[libspring-java] 01/02: Fix CVE-2013-4152
Markus Koschany
apo-guest at moszumanska.debian.org
Thu Dec 5 12:57:05 UTC 2013
This is an automated email from the git hooks/post-receive script.
apo-guest pushed a commit to branch master
in repository libspring-java.
commit d4ca951bb6aeee75602ea7542a1cd487380d91a0
Author: Markus Koschany <apo at gambaru.de>
Date: Thu Dec 5 13:43:14 2013 +0100
Fix CVE-2013-4152
---
...rocessExternalEntities-to-JAXB2Marshaller.patch | 116 +++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 117 insertions(+)
diff --git a/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch b/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch
new file mode 100644
index 0000000..77afb93
--- /dev/null
+++ b/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch
@@ -0,0 +1,116 @@
+From: Markus Koschany <apo at gambaru.de>
+Date: Thu, 5 Dec 2013 10:59:47 +0100
+Subject: Add 'processExternalEntities to JAXB2Marshaller
+
+Added 'processExternalEntities' property to the JAXB2Marshaller, which
+indicates whether external XML entities are processed when
+unmarshalling.
+
+Default is false, meaning that external entities are not resolved.
+Processing of external entities will only be enabled/disabled when the
+Source} passed to #unmarshal(Source) is a SAXSource or StreamSource. It
+has no effect for DOMSource or StAXSource instances.
+
+Original patch by Arjen Poutsma.
+
+Bug: http://bugs.debian.org/720902
+---
+ .../springframework/oxm/jaxb/Jaxb2Marshaller.java | 56 ++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 890ce18..1b3412d 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -61,7 +61,9 @@ import javax.xml.stream.XMLStreamReader;
+ import javax.xml.stream.XMLStreamWriter;
+ import javax.xml.transform.Result;
+ import javax.xml.transform.Source;
++import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.sax.SAXSource;
++import javax.xml.transform.stream.StreamSource;
+ import javax.xml.validation.Schema;
+ import javax.xml.validation.SchemaFactory;
+
+@@ -158,6 +160,8 @@ public class Jaxb2Marshaller
+
+ private boolean lazyInit = false;
+
++ private boolean processExternalEntities = false;
++
+
+ /**
+ * Set multiple JAXB context paths. The given array of context paths is converted to a
+@@ -301,6 +305,18 @@ public class Jaxb2Marshaller
+ this.lazyInit = lazyInit;
+ }
+
++ /**
++ * Indicates whether external XML entities are processed when unmarshalling.
++ * <p>Default is {@code false}, meaning that external entities are not resolved.
++ * Note that processing of external entities will only be enabled/disabled when the
++ * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
++ * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
++ * instances.
++ */
++ public void setProcessExternalEntities(boolean processExternalEntities) {
++ this.processExternalEntities = processExternalEntities;
++ }
++
+ public void setBeanClassLoader(ClassLoader classLoader) {
+ this.beanClassLoader = classLoader;
+ }
+@@ -569,6 +585,8 @@ public class Jaxb2Marshaller
+ }
+
+ public Object unmarshal(Source source, MimeContainer mimeContainer) throws XmlMappingException {
++ source = processSource(source);
++
+ try {
+ Unmarshaller unmarshaller = createUnmarshaller();
+ if (this.mtomEnabled && mimeContainer != null) {
+@@ -616,6 +634,44 @@ public class Jaxb2Marshaller
+ }
+ }
+
++ private Source processSource(Source source) {
++ if (StaxUtils.isStaxSource(source) || source instanceof DOMSource) {
++ return source;
++ }
++
++ XMLReader xmlReader = null;
++ InputSource inputSource = null;
++
++ if (source instanceof SAXSource) {
++ SAXSource saxSource = (SAXSource) source;
++ xmlReader = saxSource.getXMLReader();
++ inputSource = saxSource.getInputSource();
++ }
++ else if (source instanceof StreamSource) {
++ StreamSource streamSource = (StreamSource) source;
++ if (streamSource.getInputStream() != null) {
++ inputSource = new InputSource(streamSource.getInputStream());
++ }
++ else if (streamSource.getReader() != null) {
++ inputSource = new InputSource(streamSource.getReader());
++ }
++ }
++
++ try {
++ if (xmlReader == null) {
++ xmlReader = XMLReaderFactory.createXMLReader();
++ }
++ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities",
++ this.processExternalEntities);
++
++ return new SAXSource(xmlReader, inputSource);
++ }
++ catch (SAXException ex) {
++ logger.warn("Processing of external entities could not be disabled", ex);
++ return source;
++ }
++ }
++
+ /**
+ * Template method that can be overridden by concrete JAXB marshallers for custom initialization behavior.
+ * Gets called after creation of JAXB <code>Marshaller</code>, and after the respective properties have been set.
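Review bot: The catch block at the end of processSource fails open: when setFeature throws (a SAX implementation that does not recognise the feature, for example), the warning is logged and the original, unconfigured Source is returned, so unmarshal proceeds with external entities still resolved and the new default silently does nothing. Only `external-general-entities` is set; the same parser still resolves external parameter entities unless `http://xml.org/sax/features/external-parameter-entities` is set to `this.processExternalEntities` as well. The StreamSource branch also has no fallback for a source that carries only a systemId, so such a source reaches `new SAXSource(xmlReader, null)` and can no longer be unmarshalled as it was before this patch. The enclosing class continues outside the hunk; the rewrite below assumes UnmarshallingFailureException is already in scope for this class, which should be confirmed.
```java
private Source processSource(Source source) {
    // … unchanged: StAX/DOM early return, SAXSource branch, StreamSource InputStream/Reader branches …
            else {
                inputSource = new InputSource(streamSource.getSystemId());
            }
    // … unchanged: XMLReader creation and the external-general-entities feature …
            xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities",
                    this.processExternalEntities);
            return new SAXSource(xmlReader, inputSource);
        }
        catch (SAXException ex) {
            // fail closed: never hand the unmarshaller a Source whose entity handling is unknown
            throw new UnmarshallingFailureException(
                    "Could not configure external entity processing on XMLReader", ex);
        }
```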
diff --git a/debian/patches/series b/debian/patches/series
index 6365123..533ec80 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
0009_hibernate_validator_41.diff
0010_velocity_17.diff
0011-java7-compat.patch
+Add-processExternalEntities-to-JAXB2Marshaller.patch