287,6 @@ DOMDocumentFragment * XENCCipherImpl::de
sbt.sbStrcatIn(&crcb[offset]);
- // Now transform the content to UTF-8
- //sb.sbXMLChCat8(content.rawCharBuffer());
-
// Terminate the string
sb.sbXMLChIn(DSIGConstants::s_unicodeStrEmpty);
sb.sbXMLChAppendCh(chOpenAngle);
@@ -300,37 +298,24 @@ DOMDocumentFragment * XENCCipherImpl::de
sbt.sbStrcatIn(trailer);
XSEC_RELEASE_XMLCH(trailer);
- // Now we need to parse the document
- XercesDOMParser* parser = NULL;
- MemBufInputSource* memIS = NULL;
- try {
- parser = new XercesDOMParser;
-
- parser->setDoNamespaces(true);
- parser->setCreateEntityReferenceNodes(true);
- parser->setDoSchema(false);
-
- // Create an input source
- xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer());
- memIS = new MemBufInputSource((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem");
- }
- catch (...) {
- delete memIS;
- delete parser;
- XSEC_RELEASE_XMLCH(prefix);
- throw;
- }
-
- XSEC_RELEASE_XMLCH(prefix);
- Janitor<XercesDOMParser> j_parser(parser);
- Janitor<MemBufInputSource> j_memIS(memIS);
+ // Create an input source
+ xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer());
+ MemBufInputSource memIS((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem");
+
+ XercesDOMParser parser;
+ parser.setDoNamespaces(true);
+ parser.setLoadExternalDTD(false);
+
+ SecurityManager securityManager;
+ securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+ parser.setSecurityManager(&securityManager);
- parser->parse(*memIS);
- xsecsize_t errorCount = parser->getErrorCount();
+ parser.parse(memIS);
+ xsecsize_t errorCount = parser.getErrorCount();
if (errorCount > 0)
throw XSECException(XSECException::CipherError, "Errors occured during de-serialisation of decrypted element content");
- DOMDocument * doc = parser->getDocument();
+ DOMDocument * doc = parser.getDocument();
// Create a DocumentFragment to hold the children of the parsed doc element
DOMDocument *ctxDocument = ctx->getOwnerDocument();
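Review bot: `XMLString::stringLen(sbt.rawCharBuffer())` sizes the parser input by scanning for a NUL, and `sbt.sbStrcatIn(&crcb[offset])` earlier in the function takes a bare `const char*` and so also stops at the first NUL, which means decrypted content containing an embedded NUL byte is silently truncated there and the remainder still parses as a well-formed document because the trailer is appended afterwards. That behaviour predates this commit, but since the parse setup is being rewritten it should at least be documented: `// NOTE: decrypted content is handled as a NUL-terminated string; bytes after an embedded NUL are dropped without error`, or, if safeBuffer exposes its real length, compared against the scanned length with a CipherError thrown on mismatch. Also, `securityManager` is declared after `parser` and so is destroyed first while the parser still points to it; harmless today as it is only consulted during `parse`, but declaring it before `parser` avoids the dangling pointer. The enclosing XENCCipherImpl method begins before this hunk and continues after it.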