[libspring-java] 01/01: Fix CVE-2013-6429 CVE-2013-6430.
Markus Koschany
apo-guest at moszumanska.debian.org
Fri Jan 24 23:05:06 UTC 2014
This is an automated email from the git hooks/post-receive script.
apo-guest pushed a commit to branch master
in repository libspring-java.
commit a8fbd23b3048058d221c01004ff187262d6c5a7b
Author: Markus Koschany <apo at gambaru.de>
Date: Fri Jan 24 18:00:09 2014 +0100
Fix CVE-2013-6429 CVE-2013-6430.
---
debian/changelog | 18 +
debian/patches/CVE-2013-6429.patch | 712 +++++++++++++++++++++++++++++++++++++
debian/patches/CVE-2013-6430.patch | 151 ++++++++
debian/patches/series | 2 +
4 files changed, 883 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index b2876ce..4883ed5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,21 @@
+libspring-java (3.0.6.RELEASE-11) unstable; urgency=high
+
+ * Team upload.
+ * Fix CVE-2013-6429 and CVE-2013-6430. (Closes: #735420)
+ - New patches: CVE-2013-6429.patch and CVE-2013-6430.patch.
+ - Spring MVC's SourceHttpMessageConverter also processed user provided XML
+ and neither disabled XML external entities nor provided an option to
+ disable them. SourceHttpMessageConverter has been modified to provide an
+ option to control the processing of XML external entities and that
+ processing is now disabled by default.
+ - The JavaScriptUtils.javaScriptEscape() method did not escape all
+ characters that are sensitive within either a JS single quoted string, JS
+ double quoted string, or HTML script data context. In most cases this
+ will result in an unexploitable parse error but in some cases it could
+ result in an XSS vulnerability.
+
+ -- Markus Koschany <apo at gambaru.de> Fri, 24 Jan 2014 19:22:14 +0100
+
libspring-java (3.0.6.RELEASE-10) unstable; urgency=high
* Team upload.
diff --git a/debian/patches/CVE-2013-6429.patch b/debian/patches/CVE-2013-6429.patch
new file mode 100644
index 0000000..3334c0e
--- /dev/null
+++ b/debian/patches/CVE-2013-6429.patch
@@ -0,0 +1,712 @@
+From: Markus Koschany <apo at gambaru.de>
+Date: Fri, 24 Jan 2014 16:46:07 +0100
+Subject: CVE-2013-6429
+
+Bug: http://bugs.debian.org/735420
+---
+ .../java/org/springframework/util/StreamUtils.java | 183 ++++++++++++++++++++
+ .../org/springframework/util/xml/StaxUtils.java | 15 +-
+ .../converter/xml/SourceHttpMessageConverter.java | 190 +++++++++++++++++----
+ .../xml/SourceHttpMessageConverterTests.java | 145 +++++++++++++---
+ .../http/converter/xml/external.txt | 1 +
+ 5 files changed, 478 insertions(+), 56 deletions(-)
+ create mode 100644 projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
+ create mode 100644 projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt
+
+diff --git a/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java b/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
+new file mode 100644
+index 0000000..cc3107d
+--- /dev/null
++++ b/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
+@@ -0,0 +1,183 @@
++/*
++ * Copyright 2002-2013 the original author or authors.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.springframework.util;
++
++import java.io.ByteArrayOutputStream;
++import java.io.FilterInputStream;
++import java.io.FilterOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.InputStreamReader;
++import java.io.OutputStream;
++import java.io.OutputStreamWriter;
++import java.io.Writer;
++import java.nio.charset.Charset;
++
++
++/**
++ * Simple utility methods for dealing with streams. The copy methods of this class are
++ * similar to those defined in {@link FileCopyUtils} except that all affected streams are
++ * left open when done. All copy methods use a block size of 4096 bytes.
++ *
++ * <p>Mainly for use within the framework, but also useful for application code.
++ *
++ * @author Juergen Hoeller
++ * @author Phillip Webb
++ * @since 3.2.2
++ * @see FileCopyUtils
++ */
++public abstract class StreamUtils {
++
++ public static final int BUFFER_SIZE = 4096;
++
++
++ /**
++ * Copy the contents of the given InputStream into a new byte array.
++ * Leaves the stream open when done.
++ * @param in the stream to copy from
++ * @return the new byte array that has been copied to
++ * @throws IOException in case of I/O errors
++ */
++ public static byte[] copyToByteArray(InputStream in) throws IOException {
++ ByteArrayOutputStream out = new ByteArrayOutputStream(BUFFER_SIZE);
++ copy(in, out);
++ return out.toByteArray();
++ }
++
++ /**
++ * Copy the contents of the given InputStream into a String.
++ * Leaves the stream open when done.
++ * @param in the InputStream to copy from
++ * @return the String that has been copied to
++ * @throws IOException in case of I/O errors
++ */
++ public static String copyToString(InputStream in, Charset charset) throws IOException {
++ Assert.notNull(in, "No InputStream specified");
++ StringBuilder out = new StringBuilder();
++ InputStreamReader reader = new InputStreamReader(in, charset);
++ char[] buffer = new char[BUFFER_SIZE];
++ int bytesRead = -1;
++ while ((bytesRead = reader.read(buffer)) != -1) {
++ out.append(buffer, 0, bytesRead);
++ }
++ return out.toString();
++ }
++
++ /**
++ * Copy the contents of the given byte array to the given OutputStream.
++ * Leaves the stream open when done.
++ * @param in the byte array to copy from
++ * @param out the OutputStream to copy to
++ * @throws IOException in case of I/O errors
++ */
++ public static void copy(byte[] in, OutputStream out) throws IOException {
++ Assert.notNull(in, "No input byte array specified");
++ Assert.notNull(out, "No OutputStream specified");
++ out.write(in);
++ }
++
++ /**
++ * Copy the contents of the given String to the given output OutputStream.
++ * Leaves the stream open when done.
++ * @param in the String to copy from
++ * @param charset the Charset
++ * @param out the OutputStream to copy to
++ * @throws IOException in case of I/O errors
++ */
++ public static void copy(String in, Charset charset, OutputStream out) throws IOException {
++ Assert.notNull(in, "No input String specified");
++ Assert.notNull(charset, "No charset specified");
++ Assert.notNull(out, "No OutputStream specified");
++ Writer writer = new OutputStreamWriter(out, charset);
++ writer.write(in);
++ writer.flush();
++ }
++
++ /**
++ * Copy the contents of the given InputStream to the given OutputStream.
++ * Leaves both streams open when done.
++ * @param in the InputStream to copy from
++ * @param out the OutputStream to copy to
++ * @return the number of bytes copied
++ * @throws IOException in case of I/O errors
++ */
++ public static int copy(InputStream in, OutputStream out) throws IOException {
++ Assert.notNull(in, "No InputStream specified");
++ Assert.notNull(out, "No OutputStream specified");
++ int byteCount = 0;
++ byte[] buffer = new byte[BUFFER_SIZE];
++ int bytesRead = -1;
++ while ((bytesRead = in.read(buffer)) != -1) {
++ out.write(buffer, 0, bytesRead);
++ byteCount += bytesRead;
++ }
++ out.flush();
++ return byteCount;
++ }
++
++ /**
++ * Returns a variant of the given {@link InputStream} where calling
++ * {@link InputStream#close() close()} has no effect.
++ * @param in the InputStream to decorate
++ * @return a version of the InputStream that ignores calls to close
++ */
++ public static InputStream nonClosing(InputStream in) {
++ Assert.notNull(in, "No InputStream specified");
++ return new NonClosingInputStream(in);
++ }
++
++ /**
++ * Returns a variant of the given {@link OutputStream} where calling
++ * {@link OutputStream#close() close()} has no effect.
++ * @param out the OutputStream to decorate
++ * @return a version of the OutputStream that ignores calls to close
++ */
++ public static OutputStream nonClosing(OutputStream out) {
++ Assert.notNull(out, "No OutputStream specified");
++ return new NonClosingOutputStream(out);
++ }
++
++
++ private static class NonClosingInputStream extends FilterInputStream {
++
++ public NonClosingInputStream(InputStream in) {
++ super(in);
++ }
++
++ @Override
++ public void close() throws IOException {
++ }
++ }
++
++
++ private static class NonClosingOutputStream extends FilterOutputStream {
++
++ public NonClosingOutputStream(OutputStream out) {
++ super(out);
++ }
++
++ @Override
++ public void write(byte[] b, int off, int let) throws IOException {
++ // It is critical that we override this method for performance
++ out.write(b, off, let);
++ }
++
++ @Override
++ public void close() throws IOException {
++ }
++ }
++}
+diff --git a/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java b/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java
+index 4bd4a7a..dee73ca 100644
+--- a/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java
++++ b/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java
+@@ -113,7 +113,16 @@ public abstract class StaxUtils {
+ * 1.4 {@link StAXSource}; {@code false} otherwise.
+ */
+ public static boolean isStaxSource(Source source) {
+- return (source instanceof StaxSource || (jaxp14Available && Jaxp14StaxHandler.isStaxSource(source)));
++ return ((source instanceof StaxSource) || (jaxp14Available && Jaxp14StaxHandler.isStaxSource(source)));
++ }
++
++ /**
++ * Indicate whether the given class is a StAX Source class.
++ * @return {@code true} if {@code source} is a custom StAX source or JAXP
++ * 1.4 {@link StAXSource} class; {@code false} otherwise.
++ */
++ public static boolean isStaxSourceClass(Class<? extends Source> clazz) {
++ return (StaxSource.class.equals(clazz) || (jaxp14Available && Jaxp14StaxHandler.isStaxSourceClass(clazz)));
+ }
+
+ // Stax Result
+@@ -343,6 +352,10 @@ public abstract class StaxUtils {
+ return source instanceof StAXSource;
+ }
+
++ private static boolean isStaxSourceClass(Class<? extends Source> clazz) {
++ return StAXSource.class.equals(clazz);
++ }
++
+ private static boolean isStaxResult(Result result) {
+ return result instanceof StAXResult;
+ }
+diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+index 4ba1aac..15b7d8e 100644
+--- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
++++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -19,21 +19,40 @@ package org.springframework.http.converter.xml;
+ import java.io.ByteArrayInputStream;
+ import java.io.ByteArrayOutputStream;
+ import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++import javax.xml.stream.XMLInputFactory;
++import javax.xml.stream.XMLStreamException;
++import javax.xml.stream.XMLStreamReader;
+ import javax.xml.transform.Result;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.TransformerException;
++import javax.xml.transform.TransformerFactory;
+ import javax.xml.transform.dom.DOMResult;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.sax.SAXSource;
+ import javax.xml.transform.stream.StreamResult;
+ import javax.xml.transform.stream.StreamSource;
+
++import org.w3c.dom.Document;
+ import org.xml.sax.InputSource;
++import org.xml.sax.SAXException;
++import org.xml.sax.XMLReader;
++import org.xml.sax.helpers.XMLReaderFactory;
+
+ import org.springframework.http.HttpHeaders;
++import org.springframework.http.HttpInputMessage;
++import org.springframework.http.HttpOutputMessage;
++import org.springframework.http.MediaType;
++import org.springframework.http.converter.AbstractHttpMessageConverter;
+ import org.springframework.http.converter.HttpMessageConversionException;
+ import org.springframework.http.converter.HttpMessageNotReadableException;
+ import org.springframework.http.converter.HttpMessageNotWritableException;
++import org.springframework.util.StreamUtils;
++import org.springframework.util.xml.StaxUtils;
+
+ /**
+ * Implementation of {@link org.springframework.http.converter.HttpMessageConverter}
+@@ -42,55 +61,154 @@ import org.springframework.http.converter.HttpMessageNotWritableException;
+ * @author Arjen Poutsma
+ * @since 3.0
+ */
+-public class SourceHttpMessageConverter<T extends Source> extends AbstractXmlHttpMessageConverter<T> {
++public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMessageConverter<T> {
+
+- @Override
++ private final TransformerFactory transformerFactory = TransformerFactory.newInstance();
++
++ private boolean processExternalEntities = false;
++
++ /**
++ * Sets the {@link #setSupportedMediaTypes(java.util.List) supportedMediaTypes}
++ * to {@code text/xml} and {@code application/xml}, and {@code application/*-xml}.
++ */
++ public SourceHttpMessageConverter() {
++ super(MediaType.APPLICATION_XML, MediaType.TEXT_XML, new MediaType("application", "*+xml"));
++ }
++
++
++ /**
++ * Indicates whether external XML entities are processed when converting
++ * to a Source.
++ * <p>Default is {@code false}, meaning that external entities are not resolved.
++ */
++ public void setProcessExternalEntities(boolean processExternalEntities) {
++ this.processExternalEntities = processExternalEntities;
++ }
++
++ @Override
+ public boolean supports(Class<?> clazz) {
+- return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz) || StreamSource.class.equals(clazz) ||
+- Source.class.equals(clazz);
++ return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
++ || StreamSource.class.equals(clazz) || Source.class.equals(clazz);
+ }
+
++ @Override
++ protected T readInternal(Class<? extends T> clazz, HttpInputMessage inputMessage)
++ throws IOException, HttpMessageNotReadableException {
++
++ InputStream body = inputMessage.getBody();
++ if (DOMSource.class.equals(clazz)) {
++ return (T) readDOMSource(body);
++ }
++ else if (StaxUtils.isStaxSourceClass(clazz)) {
++ return (T) readStAXSource(body);
++ }
++ else if (SAXSource.class.equals(clazz)) {
++ return (T) readSAXSource(body);
++ }
++ else if (StreamSource.class.equals(clazz) || Source.class.equals(clazz)) {
++ return (T) readStreamSource(body);
++ }
++ else {
++ throw new HttpMessageConversionException("Could not read class [" + clazz +
++ "]. Only DOMSource, SAXSource, and StreamSource are supported.");
++ }
++ }
++
++ private DOMSource readDOMSource(InputStream body) throws IOException {
++ try {
++ DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
++ documentBuilderFactory.setNamespaceAware(true);
++ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
++ DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
++ Document document = documentBuilder.parse(body);
++ return new DOMSource(document);
++ }
++ catch (ParserConfigurationException ex) {
++ throw new HttpMessageNotReadableException("Could not set feature: " + ex.getMessage(), ex);
++ }
++ catch (SAXException ex) {
++ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex);
++ }
++ }
++
++ private SAXSource readSAXSource(InputStream body) throws IOException {
++ try {
++ XMLReader reader = XMLReaderFactory.createXMLReader();
++ reader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities);
++ byte[] bytes = StreamUtils.copyToByteArray(body);
++ return new SAXSource(reader, new InputSource(new ByteArrayInputStream(bytes)));
++ }
++ catch (SAXException ex) {
++ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex);
++ }
++ }
++
++ private Source readStAXSource(InputStream body) {
++ try {
++ XMLInputFactory inputFactory = XMLInputFactory.newFactory();
++ inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
++ XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
++ return StaxUtils.createStaxSource(streamReader);
++ }
++ catch (XMLStreamException ex) {
++ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex);
++ }
++ }
++
++ private StreamSource readStreamSource(InputStream body) throws IOException {
++ byte[] bytes = StreamUtils.copyToByteArray(body);
++ return new StreamSource(new ByteArrayInputStream(bytes));
++ }
++
+ @Override
+- @SuppressWarnings("unchecked")
+- protected T readFromSource(Class clazz, HttpHeaders headers, Source source) throws IOException {
+- try {
+- if (DOMSource.class.equals(clazz)) {
+- DOMResult domResult = new DOMResult();
+- transform(source, domResult);
+- return (T) new DOMSource(domResult.getNode());
+- }
+- else if (SAXSource.class.equals(clazz)) {
+- ByteArrayInputStream bis = transformToByteArrayInputStream(source);
+- return (T) new SAXSource(new InputSource(bis));
++ protected Long getContentLength(T t, MediaType contentType) {
++ if (t instanceof DOMSource) {
++ try {
++ CountingOutputStream os = new CountingOutputStream();
++ transform(t, new StreamResult(os));
++ return os.count;
+ }
+- else if (StreamSource.class.equals(clazz) || Source.class.equals(clazz)) {
+- ByteArrayInputStream bis = transformToByteArrayInputStream(source);
+- return (T) new StreamSource(bis);
+- }
+- else {
+- throw new HttpMessageConversionException("Could not read class [" + clazz +
+- "]. Only DOMSource, SAXSource, and StreamSource are supported.");
++ catch (TransformerException ex) {
++ // ignore
+ }
+ }
+- catch (TransformerException ex) {
+- throw new HttpMessageNotReadableException("Could not transform from [" + source + "] to [" + clazz + "]",
+- ex);
+- }
+- }
+-
+- private ByteArrayInputStream transformToByteArrayInputStream(Source source) throws TransformerException {
+- ByteArrayOutputStream bos = new ByteArrayOutputStream();
+- transform(source, new StreamResult(bos));
+- return new ByteArrayInputStream(bos.toByteArray());
++ return null;
+ }
+
+- @Override
+- protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOException {
++ @Override
++ protected void writeInternal(T t, HttpOutputMessage outputMessage)
++ throws IOException, HttpMessageNotWritableException {
+ try {
++ Result result = new StreamResult(outputMessage.getBody());
+ transform(t, result);
+ }
+ catch (TransformerException ex) {
+- throw new HttpMessageNotWritableException("Could not transform [" + t + "] to [" + result + "]", ex);
++ throw new HttpMessageNotWritableException("Could not transform [" + t + "] to output message", ex);
++ }
++ }
++
++ private void transform(Source source, Result result) throws TransformerException {
++ this.transformerFactory.newTransformer().transform(source, result);
++ }
++
++
++ private static class CountingOutputStream extends OutputStream {
++
++ private long count = 0;
++
++ @Override
++ public void write(int b) throws IOException {
++ count++;
++ }
++
++ @Override
++ public void write(byte[] b) throws IOException {
++ count += b.length;
++ }
++
++ @Override
++ public void write(byte[] b, int off, int len) throws IOException {
++ count += len;
+ }
+ }
+
+diff --git a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
+index bb20f8a..8d47c22 100644
+--- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
++++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2010 the original author or authors.
++ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -16,35 +16,60 @@
+
+ package org.springframework.http.converter.xml;
+
++import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
++import static org.junit.Assert.*;
++import static org.junit.Assert.assertNotEquals;
++
++import java.io.IOException;
++import java.io.InputStream;
+ import java.io.InputStreamReader;
++import java.io.StringReader;
+ import java.nio.charset.Charset;
++
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.stream.XMLStreamException;
++import javax.xml.stream.XMLStreamReader;
+ import javax.xml.transform.Source;
+ import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.sax.SAXSource;
++import javax.xml.transform.stax.StAXSource;
+ import javax.xml.transform.stream.StreamSource;
+
+-import static org.custommonkey.xmlunit.XMLAssert.*;
+ import org.junit.Before;
+ import org.junit.Test;
+-import org.w3c.dom.Document;
+-import org.w3c.dom.Element;
+-import org.xml.sax.InputSource;
+
++import org.springframework.core.io.ClassPathResource;
++import org.springframework.core.io.Resource;
+ import org.springframework.http.MediaType;
+ import org.springframework.http.MockHttpInputMessage;
+ import org.springframework.http.MockHttpOutputMessage;
+ import org.springframework.util.FileCopyUtils;
++import org.w3c.dom.Document;
++import org.w3c.dom.Element;
++import org.xml.sax.InputSource;
++import org.xml.sax.SAXException;
++import org.xml.sax.XMLReader;
++import org.xml.sax.helpers.DefaultHandler;
+
+-/** @author Arjen Poutsma */
+- at SuppressWarnings("unchecked")
++/**
++ * @author Arjen Poutsma
++ */
+ public class SourceHttpMessageConverterTests {
+
++ private static final String BODY = "<root>Hello World</root>";
++
+ private SourceHttpMessageConverter<Source> converter;
+
++ private String bodyExternal;
++
+ @Before
+- public void setUp() {
++ public void setUp() throws IOException {
+ converter = new SourceHttpMessageConverter<Source>();
++ Resource external = new ClassPathResource("external.txt", getClass());
++
++ bodyExternal = "<!DOCTYPE root [" +
++ " <!ELEMENT root ANY >\n" +
++ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]><root>&ext;</root>";
+ }
+
+ @Test
+@@ -62,45 +87,100 @@ public class SourceHttpMessageConverterTests {
+
+ @Test
+ public void readDOMSource() throws Exception {
+- String body = "<root>Hello World</root>";
+- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
++ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
++ DOMSource result = (DOMSource) converter.read(DOMSource.class, inputMessage);
++ Document document = (Document) result.getNode();
++ assertEquals("Invalid result", "root", document.getDocumentElement().getLocalName());
++ }
++
++ @Test
++ public void readDOMSourceExternal() throws Exception {
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
+ DOMSource result = (DOMSource) converter.read(DOMSource.class, inputMessage);
+ Document document = (Document) result.getNode();
+ assertEquals("Invalid result", "root", document.getDocumentElement().getLocalName());
++ assertNotEquals("Invalid result", "Foo Bar", document.getDocumentElement().getTextContent());
+ }
+
+ @Test
+ public void readSAXSource() throws Exception {
+- String body = "<root>Hello World</root>";
+- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
+ SAXSource result = (SAXSource) converter.read(SAXSource.class, inputMessage);
+ InputSource inputSource = result.getInputSource();
+ String s = FileCopyUtils.copyToString(new InputStreamReader(inputSource.getByteStream()));
+- assertXMLEqual("Invalid result", body, s);
++ assertXMLEqual("Invalid result", BODY, s);
+ }
+
+ @Test
++ public void readSAXSourceExternal() throws Exception {
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
++ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
++ SAXSource result = (SAXSource) converter.read(SAXSource.class, inputMessage);
++ InputSource inputSource = result.getInputSource();
++ XMLReader reader = result.getXMLReader();
++ reader.setContentHandler(new DefaultHandler() {
++ @Override
++ public void characters(char[] ch, int start, int length) throws SAXException {
++ String s = new String(ch, start, length);
++ assertNotEquals("Invalid result", "Foo Bar", s);
++ }
++ });
++ reader.parse(inputSource);
++ }
++
++ @Test
++ public void readStAXSource() throws Exception {
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
++ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
++ StAXSource result = (StAXSource) converter.read(StAXSource.class, inputMessage);
++ XMLStreamReader streamReader = result.getXMLStreamReader();
++ assertTrue(streamReader.hasNext());
++ streamReader.nextTag();
++ String s = streamReader.getLocalName();
++ assertEquals("root", s);
++ s = streamReader.getElementText();
++ assertEquals("Hello World", s);
++ streamReader.close();
++ }
++
++ @Test
++ public void readStAXSourceExternal() throws Exception {
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8"));
++ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
++ StAXSource result = (StAXSource) converter.read(StAXSource.class, inputMessage);
++ XMLStreamReader streamReader = result.getXMLStreamReader();
++ assertTrue(streamReader.hasNext());
++ streamReader.next();
++ streamReader.next();
++ String s = streamReader.getLocalName();
++ assertEquals("root", s);
++ s = streamReader.getElementText();
++ assertNotEquals("Foo Bar", s);
++ streamReader.close();
++ }
++
++
++ @Test
+ public void readStreamSource() throws Exception {
+- String body = "<root>Hello World</root>";
+- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
+ StreamSource result = (StreamSource) converter.read(StreamSource.class, inputMessage);
+ String s = FileCopyUtils.copyToString(new InputStreamReader(result.getInputStream()));
+- assertXMLEqual("Invalid result", body, s);
++ assertXMLEqual("Invalid result", BODY, s);
+ }
+
+ @Test
+ public void readSource() throws Exception {
+- String body = "<root>Hello World</root>";
+- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8"));
++ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8"));
+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml"));
+ converter.read(Source.class, inputMessage);
+ }
+
+ @Test
+- public void write() throws Exception {
++ public void writeDOMSource() throws Exception {
+ DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setNamespaceAware(true);
+ Document document = documentBuilderFactory.newDocumentBuilder().newDocument();
+@@ -115,7 +195,34 @@ public class SourceHttpMessageConverterTests {
+ outputMessage.getBodyAsString(Charset.forName("UTF-8")));
+ assertEquals("Invalid content-type", new MediaType("application", "xml"),
+ outputMessage.getHeaders().getContentType());
++ assertEquals("Invalid content-length", outputMessage.getBodyAsBytes().length,
++ outputMessage.getHeaders().getContentLength());
+ }
+
++ @Test
++ public void writeSAXSource() throws Exception {
++ String xml = "<root>Hello World</root>";
++ SAXSource saxSource = new SAXSource(new InputSource(new StringReader(xml)));
++
++ MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
++ converter.write(saxSource, null, outputMessage);
++ assertXMLEqual("Invalid result", "<root>Hello World</root>",
++ outputMessage.getBodyAsString(Charset.forName("UTF-8")));
++ assertEquals("Invalid content-type", new MediaType("application", "xml"),
++ outputMessage.getHeaders().getContentType());
++ }
++
++ @Test
++ public void writeStreamSource() throws Exception {
++ String xml = "<root>Hello World</root>";
++ StreamSource streamSource = new StreamSource(new StringReader(xml));
++
++ MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
++ converter.write(streamSource, null, outputMessage);
++ assertXMLEqual("Invalid result", "<root>Hello World</root>",
++ outputMessage.getBodyAsString(Charset.forName("UTF-8")));
++ assertEquals("Invalid content-type", new MediaType("application", "xml"),
++ outputMessage.getHeaders().getContentType());
++ }
+
+ }
+diff --git a/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt b/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt
+new file mode 100644
+index 0000000..76c7ac2
+--- /dev/null
++++ b/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt
+@@ -0,0 +1 @@
++Foo Bar
diff --git a/debian/patches/CVE-2013-6430.patch b/debian/patches/CVE-2013-6430.patch
new file mode 100644
index 0000000..7c4c362
--- /dev/null
+++ b/debian/patches/CVE-2013-6430.patch
@@ -0,0 +1,151 @@
+From: Markus Koschany <apo at gambaru.de>
+Date: Thu, 23 Jan 2014 00:03:13 +0100
+Subject: CVE-2013-6430
+
+Bug: http://bugs.debian.org/735420
+---
+ .../springframework/web/util/JavaScriptUtils.java | 35 ++++++++---
+ .../web/util/JavaScriptUtilsTests.java | 67 ++++++++++++++++++++++
+ 2 files changed, 95 insertions(+), 7 deletions(-)
+ create mode 100644 projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java
+
+diff --git a/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java b/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java
+index b28d398..861b46f 100644
+--- a/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java
++++ b/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright 2002-2008 the original author or authors.
++ * Copyright 2002-2013 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+@@ -21,21 +21,21 @@ package org.springframework.web.util;
+ * Escapes based on the JavaScript 1.5 recommendation.
+ *
+ * <p>Reference:
+- * <a href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Literals#String_Literals">
+- * Core JavaScript 1.5 Guide
+- * </a>
++ * <a href="https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Values,_variables,_and_literals#String_literals">
++ * JavaScript Guide</a> on Mozilla Developer Network.
+ *
+ * @author Juergen Hoeller
+ * @author Rob Harrop
++ * @author Rossen Stoyanchev
+ * @since 1.1.1
+ */
+ public class JavaScriptUtils {
+
+ /**
+- * Turn special characters into escaped characters conforming to JavaScript.
+- * Handles complete character set defined in HTML 4.01 recommendation.
++ * Turn JavaScript special characters into escaped characters.
++ *
+ * @param input the input string
+- * @return the escaped string
++ * @return the string with escaped characters
+ */
+ public static String javaScriptEscape(String input) {
+ if (input == null) {
+@@ -73,6 +73,27 @@ public class JavaScriptUtils {
+ else if (c == '\f') {
+ filtered.append("\\f");
+ }
++ else if (c == '\b') {
++ filtered.append("\\b");
++ }
++ // No '\v' in Java, use octal value for VT ascii char
++ else if (c == '\013') {
++ filtered.append("\\v");
++ }
++ else if (c == '<') {
++ filtered.append("\\u003C");
++ }
++ else if (c == '>') {
++ filtered.append("\\u003E");
++ }
++ // Unicode for PS (line terminator in ECMA-262)
++ else if (c == '\u2028') {
++ filtered.append("\\u2028");
++ }
++ // Unicode for LS (line terminator in ECMA-262)
++ else if (c == '\u2029') {
++ filtered.append("\\u2029");
++ }
+ else {
+ filtered.append(c);
+ }
+diff --git a/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java b/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java
+new file mode 100644
+index 0000000..182f18e
+--- /dev/null
++++ b/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java
+@@ -0,0 +1,67 @@
++/*
++ * Copyright 2004-2013 the original author or authors.
++ *
++ * Licensed under the Apache License, Version 2.0 (the "License");
++ * you may not use this file except in compliance with the License.
++ * You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++
++package org.springframework.web.util;
++
++import static org.junit.Assert.*;
++
++import java.io.UnsupportedEncodingException;
++
++import org.junit.Test;
++
++/**
++ * Test fixture for {@link JavaScriptUtils}.
++ *
++ * @author Rossen Stoyanchev
++ */
++public class JavaScriptUtilsTests {
++
++ @Test
++ public void escape() {
++ StringBuilder sb = new StringBuilder();
++ sb.append('"');
++ sb.append("'");
++ sb.append("\\");
++ sb.append("/");
++ sb.append("\t");
++ sb.append("\n");
++ sb.append("\r");
++ sb.append("\f");
++ sb.append("\b");
++ sb.append("\013");
++ assertEquals("\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v", JavaScriptUtils.javaScriptEscape(sb.toString()));
++ }
++
++ // SPR-9983
++
++ @Test
++ public void escapePsLsLineTerminators() {
++ StringBuilder sb = new StringBuilder();
++ sb.append('\u2028');
++ sb.append('\u2029');
++ String result = JavaScriptUtils.javaScriptEscape(sb.toString());
++
++ assertEquals("\\u2028\\u2029", result);
++ }
++
++ // SPR-9983
++
++ @Test
++ public void escapeLessThanGreaterThanSigns() throws UnsupportedEncodingException {
++ assertEquals("\\u003C\\u003E", JavaScriptUtils.javaScriptEscape("<>"));
++ }
++
++}
diff --git a/debian/patches/series b/debian/patches/series
index 533ec80..c989a84 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,3 +10,5 @@
0010_velocity_17.diff
0011-java7-compat.patch
Add-processExternalEntities-to-JAXB2Marshaller.patch
+CVE-2013-6429.patch
+CVE-2013-6430.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libspring-java.git
More information about the pkg-java-commits
mailing list