[libspring-java] 01/02: Add patch to fix bug 720902

Markus Koschany apo-guest at moszumanska.debian.org
Thu Dec 5 12:57:19 UTC 2013

This is an automated email from the git hooks/post-receive script.

apo-guest pushed a commit to branch stable-security
in repository libspring-java.

commit 84941c7f0b521ad0f579ac2f092c88e1b7c42c8b
Author: Markus Koschany <apo at gambaru.de>
Date:   Thu Dec 5 11:09:23 2013 +0100

    Add patch to fix bug 720902
 ...rocessExternalEntities-to-JAXB2Marshaller.patch | 116 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 2 files changed, 117 insertions(+)

diff --git a/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch b/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch
new file mode 100644
index 0000000..77afb93
--- /dev/null
+++ b/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch
@@ -0,0 +1,116 @@
+From: Markus Koschany <apo at gambaru.de>
+Date: Thu, 5 Dec 2013 10:59:47 +0100
+Subject: Add 'processExternalEntities to JAXB2Marshaller
+Added 'processExternalEntities' property to the JAXB2Marshaller, which
+indicates whether external XML entities are processed when
+Default is false, meaning that external entities are not resolved.
+Processing of external entities will only be enabled/disabled when the
+Source} passed to #unmarshal(Source) is a SAXSource or StreamSource. It
+has no effect for DOMSource or StAXSource instances.
+Original patch by Arjen Poutsma.
+Bug: http://bugs.debian.org/720902
+ .../springframework/oxm/jaxb/Jaxb2Marshaller.java  | 56 ++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 890ce18..1b3412d 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -61,7 +61,9 @@ import javax.xml.stream.XMLStreamReader;
+ import javax.xml.stream.XMLStreamWriter;
+ import javax.xml.transform.Result;
+ import javax.xml.transform.Source;
++import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.sax.SAXSource;
++import javax.xml.transform.stream.StreamSource;
+ import javax.xml.validation.Schema;
+ import javax.xml.validation.SchemaFactory;
+@@ -158,6 +160,8 @@ public class Jaxb2Marshaller
+ 	private boolean lazyInit = false;
++	private boolean processExternalEntities = false;
+ 	/**
+ 	 * Set multiple JAXB context paths. The given array of context paths is converted to a
+@@ -301,6 +305,18 @@ public class Jaxb2Marshaller
+ 		this.lazyInit = lazyInit;
+ 	}
++	/**
++	 * Indicates whether external XML entities are processed when unmarshalling.
++	 * <p>Default is {@code false}, meaning that external entities are not resolved.
++	 * Note that processing of external entities will only be enabled/disabled when the
++	 * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
++	 * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
++	 * instances.
++	 */
++	public void setProcessExternalEntities(boolean processExternalEntities) {
++		this.processExternalEntities = processExternalEntities;
++	}
+ 	public void setBeanClassLoader(ClassLoader classLoader) {
+ 		this.beanClassLoader = classLoader;
+ 	}
+@@ -569,6 +585,8 @@ public class Jaxb2Marshaller
+ 	}
+ 	public Object unmarshal(Source source, MimeContainer mimeContainer) throws XmlMappingException {
++		source = processSource(source);
+ 		try {
+ 			Unmarshaller unmarshaller = createUnmarshaller();
+ 			if (this.mtomEnabled && mimeContainer != null) {
+@@ -616,6 +634,44 @@ public class Jaxb2Marshaller
+ 		}
+ 	}
++	private Source processSource(Source source) {
++		if (StaxUtils.isStaxSource(source) || source instanceof DOMSource) {
++			return source;
++		}
++		XMLReader xmlReader = null;
++		InputSource inputSource = null;
++		if (source instanceof SAXSource) {
++			SAXSource saxSource = (SAXSource) source;
++			xmlReader = saxSource.getXMLReader();
++			inputSource = saxSource.getInputSource();
++		}
++		else if (source instanceof StreamSource) {
++			StreamSource streamSource = (StreamSource) source;
++			if (streamSource.getInputStream() != null) {
++				inputSource = new InputSource(streamSource.getInputStream());
++			}
++			else if (streamSource.getReader() != null) {
++				inputSource = new InputSource(streamSource.getReader());
++			}
++		}
++		try {
++			if (xmlReader == null) {
++				xmlReader = XMLReaderFactory.createXMLReader();
++			}
++			xmlReader.setFeature("http://xml.org/sax/features/external-general-entities",
++					this.processExternalEntities);
++			return new SAXSource(xmlReader, inputSource);
++		}
++		catch (SAXException ex) {
++			logger.warn("Processing of external entities could not be disabled", ex);
++			return source;
++		}
++	}
+ 	/**
+ 	 * Template method that can be overridden by concrete JAXB marshallers for custom initialization behavior.
+ 	 * Gets called after creation of JAXB <code>Marshaller</code>, and after the respective properties have been set.
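Review bot: The `catch (SAXException ex)` branch of `processSource` fails open: when the reader rejects the feature, the method only logs a warning and executes `return source;`, so unmarshalling continues with the default parser's entity handling even though `processExternalEntities` is false. With the flag false, that branch should abort the unmarshal (rethrow as the marshaller's unmarshalling failure) rather than hand back the unprotected source; the message "could not be disabled" is also wrong on the path where the flag is true. The hardening sets only `external-general-entities`, while external parameter entities are controlled by a separate SAX feature, so I would add `xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", this.processExternalEntities);` next to the existing call. Separately, a `StreamSource` that carries only a system id leaves `inputSource` null and its system id is never copied, so `new SAXSource(xmlReader, inputSource)` appears to lose the input for that case.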
diff --git a/debian/patches/series b/debian/patches/series
index ed8c1dd..ca5006b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@

