[jackrabbit] 01/02: Add CVE-2015-1833.patch.
Markus Koschany
apo-guest at moszumanska.debian.org
Wed Jun 24 14:07:13 UTC 2015
This is an automated email from the git hooks/post-receive script.
apo-guest pushed a commit to branch jessie
in repository jackrabbit.
commit 2720203735a9eff3ae42a83ee760ad24dc8a6408
Author: Markus Koschany <apo at gambaru.de>
Date: Wed Jun 24 03:17:45 2015 +0200
Add CVE-2015-1833.patch.
Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle.
When processing a WebDAV request body containing XML, the XML parser can be
instructed to read content from network resources accessible to the host,
identified by URI schemes such as "http(s)" or "file". Depending on the
WebDAV request, this can not only be used to trigger internal network
requests, but might also be used to insert said content into the request,
potentially exposing it to the attacker and others.
Closes: #787316
---
debian/patches/CVE-2015-1833.patch | 244 +++++++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
2 files changed, 245 insertions(+)
diff --git a/debian/patches/CVE-2015-1833.patch b/debian/patches/CVE-2015-1833.patch
new file mode 100644
index 0000000..83db29d
--- /dev/null
+++ b/debian/patches/CVE-2015-1833.patch
@@ -0,0 +1,244 @@
+From: Markus Koschany <apo at gambaru.de>
+Date: Wed, 24 Jun 2015 03:16:44 +0200
+Subject: CVE-2015-1833
+
+---
+ .../webdav/xml/DavDocumentBuilderFactory.java | 86 ++++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/DomUtil.java | 22 +-----
+ .../apache/jackrabbit/webdav/xml/ParserTest.java | 78 ++++++++++++++++++++
+ .../org/apache/jackrabbit/webdav/xml/TestAll.java | 1 +
+ 4 files changed, 168 insertions(+), 19 deletions(-)
+ create mode 100644 jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+ create mode 100644 jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+new file mode 100644
+index 0000000..60660a0
+--- /dev/null
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
+@@ -0,0 +1,86 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.IOException;
++
++import javax.xml.XMLConstants;
++import javax.xml.parsers.DocumentBuilder;
++import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.InputSource;
++import org.xml.sax.helpers.DefaultHandler;
++
++/**
++ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
++ */
++public class DavDocumentBuilderFactory {
++
++ private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
++
++ private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
++
++ private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
++
++ private DocumentBuilderFactory createFactory() {
++ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
++ factory.setNamespaceAware(true);
++ factory.setIgnoringComments(true);
++ factory.setIgnoringElementContentWhitespace(true);
++ factory.setCoalescing(true);
++ try {
++ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++ } catch (ParserConfigurationException e) {
++ LOG.warn("Secure XML processing is not supported", e);
++ } catch (AbstractMethodError e) {
++ LOG.warn("Secure XML processing is not supported", e);
++ }
++ return factory;
++ }
++
++ public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
++ LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory);
++ BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY;
++ }
++
++ /**
++ * An entity resolver that does not allow external entity resolution. See
++ * RFC 4918, Section 20.6
++ */
++ private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() {
++ public InputSource resolveEntity(String publicId, String systemId) throws IOException {
++ LOG.debug("Resolution of external entities in XML payload not supported - publicId: " + publicId + ", systemId: "
++ + systemId);
++ throw new IOException("This parser does not support resolution of external entities (publicId: " + publicId
++ + ", systemId: " + systemId + ")");
++ }
++ };
++
++ public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
++ DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder();
++ if (BUILDER_FACTORY == DEFAULT_FACTORY) {
++ // if this is the default factory: set the default entity resolver as well
++ db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);
++ }
++ db.setErrorHandler(new DefaultHandler());
++ return db;
++ }
++}
+diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+index 70508cc..ad77c97 100644
+--- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
++++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
+@@ -56,26 +56,10 @@ public class DomUtil {
+ private static Logger log = LoggerFactory.getLogger(DomUtil.class);
+
+ /**
+- * Constant for <code>DocumentBuilderFactory</code> which is used
++ * Constant for <code>DavDocumentBuilderFactory</code> which is used
+ * to create and parse DOM documents.
+ */
+- private static DocumentBuilderFactory BUILDER_FACTORY = createFactory();
+-
+- private static DocumentBuilderFactory createFactory() {
+- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+- factory.setNamespaceAware(true);
+- factory.setIgnoringComments(true);
+- factory.setIgnoringElementContentWhitespace(true);
+- factory.setCoalescing(true);
+- try {
+- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+- } catch (ParserConfigurationException e) {
+- log.warn("Secure XML processing is not supported", e);
+- } catch (AbstractMethodError e) {
+- log.warn("Secure XML processing is not supported", e);
+- }
+- return factory;
+- }
++ private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
+
+ /**
+ * Support the replacement of {@link #BUILDER_FACTORY}. This is useful
+@@ -88,7 +72,7 @@ public class DomUtil {
+ */
+ public static void setBuilderFactory(
+ DocumentBuilderFactory documentBuilderFactory) {
+- BUILDER_FACTORY = documentBuilderFactory;
++ BUILDER_FACTORY.setFactory(documentBuilderFactory);
+ }
+
+ /**
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+new file mode 100644
+index 0000000..19aaa1b
+--- /dev/null
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java
+@@ -0,0 +1,78 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the \"License\"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an \"AS IS\" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.jackrabbit.webdav.xml;
++
++import java.io.ByteArrayInputStream;
++import java.io.File;
++import java.io.FileOutputStream;
++import java.io.IOException;
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.io.UnsupportedEncodingException;
++
++import junit.framework.TestCase;
++
++import org.w3c.dom.Document;
++import org.w3c.dom.Element;
++
++public class ParserTest extends TestCase {
++
++ // see <http://en.wikipedia.org/wiki/Billion_laughs#Details>
++ public void testBillionLaughs() throws UnsupportedEncodingException {
++
++ String testBody = "<?xml version=\"1.0\"?>" + "<!DOCTYPE lolz [" + " <!ENTITY lol \"lol\">" + " <!ELEMENT lolz (#PCDATA)>"
++ + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">"
++ + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">"
++ + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">"
++ + " <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">"
++ + " <!ENTITY lol5 \"&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;\">"
++ + " <!ENTITY lol6 \"&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;\">"
++ + " <!ENTITY lol7 \"&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;\">"
++ + " <!ENTITY lol8 \"&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;\">"
++ + " <!ENTITY lol9 \"&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;\">" + "]>" + "<lolz>&lol9;</lolz>";
++ InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++ try {
++ DomUtil.parseDocument(is);
++ fail("parsing this document should cause an exception");
++ } catch (Exception expected) {
++ }
++ }
++
++ public void testExternalEntities() throws IOException {
++
++ String dname = "target";
++ String fname = "test.xml";
++
++ File f = new File(dname, fname);
++ OutputStream os = new FileOutputStream(f);
++ os.write("testdata".getBytes());
++ os.close();
++
++ String testBody = "<?xml version='1.0'?>\n<!DOCTYPE foo [" + " <!ENTITY test SYSTEM \"file:" + dname + "/" + fname + "\">"
++ + "]>\n<foo>&test;</foo>";
++ InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8"));
++
++ try {
++ Document d = DomUtil.parseDocument(is);
++ Element root = d.getDocumentElement();
++ String text = DomUtil.getText(root);
++ fail("parsing this document should cause an exception, but the following external content was included: " + text);
++ } catch (Exception expected) {
++ }
++ }
++}
+\ No newline at end of file
+diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+index 1ca395a..f3ff354 100644
+--- a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
++++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java
+@@ -33,6 +33,7 @@ public class TestAll extends TestCase {
+ TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests");
+
+ suite.addTestSuite(NamespaceTest.class);
++ suite.addTestSuite(ParserTest.class);
+
+ return suite;
+ }
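Review bot: The external-entity defence in `newDocumentBuilder` is attached only while `BUILDER_FACTORY == DEFAULT_FACTORY`, so any caller of `DomUtil.setBuilderFactory` with its own factory silently drops the protection this patch introduces, leaving only a debug-level log line to record the swap. The Javadoc on `setFactory` should say so explicitly (e.g. `Replacement factories must provide their own protection against external entity resolution and entity expansion; see RFC 4918, Section 20.6`), and `createFactory` could additionally harden the default factory itself with `factory.setFeature("http://xml.org/sax/features/external-general-entities", false)` and `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)` in the same try/catch, so the fix does not rest solely on the resolver being installed. In `ParserTest`, both tests accept any `Exception`, so a parser that fails for an unrelated reason still passes; asserting on the exception type or that its message names external-entity resolution would make the regression tests meaningful. Minor: `LOG` in `DavDocumentBuilderFactory` is obtained with `DomUtil.class`, so its warnings are attributed to the wrong class.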
diff --git a/debian/patches/series b/debian/patches/series
index 1ed02cd..7c77d0f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
modules.diff
servlet_api_25.diff
+CVE-2015-1833.patch