[libspring-java] 01/01: Fix CVE-2014-0054 and CVE-2014-1904

Miguel Landaeta nomadium at moszumanska.debian.org
Mon Mar 24 20:57:08 UTC 2014


This is an automated email from the git hooks/post-receive script.

nomadium pushed a commit to branch master
in repository libspring-java.

commit b427b789df529f4766a7cfc4a78a9f3a9f6c168b
Author: Miguel Landaeta <nomadium at debian.org>
Date:   Mon Mar 24 17:01:01 2014 -0300

    Fix CVE-2014-0054 and CVE-2014-1904
---
 debian/changelog                   |   8 +-
 debian/patches/CVE-2014-0054.patch | 553 +++++--------------------------------
 debian/patches/CVE-2014-1904.patch |  62 +----
 debian/patches/series              |   2 +-
 4 files changed, 83 insertions(+), 542 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 40ad7e8..5c5d2f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,8 @@
-libspring-java (3.0.6.RELEASE-13) UNRELEASED; urgency=high
+libspring-java (3.0.6.RELEASE-13) unstable; urgency=high
 
-  TO-DO: the patches doesn't apply cleanly.
+  * Fix CVE-2014-0054 and CVE-2014-1904. (Closes: #741604).
 
-  * Fix CVE-2014-0054 and CVE-2014-1904. (Closes: #735420).
-
- -- Miguel Landaeta <nomadium at debian.org>  Mon, 24 Mar 2014 14:10:52 -0300
+ -- Miguel Landaeta <nomadium at debian.org>  Mon, 24 Mar 2014 17:10:32 -0300
 
 libspring-java (3.0.6.RELEASE-12) unstable; urgency=low
 
diff --git a/debian/patches/CVE-2014-0054.patch b/debian/patches/CVE-2014-0054.patch
index 4ee51a7..dcb9faa 100644
--- a/debian/patches/CVE-2014-0054.patch
+++ b/debian/patches/CVE-2014-0054.patch
@@ -1,15 +1,14 @@
 From: Miguel Landaeta <nomadium at debian.org>
-Date: Mon, 24 Mar 2014 14:10:00 -0300
-Subject: CVE-2013-6429
+Date: Mon, 24 Mar 2014 16:57:19 -0300
+Subject: CVE-2014-0054
 
 Bug: http://bugs.debian.org/741604
 
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-index adc403c..4189c0e 100644
-./projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+index 871075f..fea0519 100644
 --- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
 +++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-@@ -162,6 +162,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
+@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing
  		this.encoding = encoding;
  	}
  
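Review bot: The DEP-3 header of this patch still names no upstream source for the backport: it carries `From:`, `Date:`, `Subject:` and `Bug:` but no `Origin:` line, so a reader cannot check which upstream spring-framework commit these hunks were taken from, or whether the rebased copy is complete. Add `Origin: backport, <URL of the upstream spring-framework commit>` (and, if appropriate, `Forwarded: not-needed`) under `Subject:`. A one-line `Description:` saying the patch turns off external-entity resolution in the OXM unmarshallers and the XML HTTP message converters would also help the next person who has to rebase it against a new source layout.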
@@ -19,13 +18,13 @@ index adc403c..4189c0e 100644
 +	}
 +
  	/**
- 	 * Set the locations of the Castor XML mapping files.
+ 	 * Set the locations of the Castor XML Mapping files.
  	 */
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-index 0837695..93fa1a4 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 1b3412d..37d7937 100644
 --- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-+++ b/projects/org.springframework.oxmsrc/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-@@ -400,6 +400,13 @@ public class Jaxb2Marshaller implements MimeMarshaller, MimeUnmarshaller, Generi
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -317,6 +317,13 @@ public class Jaxb2Marshaller
  		this.processExternalEntities = processExternalEntities;
  	}
  
@@ -36,16 +35,16 @@ index 0837695..93fa1a4 100644
 +		return this.processExternalEntities;
 +	}
 +
- 	@Override
  	public void setBeanClassLoader(ClassLoader classLoader) {
  		this.beanClassLoader = classLoader;
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
-index b184560..715ef4e 100644
+ 	}
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+index 5d6a053..0de00b2 100644
 --- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
 +++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
@@ -58,7 +57,7 @@ index b184560..715ef4e 100644
  import javax.xml.transform.Result;
  import javax.xml.transform.Source;
  import javax.xml.transform.Transformer;
-@@ -149,6 +150,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
  		this.encoding = encoding;
  	}
  
@@ -70,7 +69,7 @@ index b184560..715ef4e 100644
  	/**
  	 * Set the document standalone flag for marshalling. By default, this flag is not present.
  	 */
-@@ -338,7 +344,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
  		}
  		catch (TransformerException ex) {
  			throw new MarshallingFailureException(
@@ -79,7 +78,7 @@ index b184560..715ef4e 100644
  		}
  
  	}
-@@ -398,7 +404,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
  	@Override
  	protected Object unmarshalDomNode(Node node) throws XmlMappingException {
  		try {
@@ -88,10 +87,10 @@ index b184560..715ef4e 100644
  		}
  		catch (IOException ex) {
  			throw new UnmarshallingFailureException("JiBX unmarshalling exception", ex);
-@@ -409,12 +415,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+ 	@Override
  	protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource)
  			throws XmlMappingException, IOException {
- 
 -		return transformAndUnmarshal(new SAXSource(xmlReader, inputSource));
 +		return transformAndUnmarshal(new SAXSource(xmlReader, inputSource), inputSource.getEncoding());
  	}
@@ -99,14 +98,14 @@ index b184560..715ef4e 100644
 -	private Object transformAndUnmarshal(Source source) throws IOException {
 +	private Object transformAndUnmarshal(Source source, String encoding) throws IOException {
  		try {
- 			Transformer transformer = this.transformerFactory.newTransformer();
+ 			Transformer transformer = transformerFactory.newTransformer();
 +			if (encoding != null) {
 +				transformer.setOutputProperty(OutputKeys.ENCODING, encoding);
 +			}
  			ByteArrayOutputStream os = new ByteArrayOutputStream();
  			transformer.transform(source, new StreamResult(os));
  			ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray());
-@@ -422,7 +431,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
+@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe
  		}
  		catch (TransformerException ex) {
  			throw new MarshallingFailureException(
@@ -115,13 +114,13 @@ index b184560..715ef4e 100644
  		}
  	}
  
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-index a118775..2df808e 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+index cee37bb..09bc006 100644
 --- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
 +++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
@@ -160,8 +159,8 @@ index a118775..2df808e 100644
 +
  
  	/**
- 	 * Marshals the object graph with the given root into the provided {@code javax.xml.transform.Result}.
-@@ -133,7 +161,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+ 	 * Marshals the object graph with the given root into the provided <code>javax.xml.transform.Result</code>.
+@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
  			return unmarshalSaxSource((SAXSource) source);
  		}
  		else if (source instanceof StreamSource) {
@@ -170,7 +169,7 @@ index a118775..2df808e 100644
  		}
  		else {
  			throw new IllegalArgumentException("Unknown Source type: " + source.getClass());
-@@ -175,7 +203,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
  	 * @throws SAXException if thrown by JAXP methods
  	 */
  	protected XMLReader createXmlReader() throws SAXException {
@@ -181,7 +180,7 @@ index a118775..2df808e 100644
  	}
  
  
-@@ -358,8 +388,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
+@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller {
  	}
  
  	/**
@@ -215,27 +214,27 @@ index a118775..2df808e 100644
 +	}
 +
 +	/**
- 	 * Template method for handling {@code StreamSource}s.
- 	 * <p>This implementation defers to {@code unmarshalInputStream} or {@code unmarshalReader}.
+ 	 * Template method for handling <code>StreamSource</code>s.
+ 	 * <p>This implementation defers to <code>unmarshalInputStream</code> or <code>unmarshalReader</code>.
 +	 * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from
 +	 * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked instead is
 +	 * {@link #unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}.
 +	 *
- 	 * @param streamSource the {@code StreamSource}
+ 	 * @param streamSource the <code>StreamSource</code>
  	 * @return the object graph
  	 * @throws IOException if an I/O exception occurs
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
-index 1fd4940..b3bb5cf 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+index eb5a6e6..9f06b35 100644
 --- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
 +++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2012 the original author or authors.
+- * Copyright 2002-2009 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
   * you may not use this file except in compliance with the License.
-@@ -113,6 +113,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
+@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller {
  		return this.validating;
  	}
  
@@ -246,11 +245,11 @@ index 1fd4940..b3bb5cf 100644
  
  	/**
  	 * This implementation returns true if the given class is an implementation of {@link XmlObject}.
-diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-index de42e5b..52c121e 100644
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+index d6521ff..efa9403 100644
 --- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
 +++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-@@ -27,11 +27,9 @@ import java.lang.reflect.Constructor;
+@@ -26,11 +26,9 @@ import java.io.Writer;
  import java.util.LinkedHashMap;
  import java.util.List;
  import java.util.Map;
@@ -263,9 +262,9 @@ index de42e5b..52c121e 100644
 +import javax.xml.transform.stax.StAXSource;
 +import javax.xml.transform.stream.StreamSource;
  
- import com.thoughtworks.xstream.MarshallingStrategy;
  import com.thoughtworks.xstream.XStream;
-@@ -342,6 +340,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+ import com.thoughtworks.xstream.converters.ConversionException;
+@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
  		this.encoding = encoding;
  	}
  
@@ -277,7 +276,7 @@ index de42e5b..52c121e 100644
  	/**
  	 * Set the classes supported by this marshaller.
  	 * <p>If this property is empty (the default), all classes are supported.
-@@ -701,6 +704,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
+@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin
  	// Unmarshalling
  
  	@Override
@@ -291,452 +290,30 @@ index de42e5b..52c121e 100644
  	protected Object unmarshalDomNode(Node node) throws XmlMappingException {
  		HierarchicalStreamReader streamReader;
  		if (node instanceof Document) {
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-index 5856408..5500642 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -19,6 +19,8 @@ package org.springframework.oxm.castor;
- import java.io.ByteArrayInputStream;
- import java.io.IOException;
- import java.io.StringReader;
-+import java.util.concurrent.atomic.AtomicReference;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamSource;
- 
- import org.junit.Ignore;
-@@ -28,9 +30,13 @@ import org.springframework.core.io.ClassPathResource;
- import org.springframework.oxm.AbstractUnmarshallerTests;
- import org.springframework.oxm.MarshallingException;
- import org.springframework.oxm.Unmarshaller;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.XMLReader;
- 
-+import static junit.framework.Assert.assertNotNull;
- import static org.hamcrest.CoreMatchers.*;
- import static org.junit.Assert.*;
-+import static org.junit.Assert.assertEquals;
- 
- /**
-  * @author Arjen Poutsma
-@@ -203,4 +209,59 @@ public class CastorUnmarshallerTests extends AbstractUnmarshallerTests {
- 		StreamSource source = new StreamSource(new StringReader(xml));
- 		return unmarshaller.unmarshal(source);
- 	}
-+
-+	@Test
-+	public void unmarshalStreamSourceExternalEntities() throws Exception {
-+
-+		final AtomicReference<XMLReader> result = new AtomicReference<XMLReader>();
-+		CastorMarshaller marshaller = new CastorMarshaller() {
-+			@Override
-+			protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource) {
-+				result.set(xmlReader);
-+				return null;
-+			}
-+		};
-+
-+		// 1. external-general-entities disabled (default)
-+
-+		marshaller.unmarshal(new StreamSource("1"));
-+		assertNotNull(result.get());
-+		assertEquals(false, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+		// 2. external-general-entities disabled (default)
-+
-+		result.set(null);
-+		marshaller.setProcessExternalEntities(true);
-+		marshaller.unmarshal(new StreamSource("1"));
-+		assertNotNull(result.get());
-+		assertEquals(true, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+	}
-+
-+	@Test
-+	public void unmarshalSaxSourceExternalEntities() throws Exception {
-+
-+		final AtomicReference<XMLReader> result = new AtomicReference<XMLReader>();
-+		CastorMarshaller marshaller = new CastorMarshaller() {
-+			@Override
-+			protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource) {
-+				result.set(xmlReader);
-+				return null;
-+			}
-+		};
-+
-+		// 1. external-general-entities disabled (default)
-+
-+		marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+		assertNotNull(result.get());
-+		assertEquals(false, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+		// 2. external-general-entities disabled (default)
-+
-+		result.set(null);
-+		marshaller.setProcessExternalEntities(true);
-+		marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+		assertNotNull(result.get());
-+		assertEquals(true, result.get().getFeature("http://xml.org/sax/features/external-general-entities"));
-+	}
-+
- }
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-index af99408..921a4b2 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -31,9 +31,12 @@ import javax.xml.bind.annotation.XmlType;
- import javax.xml.namespace.QName;
- import javax.xml.transform.Result;
- import javax.xml.transform.sax.SAXResult;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamResult;
-+import javax.xml.transform.stream.StreamSource;
- 
- import org.junit.Test;
-+import org.mockito.ArgumentCaptor;
- import org.mockito.InOrder;
- import org.springframework.core.io.ClassPathResource;
- import org.springframework.core.io.Resource;
-@@ -47,9 +50,7 @@ import org.springframework.oxm.jaxb.test.ObjectFactory;
- import org.springframework.oxm.mime.MimeContainer;
- import org.springframework.util.FileCopyUtils;
- import org.springframework.util.ReflectionUtils;
--import org.xml.sax.Attributes;
--import org.xml.sax.ContentHandler;
--import org.xml.sax.Locator;
-+import org.xml.sax.*;
- 
- import static org.junit.Assert.*;
- import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
-@@ -289,7 +290,7 @@ public class Jaxb2MarshallerTests extends AbstractMarshallerTests {
- 	public void marshalAWrappedObjectHoldingAnXmlElementDeclElement() throws Exception {
- 		// SPR-10714
- 		marshaller = new Jaxb2Marshaller();
--		marshaller.setPackagesToScan(new String[] { "org.springframework.oxm.jaxb" });
-+		marshaller.setPackagesToScan(new String[]{"org.springframework.oxm.jaxb"});
- 		marshaller.afterPropertiesSet();
- 		Airplane airplane = new Airplane();
- 		airplane.setName("test");
-@@ -300,6 +301,75 @@ public class Jaxb2MarshallerTests extends AbstractMarshallerTests {
- 				writer.toString(), "<airplane><name>test</name></airplane>");
- 	}
- 
-+	// SPR-10806
-+
-+	@Test
-+	public void unmarshalStreamSourceExternalEntities() throws Exception {
-+
-+		final javax.xml.bind.Unmarshaller unmarshaller = mock(javax.xml.bind.Unmarshaller.class);
-+		Jaxb2Marshaller marshaller = new Jaxb2Marshaller() {
-+			@Override
-+			protected javax.xml.bind.Unmarshaller createUnmarshaller() {
-+				return unmarshaller;
-+			}
-+		};
-+
-+		// 1. external-general-entities disabled (default)
-+
-+		marshaller.unmarshal(new StreamSource("1"));
-+		ArgumentCaptor<SAXSource> sourceCaptor = ArgumentCaptor.forClass(SAXSource.class);
-+		verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+		SAXSource result = sourceCaptor.getValue();
-+		assertEquals(false, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+		// 2. external-general-entities enabled
-+
-+		reset(unmarshaller);
-+		marshaller.setProcessExternalEntities(true);
-+
-+		marshaller.unmarshal(new StreamSource("1"));
-+		verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+		result = sourceCaptor.getValue();
-+		assertEquals(true, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+	}
-+
-+	// SPR-10806
-+
-+	@Test
-+	public void unmarshalSaxSourceExternalEntities() throws Exception {
-+
-+		final javax.xml.bind.Unmarshaller unmarshaller = mock(javax.xml.bind.Unmarshaller.class);
-+		Jaxb2Marshaller marshaller = new Jaxb2Marshaller() {
-+			@Override
-+			protected javax.xml.bind.Unmarshaller createUnmarshaller() {
-+				return unmarshaller;
-+			}
-+		};
-+
-+		// 1. external-general-entities disabled (default)
-+
-+		marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+		ArgumentCaptor<SAXSource> sourceCaptor = ArgumentCaptor.forClass(SAXSource.class);
-+		verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+		SAXSource result = sourceCaptor.getValue();
-+		assertEquals(false, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+
-+		// 2. external-general-entities enabled
-+
-+		reset(unmarshaller);
-+		marshaller.setProcessExternalEntities(true);
-+
-+		marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+		verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+		result = sourceCaptor.getValue();
-+		assertEquals(true, result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities"));
-+	}
-+
-+
- 	@XmlRootElement
- 	@SuppressWarnings("unused")
- 	public static class DummyRootElement {
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-index 14ab19c..f7d26af 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-@@ -16,21 +16,34 @@
- 
- package org.springframework.oxm.jibx;
- 
-+import java.io.IOException;
- import java.io.StringWriter;
-+import java.util.concurrent.atomic.AtomicReference;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamResult;
-+import javax.xml.transform.stream.StreamSource;
- 
- import org.custommonkey.xmlunit.XMLUnit;
- import org.junit.BeforeClass;
- import org.junit.Test;
- 
-+import org.mockito.ArgumentCaptor;
- import org.springframework.oxm.AbstractMarshallerTests;
- import org.springframework.oxm.Marshaller;
-+import org.springframework.oxm.XmlMappingException;
-+import org.springframework.oxm.jaxb.Jaxb2Marshaller;
- import org.springframework.tests.Assume;
- import org.springframework.tests.TestGroup;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.XMLReader;
- 
- import static org.custommonkey.xmlunit.XMLAssert.*;
-+import static org.junit.Assert.assertEquals;
- import static org.junit.Assert.assertFalse;
- import static org.junit.Assert.assertTrue;
-+import static org.mockito.Mockito.mock;
-+import static org.mockito.Mockito.reset;
-+import static org.mockito.Mockito.verify;
- 
- /**
-  * @author Arjen Poutsma
-@@ -107,5 +120,4 @@ public class JibxMarshallerTests extends AbstractMarshallerTests {
- 		assertFalse("JibxMarshaller supports illegal type", marshaller.supports(getClass()));
- 	}
- 
--
- }
-diff --git a/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java b/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-index b1e460d..5ceeab2 100644
---- a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-+++ b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-@@ -28,7 +28,9 @@ import org.springframework.oxm.Unmarshaller;
- import org.springframework.tests.Assume;
- import org.springframework.tests.TestGroup;
- 
--import static org.junit.Assert.*;
-+import static org.junit.Assert.assertEquals;
-+import static org.junit.Assert.assertNotNull;
-+
- 
- /**
-  * @author Arjen Poutsma
-diff --git a/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-index 676f6d6..ad8d7d9 100644
---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -28,6 +28,9 @@ import javax.xml.bind.annotation.XmlRootElement;
- import javax.xml.bind.annotation.XmlType;
- import javax.xml.transform.Result;
- import javax.xml.transform.Source;
-+import javax.xml.transform.dom.DOMSource;
-+import javax.xml.transform.sax.SAXSource;
-+import javax.xml.transform.stream.StreamSource;
- 
- import org.springframework.core.annotation.AnnotationUtils;
- import org.springframework.http.HttpHeaders;
-@@ -36,6 +39,11 @@ import org.springframework.http.converter.HttpMessageConversionException;
- import org.springframework.http.converter.HttpMessageNotReadableException;
- import org.springframework.http.converter.HttpMessageNotWritableException;
- import org.springframework.util.ClassUtils;
-+import org.springframework.util.xml.StaxUtils;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.XMLReader;
-+import org.xml.sax.helpers.XMLReaderFactory;
- 
- /**
-  * Implementation of {@link org.springframework.http.converter.HttpMessageConverter HttpMessageConverter} that can read
-@@ -49,6 +57,17 @@ import org.springframework.util.ClassUtils;
-  */
- public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessageConverter<Object> {
- 
-+	private boolean processExternalEntities = false;
-+
-+
-+	/**
-+	 * Indicates whether external XML entities are processed when converting to a Source.
-+	 * <p>Default is {@code false}, meaning that external entities are not resolved.
-+	 */
-+	public void setProcessExternalEntities(boolean processExternalEntities) {
-+		this.processExternalEntities = processExternalEntities;
-+	}
-+
- 	@Override
- 	public boolean canRead(Class<?> clazz, MediaType mediaType) {
- 		return (clazz.isAnnotationPresent(XmlRootElement.class) || clazz.isAnnotationPresent(XmlType.class)) &&
-@@ -69,6 +88,7 @@ public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessa
- 	@Override
- 	protected Object readFromSource(Class<?> clazz, HttpHeaders headers, Source source) throws IOException {
- 		try {
-+			source = processSource(source);
- 			Unmarshaller unmarshaller = createUnmarshaller(clazz);
- 			if (clazz.isAnnotationPresent(XmlRootElement.class)) {
- 				return unmarshaller.unmarshal(source);
-@@ -87,6 +107,26 @@ public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessa
- 		}
- 	}
- 
-+	protected Source processSource(Source source) {
-+		if (source instanceof StreamSource) {
-+			StreamSource streamSource = (StreamSource) source;
-+			InputSource inputSource = new InputSource(streamSource.getInputStream());
-+			try {
-+				XMLReader xmlReader = XMLReaderFactory.createXMLReader();
-+				String featureName = "http://xml.org/sax/features/external-general-entities";
-+				xmlReader.setFeature(featureName, this.processExternalEntities);
-+				return new SAXSource(xmlReader, inputSource);
-+			}
-+			catch (SAXException ex) {
-+				logger.warn("Processing of external entities could not be disabled", ex);
-+				return source;
-+			}
-+		}
-+		else {
-+			return source;
-+		}
-+	}
-+
- 	@Override
- 	protected void writeToResult(Object o, HttpHeaders headers, Result result) throws IOException {
- 		try {
-diff --git a/spring-web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-index e970450..ec7daec 100644
+diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+index 15b7d8e..3126ca4 100644
 --- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
 +++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-@@ -95,6 +95,12 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
- 		this.processExternalEntities = processExternalEntities;
- 	}
- 
-+	/**
-+	 * @return the configured value for whether XML external entities are allowed.
-+	 */
-+	public boolean isProcessExternalEntities() {
-+		return this.processExternalEntities;
-+	}
- 
- 	@Override
+@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+         this.processExternalEntities = processExternalEntities;
+     }
+ 
++    /**
++     * @return the configured value for whether XML external entities are allowed.
++     */
++    public boolean isProcessExternalEntities() {
++        return this.processExternalEntities;
++    }
++
+     @Override
  	public boolean supports(Class<?> clazz) {
-@@ -159,8 +165,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
- 	private Source readStAXSource(InputStream body) {
- 		try {
- 			XMLInputFactory inputFactory = XMLInputFactory.newFactory();
--			inputFactory.setProperty(
--					"javax.xml.stream.isSupportingExternalEntities", this.processExternalEntities);
-+			inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
- 			XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
- 			return new StAXSource(streamReader);
- 		}
-diff --git a/spring-web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java b/spring-web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-index 30b7cc0..fe1e392 100644
---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-@@ -32,9 +32,13 @@ import org.junit.Test;
- import org.springframework.aop.framework.AdvisedSupport;
- import org.springframework.aop.framework.AopProxy;
- import org.springframework.aop.framework.DefaultAopProxyFactory;
-+import org.springframework.core.io.ClassPathResource;
-+import org.springframework.core.io.Resource;
- import org.springframework.http.MediaType;
- import org.springframework.http.MockHttpInputMessage;
- import org.springframework.http.MockHttpOutputMessage;
-+import org.springframework.http.converter.HttpMessageNotReadableException;
-+import org.xml.sax.SAXParseException;
- 
- /** @author Arjen Poutsma */
- public class Jaxb2RootElementHttpMessageConverterTests {
-@@ -96,6 +100,33 @@ public class Jaxb2RootElementHttpMessageConverterTests {
- 	}
- 
- 	@Test
-+	public void readXmlRootElementExternalEntityDisabled() throws Exception {
-+		Resource external = new ClassPathResource("external.txt", getClass());
-+		String content =  "<!DOCTYPE root [" +
-+				"  <!ELEMENT external ANY >\n" +
-+				"  <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
-+				"  <rootElement><external>&ext;</external></rootElement>";
-+		MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
-+		RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage);
-+
-+		assertEquals("", rootElement.external);
-+	}
-+
-+	@Test
-+	public void readXmlRootElementExternalEntityEnabled() throws Exception {
-+		Resource external = new ClassPathResource("external.txt", getClass());
-+		String content =  "<!DOCTYPE root [" +
-+				"  <!ELEMENT external ANY >\n" +
-+				"  <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" +
-+				"  <rootElement><external>&ext;</external></rootElement>";
-+		MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8"));
-+		this.converter.setProcessExternalEntities(true);
-+		RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage);
-+
-+		assertEquals("Foo Bar", rootElement.external);
-+	}
-+
-+	@Test
- 	public void writeXmlRootElement() throws Exception {
- 		MockHttpOutputMessage outputMessage = new MockHttpOutputMessage();
- 		converter.write(rootElement, null, outputMessage);
-@@ -120,6 +151,9 @@ public class Jaxb2RootElementHttpMessageConverterTests {
- 
- 		private Type type = new Type();
- 
-+		@XmlElement(required=false)
-+		public String external;
-+
- 		public Type getType() {
- 			return this.type;
- 		}
+ 		return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz)
+@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe
+     private Source readStAXSource(InputStream body) {
+         try {
+             XMLInputFactory inputFactory = XMLInputFactory.newFactory();
+-            inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities);
++            inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities);
+             XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body);
+             return StaxUtils.createStaxSource(streamReader);
+         }
diff --git a/debian/patches/CVE-2014-1904.patch b/debian/patches/CVE-2014-1904.patch
index e59e02d..d9274d1 100644
--- a/debian/patches/CVE-2014-1904.patch
+++ b/debian/patches/CVE-2014-1904.patch
@@ -1,37 +1,36 @@
 From: Miguel Landaeta <nomadium at debian.org>
-Date: Mon, 24 Mar 2014 14:35:39 -0300
-Subject: CVE-2013-6429
+Date: Mon, 24 Mar 2014 17:07:58 -0300
+Subject: CVE-2014-1904
 
 Bug: http://bugs.debian.org/741604
 
-diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-index a6aa59c..8c50bde 100644
+diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+index 2e9cc84..b416084 100644
 --- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
 +++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
   * you may not use this file except in compliance with the License.
-@@ -16,6 +16,7 @@
- 
- package org.springframework.web.servlet.tags.form;
+@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.jsp.JspException;
+ import javax.servlet.jsp.PageContext;
  
 +import java.io.UnsupportedEncodingException;
- import java.util.Map;
- 
- import javax.servlet.ServletRequest;
-@@ -32,6 +33,7 @@ import org.springframework.util.ObjectUtils;
++
+ import org.springframework.beans.PropertyAccessor;
+ import org.springframework.core.Conventions;
+ import org.springframework.util.ObjectUtils;
  import org.springframework.util.StringUtils;
- import org.springframework.web.servlet.support.RequestDataValueProcessor;
  import org.springframework.web.util.HtmlUtils;
 +import org.springframework.web.util.UriUtils;
  
  /**
-  * Databinding-aware JSP tag for rendering an HTML '{@code form}' whose
-@@ -442,6 +444,13 @@ public class FormTag extends AbstractHtmlElementTag {
+  * Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
+@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
  		}
  		else {
  			String requestUri = getRequestContext().getRequestUri();
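Review bot: The nested `@@ -1,5 +1,5 @@` hunk that rewrites the copyright line of FormTag.java (`- * Copyright 2002-2010` → `+ * Copyright 2002-2014`) carries no part of the CVE-2014-1904 fix and is the kind of context that drifts between upstream and the packaged 3.0.6 source, so it is a likely source of fuzz or rejects on future rebases; dropping that hunk from the patch would leave only the import and `requestUri` hunks that matter. The `diff --git` header now names the `projects/org.springframework.web.servlet/...` path, agreeing with the `---`/`+++` lines beneath it, which is what the previous revision lacked. The seven lines the inner `@@ -397,6 +400,13 @@` hunk adds after `String requestUri = getRequestContext().getRequestUri();` — the code that actually uses `UriUtils` and `UnsupportedEncodingException` — fall outside this hunk, so the encoding fix itself cannot be reviewed here.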
@@ -45,36 +44,3 @@ index a6aa59c..8c50bde 100644
  			ServletResponse response = this.pageContext.getResponse();
  			if (response instanceof HttpServletResponse) {
  				requestUri = ((HttpServletResponse) response).encodeURL(requestUri);
-diff --git a/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java b/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-index 8fdcc1c..2612761 100644
---- a/projects/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-+++ b/projects/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -340,6 +340,21 @@ public class FormTagTests extends AbstractHtmlElementTagTests {
- 		assertFormTagClosed(output);
- 	}
- 
-+	public void testDefaultActionEncoded() throws Exception {
-+
-+		this.request.setRequestURI("/a b c");
-+		request.setQueryString("");
-+
-+		this.tag.doStartTag();
-+		this.tag.doEndTag();
-+		this.tag.doFinally();
-+
-+		String output = getOutput();
-+		String formOutput = getFormTag(output);
-+
-+		assertContainsAttribute(formOutput, "action", "/a%20b%20c");
-+	}
-+
- 	private String getFormTag(String output) {
- 		int inputStart = output.indexOf("<", 1);
- 		int inputEnd = output.lastIndexOf(">", output.length() - 2);
diff --git a/debian/patches/series b/debian/patches/series
index 36fe668..be7dad9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,5 +12,5 @@
 Add-processExternalEntities-to-JAXB2Marshaller.patch
 CVE-2013-6429.patch
 CVE-2013-6430.patch
-#CVE-2014-0054.patch
+CVE-2014-0054.patch
 CVE-2014-1904.patch
