[libspring-java] 01/01: Fix CVE-2014-0054 and CVE-2014-1904
Miguel Landaeta
nomadium at moszumanska.debian.org
Mon Mar 24 20:57:08 UTC 2014
nomadium pushed a commit to branch master
in repository libspring-java.
commit b427b789df529f4766a7cfc4a78a9f3a9f6c168b
Author: Miguel Landaeta <nomadium at debian.org>
Date: Mon Mar 24 17:01:01 2014 -0300
Fix CVE-2014-0054 and CVE-2014-1904
---
debian/changelog | 8 +-
debian/patches/CVE-2014-0054.patch | 553 +++++--------------------------------
debian/patches/CVE-2014-1904.patch | 62 +----
debian/patches/series | 2 +-
4 files changed, 83 insertions(+), 542 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 40ad7e8..5c5d2f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,8 @@
-libspring-java (3.0.6.RELEASE-13) UNRELEASED; urgency=high
+libspring-java (3.0.6.RELEASE-13) unstable; urgency=high
- TO-DO: the patches doesn't apply cleanly.
+ * Fix CVE-2014-0054 and CVE-2014-1904. (Closes: #741604).
- * Fix CVE-2014-0054 and CVE-2014-1904. (Closes: #735420).
-
- -- Miguel Landaeta <nomadium at debian.org> Mon, 24 Mar 2014 14:10:52 -0300
+ -- Miguel Landaeta <nomadium at debian.org> Mon, 24 Mar 2014 17:10:32 -0300
libspring-java (3.0.6.RELEASE-12) unstable; urgency=low
diff --git a/debian/patches/CVE-2014-0054.patch b/debian/patches/CVE-2014-0054.patch
index 4ee51a7..dcb9faa 100644
--- a/debian/patches/CVE-2014-0054.patch
+++ b/debian/patches/CVE-2014-0054.patch
@@ -1,15 +1,14 @@
From: Miguel Landaeta <nomadium at debian.org>
-Date: Mon, 24 Mar 2014 14:10:00 -0300
-Subject: CVE-2013-6429
+Date: Mon, 24 Mar 2014 16:57:19 -0300
+Subject: CVE-2014-0054
Bug: http://bugs.debian.org/741604
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-index adc403c..4189c0e 100644
-./projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+index 871075f..fea0519 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-@@ -162,6 +162,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
+@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
this.encoding = encoding;
}
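Review bot: The retitled `Subject: CVE-2014-0054` at the top of this hunk does not match what the rewritten patch body carries: everything that follows (CastorMarshaller, Jaxb2Marshaller, JibxMarshaller, AbstractMarshaller, XStreamMarshaller, SourceHttpMessageConverter) is the OXM/external-entity hardening that upstream tracked as CVE-2013-6429, the id the old Subject line had, while the Jaxb2RootElementHttpMessageConverter.processSource() change, which as far as I recall the advisories is the actual CVE-2014-0054 fix, is dropped from the patch by the last hunk of this diff (the removed Jaxb2RootElementHttpMessageConverter section, copyright 2002-2010, so the file does exist in the 3.0.6 tree). Unless that part moved into another patch in `debian/patches/series`, the 3.0.6.RELEASE-13 changelog claim of fixing CVE-2014-0054 would be inaccurate and the XXE path through that converter stays open, so I would either restore that section or make the header honest, e.g. `Subject: CVE-2013-6429, partial CVE-2014-0054: do not resolve external entities in OXM unmarshallers`. While touching the header, use the DEP-3 field `Bug-Debian: http://bugs.debian.org/741604` instead of `Bug:`, which DEP-3 reserves for the upstream tracker.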
@@ -19,13 +18,13 @@ index adc403c..4189c0e 100644
+ }
+
/**
- * Set the locations of the Castor XML mapping files.
+ * Set the locations of the Castor XML Mapping files.
*/
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-index 0837695..93fa1a4 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 1b3412d..37d7937 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-+++ b/projects/org.springframework.oxmsrc/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-@@ -400,6 +400,13 @@ public class Jaxb2Marshaller implements MimeMarshaller, MimeUnmarshaller, Generi
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -317,6 +317,13 @@ public class Jaxb2Marshaller
this.processExternalEntities = processExternalEntities;
}
@@ -36,16 +35,16 @@ index 0837695..93fa1a4 100644
+ return this.processExternalEntities;
+ }
+
- @Override
public void setBeanClassLoader(ClassLoader classLoader) {
this.beanClassLoader = classLoader;
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
-index b184560..715ef4e 100644
+ }
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+index 5d6a053..0de00b2 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
@@ -1,5 +1,5 @@
/*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -58,7 +57,7 @@ index b184560..715ef4e 100644
import javax.xml.transform.Result;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
-@@ -149,6 +150,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
this.encoding = encoding;
}
@@ -70,7 +69,7 @@ index b184560..715ef4e 100644
/**
* Set the document standalone flag for marshalling. By default, this flag is not present.
*/
-@@ -338,7 +344,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
}
catch (TransformerException ex) {
throw new MarshallingFailureException(
@@ -79,7 +78,7 @@ index b184560..715ef4e 100644
}
}
-@@ -398,7 +404,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
@Override
protected Object unmarshalDomNode(Node node) throws XmlMappingException {
try {
@@ -88,10 +87,10 @@ index b184560..715ef4e 100644
}
catch (IOException ex) {
throw new UnmarshallingFailureException("JiBX unmarshalling exception", ex);
-@@ -409,12 +415,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ @Override
protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource)
throws XmlMappingException, IOException {
-
- return transformAndUnmarshal(new SAXSource(xmlReader, inputSource));
+ return transformAndUnmarshal(new SAXSource(xmlReader, inputSource), inputSource.getEncoding());
}
@@ -99,14 +98,14 @@ index b184560..715ef4e 100644
- private Object transformAndUnmarshal(Source source) throws IOException {
+ private Object transformAndUnmarshal(Source source, String encoding) throws IOException {
try {
- Transformer transformer = this.transformerFactory.newTransformer();
+ Transformer transformer = transformerFactory.newTransformer();
+ if (encoding != null) {
+ transformer.setOutputProperty(OutputKeys.ENCODING, encoding);
+ }
ByteArrayOutputStream os = new ByteArrayOutputStream();
transformer.transform(source, new StreamResult(os));
ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());
-@@ -422,7 +431,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
}
catch (TransformerException ex) {
throw new MarshallingFailureException(
@@ -115,13 +114,13 @@ index b184560..715ef4e 100644
}
}
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-index a118775..2df808e 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+index cee37bb..09bc006 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
@@ -1,5 +1,5 @@
/*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
@@ -160,8 +159,8 @@ index a118775..2df808e 100644
+
/**
- * Marshals the object graph with the given root into the provided {@code javax.xml.transform.Result}.
-@@ -133,7 +161,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ * Marshals the object graph with the given root into the provided <code>javax.xml.transform.Result</code>.
+@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
return unmarshalSaxSource((SAXSource) source);
}
else if (source instanceof StreamSource) {
@@ -170,7 +169,7 @@ index a118775..2df808e 100644
}
else {
throw new IllegalArgumentException("Unknown Source type: " + source.getClass());
-@@ -175,7 +203,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
* @throws SAXException if thrown by JAXP methods
*/
protected XMLReader createXmlReader() throws SAXException {
@@ -181,7 +180,7 @@ index a118775..2df808e 100644
}
-@@ -358,8 +388,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
}
/**
@@ -215,27 +214,27 @@ index a118775..2df808e 100644
+ }
+
+ /**
- * Template method for handling {@code StreamSource}s.
- * <p>This implementation defers to {@code unmarshalInputStream} or {@code unmarshalReader}.
+ * Template method for handling <code>StreamSource</code>s.
+ * <p>This implementation defers to <code>unmarshalInputStream</code> or <code>unmarshalReader</code>.
+ * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from
+ * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked instead is
+ * {@link #unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}.
+ *
- * @param streamSource the {@code StreamSource}
+ * @param streamSource the <code>StreamSource</code>
* @return the object graph
* @throws IOException if an I/O exception occurs
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
-index 1fd4940..b3bb5cf 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+index eb5a6e6..9f06b35 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
@@ -1,5 +1,5 @@
/*
-- * Copyright 2002-2012 the original author or authors.
+- * Copyright 2002-2009 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
-@@ -113,6 +113,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
+@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
return this.validating;
}
@@ -246,11 +245,11 @@ index 1fd4940..b3bb5cf 100644
/**
* This implementation returns true if the given class is an implementation of {@link XmlObject}.
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-index de42e5b..52c121e 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+index d6521ff..efa9403 100644
--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-@@ -27,11 +27,9 @@ import java.lang.reflect.Constructor;
+@@ -26,11 +26,9 @@ import java.io.Writer;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
@@ -263,9 +262,9 @@ index de42e5b..52c121e 100644
+import javax.xml.transform.stax.StAXSource;
+import javax.xml.transform.stream.StreamSource;
- import com.thoughtworks.xstream.MarshallingStrategy;
import com.thoughtworks.xstream.XStream;
-@@ -342,6 +340,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+ import com.thoughtworks.xstream.converters.ConversionException;
+@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
this.encoding = encoding;
}
@@ -277,7 +276,7 @@ index de42e5b..52c121e 100644
/**
* Set the classes supported by this marshaller.
* <p>If this property is empty (the default), all classes are supported.
-@@ -701,6 +704,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
// Unmarshalling
@Override
@@ -291,452 +290,30 @@ index de42e5b..52c121e 100644
protected Object unmarshalDomNode(Node node) throws XmlMappingException {
HierarchicalStreamReader streamReader;
if (node instanceof Document) {
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-index 5856408..5500642 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -19,6 +19,8 @@ package org.springframework.oxm.castor;
- import java.io.ByteArrayInputStream;
- import java.io.IOException;
- import java.io.StringReader;
-+import java.util.concurrent.atomic.AtomicReference;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamSource;
-
- import org.junit.Ignore;
-@@ -28,9 +30,13 @@ import org.springframework.core.io.ClassPathResource;
- import org.springframework.oxm.AbstractUnmarshallerTests;
- import org.springframework.oxm.MarshallingException;
- import org.springframework.oxm.Unmarshaller;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.XMLReader;
-
-+import static junit.framework.Assert.assertNotNull;
- import static org.hamcrest.CoreMatchers.*;
- import static org.junit.Assert.*;
-+import static org.junit.Assert.assertEquals;
-
- /**
- * @author Arjen Poutsma
-@@ -203,4 +209,59 @@ public class CastorUnmarshallerTests extends AbstractUnmarshallerTests {
- StreamSource source = new StreamSource(new StringReader(xml));
- return unmarshaller.unmarshal(source);
- }
-+
-+ @Test
-+ public void unmarshalStreamSourceExternalEntities() throws Exception {
-+
-+ final AtomicReference<XMLReader> result = new AtomicReference<XMLReader>();
-+ CastorMarshaller marshaller = new CastorMarshaller() {
-+ @Override
-+ protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource) {
-+ result.set(xmlReader);
-+ return null;
-+ }
-+ };
-+
-+ // 1. external-general-entities disabled (default)
-+
-+ marshaller.unmarshal(new StreamSource("1"));
-+ assertNotNull(result.get());
-+ assertEquals(false, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+ // 2. external-general-entities disabled (default)
-+
-+ result.set(null);
-+ marshaller.setProcessExternalEntities(true);
-+ marshaller.unmarshal(new StreamSource("1"));
-+ assertNotNull(result.get());
-+ assertEquals(true, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+ }
-+
-+ @Test
-+ public void unmarshalSaxSourceExternalEntities() throws Exception {
-+
-+ final AtomicReference<XMLReader> result = new AtomicReference<XMLReader>();
-+ CastorMarshaller marshaller = new CastorMarshaller() {
-+ @Override
-+ protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource) {
-+ result.set(xmlReader);
-+ return null;
-+ }
-+ };
-+
-+ // 1. external-general-entities disabled (default)
-+
-+ marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+ assertNotNull(result.get());
-+ assertEquals(false, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+ // 2. external-general-entities disabled (default)
-+
-+ result.set(null);
-+ marshaller.setProcessExternalEntities(true);
-+ marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+ assertNotNull(result.get());
-+ assertEquals(true, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+ }
-+
- }
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-index af99408..921a4b2 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -31,9 +31,12 @@ import javax.xml.bind.annotation.XmlType;
- import javax.xml.namespace.QName;
- import javax.xml.transform.Result;
- import javax.xml.transform.sax.SAXResult;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamResult;
-+import javax.xml.transform.stream.StreamSource;
-
- import org.junit.Test;
-+import org.mockito.ArgumentCaptor;
- import org.mockito.InOrder;
- import org.springframework.core.io.ClassPathResource;
- import org.springframework.core.io.Resource;
-@@ -47,9 +50,7 @@ import org.springframework.oxm.jaxb.test.ObjectFactory;
- import org.springframework.oxm.mime.MimeContainer;
- import org.springframework.util.FileCopyUtils;
- import org.springframework.util.ReflectionUtils;
--import org.xml.sax.Attributes;
--import org.xml.sax.ContentHandler;
--import org.xml.sax.Locator;
-+import org.xml.sax.*;
-
- import static org.junit.Assert.*;
- import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
-@@ -289,7 +290,7 @@ public class Jaxb2MarshallerTests extends AbstractMarshallerTests {
- public void marshalAWrappedObjectHoldingAnXmlElementDeclElement() throws Exception {
- // SPR-10714
- marshaller = new Jaxb2Marshaller();
-- marshaller.setPackagesToScan(new String[] { "org.springframework.oxm.jaxb" });
-+ marshaller.setPackagesToScan(new String[]{"org.springframework.oxm.jaxb"});
- marshaller.afterPropertiesSet();
- Airplane airplane = new Airplane();
- airplane.setName("test");
-@@ -300,6 +301,75 @@ public class Jaxb2MarshallerTests extends AbstractMarshallerTests {
- writer.toString(), "<airplane><name>test</name></airplane>");
- }
-
-+ // SPR-10806
-+
-+ @Test
-+ public void unmarshalStreamSourceExternalEntities() throws Exception {
-+
-+ final javax.xml.bind.Unmarshaller unmarshaller = mock(javax.xml.bind.Unmarshaller.class);
-+ Jaxb2Marshaller marshaller = new Jaxb2Marshaller() {
-+ @Override
-+ protected javax.xml.bind.Unmarshaller createUnmarshaller() {
-+ return unmarshaller;
-+ }
-+ };
-+
-+ // 1. external-general-entities disabled (default)
-+
-+ marshaller.unmarshal(new StreamSource("1"));
-+ ArgumentCaptor<SAXSource> sourceCaptor = ArgumentCaptor.forClass(SAXSource.class);
-+ verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+ SAXSource result = sourceCaptor.getValue();
-+ assertEquals(false, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+ // 2. external-general-entities enabled
-+
-+ reset(unmarshaller);
-+ marshaller.setProcessExternalEntities(true);
-+
-+ marshaller.unmarshal(new StreamSource("1"));
-+ verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+ result = sourceCaptor.getValue();
-+ assertEquals(true, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+ }
-+
-+ // SPR-10806
-+
-+ @Test
-+ public void unmarshalSaxSourceExternalEntities() throws Exception {
-+
-+ final javax.xml.bind.Unmarshaller unmarshaller = mock(javax.xml.bind.Unmarshaller.class);
-+ Jaxb2Marshaller marshaller = new Jaxb2Marshaller() {
-+ @Override
-+ protected javax.xml.bind.Unmarshaller createUnmarshaller() {
-+ return unmarshaller;
-+ }
-+ };
-+
-+ // 1. external-general-entities disabled (default)
-+
-+ marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+ ArgumentCaptor<SAXSource> sourceCaptor = ArgumentCaptor.forClass(SAXSource.class);
-+ verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+ SAXSource result = sourceCaptor.getValue();
-+ assertEquals(false, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+ // 2. external-general-entities enabled
-+
-+ reset(unmarshaller);
-+ marshaller.setProcessExternalEntities(true);
-+
-+ marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+ verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+ result = sourceCaptor.getValue();
-+ assertEquals(true, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+ }
-+
-+
- @XmlRootElement
- @SuppressWarnings("unused")
- public static class DummyRootElement {
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-index 14ab19c..f7d26af 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-@@ -16,21 +16,34 @@
-
- package org.springframework.oxm.jibx;
-
-+import java.io.IOException;
- import java.io.StringWriter;
-+import java.util.concurrent.atomic.AtomicReference;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamResult;
-+import javax.xml.transform.stream.StreamSource;
-
- import org.custommonkey.xmlunit.XMLUnit;
- import org.junit.BeforeClass;
- import org.junit.Test;
-
-+import org.mockito.ArgumentCaptor;
- import org.springframework.oxm.AbstractMarshallerTests;
- import org.springframework.oxm.Marshaller;
-+import org.springframework.oxm.XmlMappingException;
-+import org.springframework.oxm.jaxb.Jaxb2Marshaller;
- import org.springframework.tests.Assume;
- import org.springframework.tests.TestGroup;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.XMLReader;
-
- import static org.custommonkey.xmlunit.XMLAssert.*;
-+import static org.junit.Assert.assertEquals;
- import static org.junit.Assert.assertFalse;
- import static org.junit.Assert.assertTrue;
-+import static org.mockito.Mockito.mock;
-+import static org.mockito.Mockito.reset;
-+import static org.mockito.Mockito.verify;
-
- /**
- * @author Arjen Poutsma
-@@ -107,5 +120,4 @@ public class JibxMarshallerTests extends AbstractMarshallerTests {
- assertFalse("JibxMarshaller supports illegal type", marshaller.supports(getClass()));
- }
-
--
- }
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-index b1e460d..5ceeab2 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-@@ -28,7 +28,9 @@ import org.springframework.oxm.Unmarshaller;
- import org.springframework.tests.Assume;
- import org.springframework.tests.TestGroup;
-
--import static org.junit.Assert.*;
-+import static org.junit.Assert.assertEquals;
-+import static org.junit.Assert.assertNotNull;
-+
-
- /**
- * @author Arjen Poutsma
-diff --git a/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-index 676f6d6..ad8d7d9 100644
---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -28,6 +28,9 @@ import javax.xml.bind.annotation.XmlRootElement;
- import javax.xml.bind.annotation.XmlType;
- import javax.xml.transform.Result;
- import javax.xml.transform.Source;
-+import javax.xml.transform.dom.DOMSource;
-+import javax.xml.transform.sax.SAXSource;
-+import javax.xml.transform.stream.StreamSource;
-
- import org.springframework.core.annotation.AnnotationUtils;
- import org.springframework.http.HttpHeaders;
-@@ -36,6 +39,11 @@ import org.springframework.http.converter.HttpMessageConversionException;
- import org.springframework.http.converter.HttpMessageNotReadableException;
- import org.springframework.http.converter.HttpMessageNotWritableException;
- import org.springframework.util.ClassUtils;
-+import org.springframework.util.xml.StaxUtils;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.XMLReader;
-+import org.xml.sax.helpers.XMLReaderFactory;
-
- /**
- * Implementation of {@link org.springframework.http.converter.HttpMessageConverter HttpMessageConverter} that can read
-@@ -49,6 +57,17 @@ import org.springframework.util.ClassUtils;
- */
- public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessageConverter<Object> {
-
-+ private boolean processExternalEntities = false;
-+
-+
-+ /**
-+ * Indicates whether external XML entities are processed when converting to a Source.
-+ * <p>Default is {@code false}, meaning that external entities are not resolved.
-+ */
-+ public void setProcessExternalEntities(boolean processExternalEntities) {
-+ this.processExternalEntities = processExternalEntities;
-+ }
-+
- @Override
- public boolean canRead(Class<?> clazz, MediaType mediaType) {
- return (clazz.isAnnotationPresent(XmlRootElement.class) || clazz.isAnnotationPresent(XmlType.class)) &&
-@@ -69,6 +88,7 @@ public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessa
- @Override
- protected Object readFromSource(Class<?> clazz, HttpHeaders headers, Source source) throws IOException {
- try {
-+ source = processSource(source);
- Unmarshaller unmarshaller = createUnmarshaller(clazz);
- if (clazz.isAnnotationPresent(XmlRootElement.class)) {
- return unmarshaller.unmarshal(source);
-@@ -87,6 +107,26 @@ public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessa
- }
- }
-
-+ protected Source processSource(Source source) {
-+ if (source instanceof StreamSource) {
-+ StreamSource streamSource = (StreamSource) source;
-+ InputSource inputSource = new InputSource(streamSource.getInputStream());
-+ try {
-+ XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-+ String featureName = "http://xml.org/sax/features/external-general-entities";
-+ xmlReader.setFeature(featureName, this.processExternalEntities);
-+ return new SAXSource(xmlReader, inputSource);
-+ }
-+ catch (SAXException ex) {
-+ logger.warn("Processing of external entities could not be disabled", ex);
-+ return source;
-+ }
-+ }
-+ else {
-+ return source;
-+ }
-+ }
-+
- @Override
- protected void writeToResult(Object o, HttpHeaders headers, Result result) throws IOException {
- try {
-diff --git a/spring-web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-index e970450..ec7daec 100644
+diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+index 15b7d8e..3126ca4 100644
--- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-@@ -95,6 +95,12 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
- this.processExternalEntities = processExternalEntities;
- }
-
-+ /**
-+ * @return the configured value for whether XML external entities are allowed.
-+ */
-+ public boolean isProcessExternalEntities() {
-+ return this.processExternalEntities;
-+ }
-
- @Override
+@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+ this.processExternalEntities = processExternalEntities;
+ }
+
++ /**
++ * @return the configured value for whether XML external entities are allowed.
++ */
++ public boolean isProcessExternalEntities() {
++ return this.processExternalEntities;
++ }
++
+ @Override
public boolean supports(Class<?> clazz) {
-@@ -159,8 +165,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
- private Source readStAXSource(InputStream body) {
- try {
- XMLInputFactory inputFactory = XMLInputFactory.newFactory();
-- inputFactory.setProperty(
-- "javax.xml.stream.isSupportingExternalEntities", this.processExternalEntities);
-+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
- XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
- return new StAXSource(streamReader);
- }
-diff --git a/spring-web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java b/spring-web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-index 30b7cc0..fe1e392 100644
---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-@@ -32,9 +32,13 @@ import org.junit.Test;
- import org.springframework.aop.framework.AdvisedSupport;
- import org.springframework.aop.framework.AopProxy;
- import org.springframework.aop.framework.DefaultAopProxyFactory;
-+import org.springframework.core.io.ClassPathResource;
-+import org.springframework.core.io.Resource;
- import org.springframework.http.MediaType;
- import org.springframework.http.MockHttpInputMessage;
- import org.springframework.http.MockHttpOutputMessage;
-+import org.springframework.http.converter.HttpMessageNotReadableException;
-+import org.xml.sax.SAXParseException;
-
- /** @author Arjen Poutsma */
- public class Jaxb2RootElementHttpMessageConverterTests {
-@@ -96,6 +100,33 @@ public class Jaxb2RootElementHttpMessageConverterTests {
- }
-
- @Test
-+ public void readXmlRootElementExternalEntityDisabled() throws Exception {
-+ Resource external = new ClassPathResource("external.txt", getClass());
-+ String content = "<!DOCTYPE root [" +
-+ " <!ELEMENT external ANY >\n" +
-+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
-+ " <rootElement><external>&ext;</external></rootElement>";
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
-+ RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage);
-+
-+ assertEquals("", rootElement.external);
-+ }
-+
-+ @Test
-+ public void readXmlRootElementExternalEntityEnabled() throws Exception {
-+ Resource external = new ClassPathResource("external.txt", getClass());
-+ String content = "<!DOCTYPE root [" +
-+ " <!ELEMENT external ANY >\n" +
-+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
-+ " <rootElement><external>&ext;</external></rootElement>";
-+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
-+ this.converter.setProcessExternalEntities(true);
-+ RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage);
-+
-+ assertEquals("Foo Bar", rootElement.external);
-+ }
-+
-+ @Test
- public void writeXmlRootElement() throws Exception {
- MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
- converter.write(rootElement, null, outputMessage);
-@@ -120,6 +151,9 @@ public class Jaxb2RootElementHttpMessageConverterTests {
-
- private Type type = new Type();
-
-+ @XmlElement(required=false)
-+ public String external;
-+
- public Type getType() {
- return this.type;
- }
+ return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
+@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+ private Source readStAXSource(InputStream body) {
+ try {
+ XMLInputFactory inputFactory = XMLInputFactory.newFactory();
+- inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
++ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
+ XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
+ return StaxUtils.createStaxSource(streamReader);
+ }
diff --git a/debian/patches/CVE-2014-1904.patch b/debian/patches/CVE-2014-1904.patch
index e59e02d..d9274d1 100644
--- a/debian/patches/CVE-2014-1904.patch
+++ b/debian/patches/CVE-2014-1904.patch
@@ -1,37 +1,36 @@
From: Miguel Landaeta <nomadium at debian.org>
-Date: Mon, 24 Mar 2014 14:35:39 -0300
-Subject: CVE-2013-6429
+Date: Mon, 24 Mar 2014 17:07:58 -0300
+Subject: CVE-2014-1904
Bug: http://bugs.debian.org/741604
-diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-index a6aa59c..8c50bde 100644
+diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+index 2e9cc84..b416084 100644
--- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
@@ -1,5 +1,5 @@
/*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
+ * Copyright 2002-2014 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
-@@ -16,6 +16,7 @@
-
- package org.springframework.web.servlet.tags.form;
+@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.jsp.JspException;
+ import javax.servlet.jsp.PageContext;
+import java.io.UnsupportedEncodingException;
- import java.util.Map;
-
- import javax.servlet.ServletRequest;
-@@ -32,6 +33,7 @@ import org.springframework.util.ObjectUtils;
++
+ import org.springframework.beans.PropertyAccessor;
+ import org.springframework.core.Conventions;
+ import org.springframework.util.ObjectUtils;
import org.springframework.util.StringUtils;
- import org.springframework.web.servlet.support.RequestDataValueProcessor;
import org.springframework.web.util.HtmlUtils;
+import org.springframework.web.util.UriUtils;
/**
- * Databinding-aware JSP tag for rendering an HTML '{@code form}' whose
-@@ -442,6 +444,13 @@ public class FormTag extends AbstractHtmlElementTag {
+ * Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
+@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
}
else {
String requestUri = getRequestContext().getRequestUri();
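Review bot: The lines that actually neutralise the request-URI-derived form action are not visible in this hunk: the inner hunk `@@ -397,6 +400,13 @@` stops at the `String requestUri = getRequestContext().getRequestUri();` context line and its seven added lines fall in the gap before the next outer hunk, so what is reviewable here is only the retargeted paths, the copyright context and the two new imports. Please confirm in the full patch that `requestUri` is path-encoded before `response.encodeURL(...)` (the `UriUtils` import suggests `UriUtils.encodePath`) and that the `UnsupportedEncodingException` handler implied by the other new import fails closed instead of emitting the raw URI, since an unescaped `action` attribute is, to my knowledge, the XSS vector CVE-2014-1904 describes. The backport also drops the only regression test for this path (`testDefaultActionEncoded`, removed further down in the same patch file), so the `/a b c` → `/a%20b%20c` expectation should at least be checked by hand on 3.0.6. A style point: `import java.io.UnsupportedEncodingException;` is inserted after the `javax.servlet.jsp` imports; placing it above `java.util.Map` keeps the file's java/javax/org grouping. The FormTag method this hunk patches starts and ends outside the visible lines.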
@@ -45,36 +44,3 @@ index a6aa59c..8c50bde 100644
ServletResponse response = this.pageContext.getResponse();
if (response instanceof HttpServletResponse) {
requestUri = ((HttpServletResponse) response).encodeURL(requestUri);
-diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-index 8fdcc1c..2612761 100644
---- a/projects/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-+++ b/projects/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -340,6 +340,21 @@ public class FormTagTests extends AbstractHtmlElementTagTests {
- assertFormTagClosed(output);
- }
-
-+ public void testDefaultActionEncoded() throws Exception {
-+
-+ this.request.setRequestURI("/a b c");
-+ request.setQueryString("");
-+
-+ this.tag.doStartTag();
-+ this.tag.doEndTag();
-+ this.tag.doFinally();
-+
-+ String output = getOutput();
-+ String formOutput = getFormTag(output);
-+
-+ assertContainsAttribute(formOutput, "action", "/a%20b%20c");
-+ }
-+
- private String getFormTag(String output) {
- int inputStart = output.indexOf("<", 1);
- int inputEnd = output.lastIndexOf(">", output.length() - 2);
diff --git a/debian/patches/series b/debian/patches/series
index 36fe668..be7dad9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,5 +12,5 @@
Add-processExternalEntities-to-JAXB2Marshaller.patch
CVE-2013-6429.patch
CVE-2013-6430.patch
-#CVE-2014-0054.patch
+CVE-2014-0054.patch
CVE-2014-1904.patch