Posted to commits@jackrabbit.apache.org by re...@apache.org on 2015/05/21 11:48:00 UTC
svn commit: r1680785 - in /jackrabbit/branches/2.8: ./
jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/
jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/
Author: reschke
Date: Thu May 21 09:48:00 2015
New Revision: 1680785
URL: http://svn.apache.org/r1680785
Log:
JCR-3883: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) (ported to 2.8)
Added:
jackrabbit/branches/2.8/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
- copied unchanged from r1680757, jackrabbit/trunk/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
jackrabbit/branches/2.8/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
- copied unchanged from r1680757, jackrabbit/trunk/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
Modified:
jackrabbit/branches/2.8/ (props changed)
jackrabbit/branches/2.8/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
jackrabbit/branches/2.8/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
Propchange: jackrabbit/branches/2.8/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu May 21 09:48:00 2015
@@ -1,3 +1,3 @@
/jackrabbit/branches/JCR-2272:1173165-1176545
/jackrabbit/sandbox/JCR-2415-lucene-3.0:1060860-1064038
-/jackrabbit/trunk:1592881,1597717,1597799,1597806,1598035,1598058,1603769,1603934,1609712,1625561,1634584,1667787
+/jackrabbit/trunk:1592881,1597717,1597799,1597806,1598035,1598058,1603769,1603934,1609712,1625561,1634584,1667787,1680757
Modified: jackrabbit/branches/2.8/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.8/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java?rev=1680785&r1=1680784&r2=1680785&view=diff
==============================================================================
--- jackrabbit/branches/2.8/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java (original)
+++ jackrabbit/branches/2.8/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java Thu May 21 09:48:00 2015
@@ -28,9 +28,7 @@ import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
import org.w3c.dom.NamedNodeMap;
import org.xml.sax.SAXException;
-import org.xml.sax.helpers.DefaultHandler;
-import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
@@ -56,26 +54,10 @@ public class DomUtil {
private static Logger log = LoggerFactory.getLogger(DomUtil.class);
/**
- * Constant for <code>DocumentBuilderFactory</code> which is used
+ * Constant for <code>DavDocumentBuilderFactory</code> which is used
* to create and parse DOM documents.
*/
- private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
-
- private static DocumentBuilderFactory createFactory() {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setNamespaceAware(true);
- factory.setIgnoringComments(true);
- factory.setIgnoringElementContentWhitespace(true);
- factory.setCoalescing(true);
- try {
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
- } catch (ParserConfigurationException e) {
- log.warn("Secure XML processing is not supported", e);
- } catch (AbstractMethodError e) {
- log.warn("Secure XML processing is not supported", e);
- }
- return factory;
- }
+ private static final DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
/**
* Support the replacement of {@link #BUILDER_FACTORY}. This is useful
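Review bot: The Javadoc on `BUILDER_FACTORY` only swaps the type name and does not say why the wrapper exists, although the removed `createFactory()` was the one place that showed the parser configuration. `DavDocumentBuilderFactory` is copied from trunk and is not shown in this mail, so a reader of `DomUtil` cannot tell which protections it applies, or whether the old namespace-aware, comment-ignoring and coalescing settings are kept. I would extend the comment to something like `Constant for the <code>DavDocumentBuilderFactory</code> used to create and parse DOM documents; all parsing in this class must go through it so that the XXE/XEE protections of JCR-3883 apply.` That makes it less likely a later edit falls back to a bare `DocumentBuilderFactory.newInstance()`.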
@@ -88,7 +70,7 @@ public class DomUtil {
*/
public static void setBuilderFactory(
DocumentBuilderFactory documentBuilderFactory) {
- BUILDER_FACTORY = documentBuilderFactory;
+ BUILDER_FACTORY.setFactory(documentBuilderFactory);
}
/**
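Review bot: `setBuilderFactory` remains a public static hook that accepts any `DocumentBuilderFactory`, and the new line `BUILDER_FACTORY.setFactory(documentBuilderFactory);` forwards it without stating what hardening the replacement must carry. Since `DavDocumentBuilderFactory` is not visible here, it cannot be confirmed whether builders from a replaced factory still get the entity restrictions. If they do not, a caller that installs its own factory would bring back the exposure this commit fixes without any sign of it. The method's Javadoc starts outside the hunk; I would add a sentence there such as `A replacement factory must itself prevent DTD and external entity processing; the defaults applied by DavDocumentBuilderFactory may not cover it.`, adjusted once the wrapper's actual behaviour is checked.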
@@ -119,11 +101,6 @@ public class DomUtil {
public static Document parseDocument(InputStream stream)
throws ParserConfigurationException, SAXException, IOException {
DocumentBuilder docBuilder = BUILDER_FACTORY.newDocumentBuilder();
-
- // Set an error handler to prevent parsers from printing error messages
- // to standard output!
- docBuilder.setErrorHandler(new DefaultHandler());
-
return docBuilder.parse(stream);
}
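Review bot: `parseDocument` no longer installs the `DefaultHandler` error handler, and the comment explaining it (keeping parser errors off standard output) is removed with it. Presumably `DavDocumentBuilderFactory.newDocumentBuilder()` now sets the handler, but that class is not shown in this mail. If it is only set for the default factory, builders from a factory installed via `setBuilderFactory` would print parse errors to standard output again. A short replacement comment above the `newDocumentBuilder()` call would record where this moved, for example `// error handler and entity restrictions are installed by DavDocumentBuilderFactory`.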
Modified: jackrabbit/branches/2.8/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.8/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java?rev=1680785&r1=1680784&r2=1680785&view=diff
==============================================================================
--- jackrabbit/branches/2.8/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java (original)
+++ jackrabbit/branches/2.8/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java Thu May 21 09:48:00 2015
@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
suite.addTestSuite(NamespaceTest.class);
+ suite.addTestSuite(ParserTest.class);
return suite;
}