Posted to commits@santuario.apache.org by sc...@apache.org on 2013/06/18 00:32:42 UTC

svn commit: r1493962 - in /santuario/xml-security-cpp/trunk: CHANGELOG.txt xsec/framework/XSECDefs.hpp xsec/transformers/TXFMParser.cpp xsec/transformers/TXFMXSL.cpp xsec/utils/XSECSOAPRequestorSimple.cpp xsec/xenc/impl/XENCCipherImpl.cpp

Author: scantor
Date: Mon Jun 17 22:32:41 2013
New Revision: 1493962

URL: http://svn.apache.org/r1493962
Log:
Tighten up entity expansion limits

Modified:
    santuario/xml-security-cpp/trunk/CHANGELOG.txt
    santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp
    santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp
    santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp
    santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp
    santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp

Modified: santuario/xml-security-cpp/trunk/CHANGELOG.txt
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/CHANGELOG.txt?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/CHANGELOG.txt (original)
+++ santuario/xml-security-cpp/trunk/CHANGELOG.txt Mon Jun 17 22:32:41 2013
@@ -1,3 +1,8 @@
+Changes since 1.7.0
+=====================================
+* Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156
+* Reduced entity expansion limits when parsing
+
 Changes since 1.6.1
 =====================================
 * [SANTUARIO-314] - AES-GCM support

Modified: santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/framework/XSECDefs.hpp Mon Jun 17 22:32:41 2013
@@ -69,6 +69,9 @@
     typedef unsigned int xsecsize_t;
 #endif
 
+// Pending API change, compile in a limit for Xerces SecurityManager entity expansion
+#define XSEC_ENTITY_EXPANSION_LIMIT 1000
+
 
 // --------------------------------------------------------------------------------
 //           Namespace Handling
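Review bot: The comment above `#define XSEC_ENTITY_EXPANSION_LIMIT 1000` says "pending API change" but not what the number counts or that it cannot be changed without recompiling, which is what a user of the library will want to know. Suggest `// Upper bound on entity expansions Xerces' SecurityManager allows per parse; compiled in until a runtime setter is added (pending API change)`. Stating that the value is applied through SecurityManager::setEntityExpansionLimit in every parser the library builds would also make it easier to spot a parser that forgets it.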

Modified: santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/transformers/TXFMParser.cpp Mon Jun 17 22:32:41 2013
@@ -114,8 +114,11 @@ void TXFMParser::setInput(TXFMBase *newI
 	XercesDOMParser parser;
 
 	parser.setDoNamespaces(true);
-	parser.setCreateEntityReferenceNodes(true);
-	parser.setDoSchema(true);
+	parser.setLoadExternalDTD(false);
+
+	SecurityManager securityManager;
+	securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+	parser.setSecurityManager(&securityManager);
 
 	parser.parse(is);
     xsecsize_t errorCount = parser.getErrorCount();
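Review bot: The three added hardening lines from `parser.setLoadExternalDTD(false);` to `parser.setSecurityManager(&securityManager);` have no comment saying why they are there, and the same sequence is repeated in XSECSOAPRequestorSimple.cpp and XENCCipherImpl.cpp. A one-line why-comment such as `// Input is untrusted: no external DTD fetches, entity expansion capped at XSEC_ENTITY_EXPANSION_LIMIT` ties the settings to the CHANGELOG entry. The parser appears to keep only a raw pointer to securityManager, so it is also worth noting that the SecurityManager must outlive every use of the parser; here both are locals of the same scope, which is fine. TXFMParser::setInput begins before the hunk and continues after it.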

Modified: santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/transformers/TXFMXSL.cpp Mon Jun 17 22:32:41 2013
@@ -187,8 +187,12 @@ void TXFMXSL::evaluateStyleSheet(const s
 
 	parser->setDoNamespaces(true);
 	parser->setCreateEntityReferenceNodes(true);
+	parser->setLoadExternalDTD(false);
 	parser->setDoSchema(true);
 
+	SecurityManager securityManager;
+	parser->setSecurityManager(&securityManager);
+
 	// Create an input source
 
 	MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) txoh.buffer.rawBuffer(), txoh.offset, "XSECMem");
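Review bot: The SecurityManager declared at `SecurityManager securityManager;` is installed without `securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);`, so this parser keeps Xerces' built-in default expansion limit instead of the compiled-in one the CHANGELOG describes; the other three parsers in this commit all set it. Adding that line between the declaration and `parser->setSecurityManager(&securityManager);` makes the hunk consistent with TXFMParser.cpp, XSECSOAPRequestorSimple.cpp and XENCCipherImpl.cpp. This hunk also keeps `setCreateEntityReferenceNodes(true)` and `setDoSchema(true)`, which the other hunks drop; if the XSLT path needs them, a short comment saying so would stop the next reader from "fixing" it. TXFMXSL::evaluateStyleSheet starts before the hunk and continues after it.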

Modified: santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/utils/XSECSOAPRequestorSimple.cpp Mon Jun 17 22:32:41 2013
@@ -218,31 +218,31 @@ char * XSECSOAPRequestorSimple::wrapAndS
 
 DOMDocument * XSECSOAPRequestorSimple::parseAndUnwrap(const char * buf, unsigned int len) {
 
-	XercesDOMParser * parser = new XercesDOMParser;
-	Janitor<XercesDOMParser> j_parser(parser);
-
-	parser->setDoNamespaces(true);
-	parser->setCreateEntityReferenceNodes(true);
-	parser->setDoSchema(true);
+	XercesDOMParser parser;
+	parser.setDoNamespaces(true);
+	parser.setLoadExternalDTD(false);
+
+	SecurityManager securityManager;
+	securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+	parser.setSecurityManager(&securityManager);
 
 	// Create an input source
 
-	MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) buf, len, "XSECMem");
-	Janitor<MemBufInputSource> j_memIS(memIS);
+	MemBufInputSource memIS((const XMLByte*) buf, len, "XSECMem");
 
-	parser->parse(*memIS);
-    xsecsize_t errorCount = parser->getErrorCount();
+	parser.parse(memIS);
+	xsecsize_t errorCount = parser.getErrorCount();
     if (errorCount > 0)
 		throw XSECException(XSECException::HTTPURIInputStreamError,
 							"Error parsing response message");
 
 	if (m_envelopeType == ENVELOPE_NONE) {
 
-		return parser->adoptDocument();
+		return parser.adoptDocument();
 
 	}
 
-    DOMDocument * responseDoc = parser->getDocument();
+	DOMDocument * responseDoc = parser.getDocument();
 
 	// Must be a SOAP message of some kind - so lets remove the wrapper.
 	// First create a new document for the Response message
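Review bot: The parser setup from `parser.setDoNamespaces(true);` through `parser.setSecurityManager(&securityManager);` is now the fourth hand-written copy of the same sequence in this commit, and the TXFMXSL.cpp copy already differs from the others, which is the usual way such a hardening step gets lost. A small file-local or shared helper taking the `XercesDOMParser&` and `SecurityManager&` and applying all four settings would leave each call site with one line and keep the settings identical everywhere. Two smaller points on the new side: `(const XMLByte*) buf` on the MemBufInputSource line is a C-style cast where `reinterpret_cast<const XMLByte*>(buf)` states the intent, and `    if (errorCount > 0)` keeps its four-space indent while the retabbed line above it and the lines below use tabs. parseAndUnwrap continues past the end of the hunk.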

Modified: santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp
URL: http://svn.apache.org/viewvc/santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp?rev=1493962&r1=1493961&r2=1493962&view=diff
==============================================================================
--- santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp (original)
+++ santuario/xml-security-cpp/trunk/xsec/xenc/impl/XENCCipherImpl.cpp Mon Jun 17 22:32:41 2013
@@ -270,8 +270,9 @@ DOMDocumentFragment * XENCCipherImpl::de
     sb.sbXMLChAppendCh(chCloseAngle);
 
     char* prefix = transcodeToUTF8(sb.rawXMLChBuffer());
-
     sbt = prefix;
+    XSEC_RELEASE_XMLCH(prefix);
+
     const char * crcb = content.rawCharBuffer();
     int offset = 0;
     if (crcb[0] == '<' && crcb[1] == '?') {
@@ -286,9 +287,6 @@ DOMDocumentFragment * XENCCipherImpl::de
 
     sbt.sbStrcatIn(&crcb[offset]);
 
-    // Now transform the content to UTF-8
-    //sb.sbXMLChCat8(content.rawCharBuffer());
-
     // Terminate the string
     sb.sbXMLChIn(DSIGConstants::s_unicodeStrEmpty);
     sb.sbXMLChAppendCh(chOpenAngle);
@@ -300,37 +298,24 @@ DOMDocumentFragment * XENCCipherImpl::de
     sbt.sbStrcatIn(trailer);
     XSEC_RELEASE_XMLCH(trailer);
 
-    // Now we need to parse the document
-    XercesDOMParser* parser = NULL;
-    MemBufInputSource* memIS = NULL;
-    try {
-        parser = new XercesDOMParser;
-
-        parser->setDoNamespaces(true);
-        parser->setCreateEntityReferenceNodes(true);
-        parser->setDoSchema(false);
-
-        // Create an input source
-        xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer());
-        memIS = new MemBufInputSource((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem");
-    }
-    catch (...) {
-        delete memIS;
-        delete parser;
-        XSEC_RELEASE_XMLCH(prefix);
-        throw;
-    }
-
-    XSEC_RELEASE_XMLCH(prefix);
-    Janitor<XercesDOMParser> j_parser(parser);
-    Janitor<MemBufInputSource> j_memIS(memIS);
+    // Create an input source
+    xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer());
+    MemBufInputSource memIS((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem");
+
+    XercesDOMParser parser;
+    parser.setDoNamespaces(true);
+    parser.setLoadExternalDTD(false);
+
+    SecurityManager securityManager;
+    securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+    parser.setSecurityManager(&securityManager);
 
-    parser->parse(*memIS);
-    xsecsize_t errorCount = parser->getErrorCount();
+    parser.parse(memIS);
+    xsecsize_t errorCount = parser.getErrorCount();
     if (errorCount > 0)
         throw XSECException(XSECException::CipherError, "Errors occured during de-serialisation of decrypted element content");
 
-    DOMDocument * doc = parser->getDocument();
+    DOMDocument * doc = parser.getDocument();
 
     // Create a DocumentFragment to hold the children of the parsed doc element
     DOMDocument *ctxDocument = ctx->getOwnerDocument();
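Review bot: The new input-source lines compute the length with `XMLString::stringLen(sbt.rawCharBuffer())` but pass the pointer from `sbt.rawBuffer()`; presumably both accessors expose the same buffer, and a comment saying so (or using one accessor for both) would save the reader from checking safeBuffer. This parse consumes decrypted content, so the hardening block deserves a why-comment such as `// Decrypted content is untrusted: no external DTD fetches, entity expansion capped at XSEC_ENTITY_EXPANSION_LIMIT`. `(const XMLByte*) sbt.rawBuffer()` is a C-style cast; `reinterpret_cast<const XMLByte*>(sbt.rawBuffer())` is the greppable form. The enclosing method (its name is truncated in the hunk header) starts before the first hunk of this file and continues after this one.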