[lucene-solr] 05/11: Fix CVE-2017-12629
Markus Koschany
apo at moszumanska.debian.org
Sun Jan 14 14:29:29 UTC 2018
This is an automated email from the git hooks/post-receive script.
apo pushed a commit to branch master
in repository lucene-solr.
commit b1a7ccd489a7cc389bdb71200a424b28dfddbaef
Author: Markus Koschany <apo at debian.org>
Date: Sat Jan 13 21:30:08 2018 +0100
Fix CVE-2017-12629
---
debian/conf/solrconfig.xml | 23 ----
debian/patches/CVE-2017-12629.patch | 130 ++++++++++++++++++++
debian/patches/remove-RunExecutableListener.patch | 137 ++++++++++++++++++++++
debian/patches/series | 2 +
4 files changed, 269 insertions(+), 23 deletions(-)
diff --git a/debian/conf/solrconfig.xml b/debian/conf/solrconfig.xml
index 007ff72..e74ea3e 100644
--- a/debian/conf/solrconfig.xml
+++ b/debian/conf/solrconfig.xml
@@ -338,29 +338,6 @@
postCommit - fired after every commit or optimize command
postOptimize - fired after every optimize command
-->
- <!-- The RunExecutableListener executes an external command from a
- hook such as postCommit or postOptimize.
-
- exe - the name of the executable to run
- dir - dir to use as the current working directory. (default=".")
- wait - the calling thread waits until the executable returns.
- (default="true")
- args - the arguments to pass to the program. (default is none)
- env - environment variables to set. (default is none)
- -->
- <!-- This example shows how RunExecutableListener could be used
- with the script based replication...
- http://wiki.apache.org/solr/CollectionDistribution
- -->
- <!--
- <listener event="postCommit" class="solr.RunExecutableListener">
- <str name="exe">solr/bin/snapshooter</str>
- <str name="dir">.</str>
- <bool name="wait">true</bool>
- <arr name="args"> <str>arg1</str> <str>arg2</str> </arr>
- <arr name="env"> <str>MYVAR=val1</str> </arr>
- </listener>
- -->
</updateHandler>
<!-- IndexReaderFactory
diff --git a/debian/patches/CVE-2017-12629.patch b/debian/patches/CVE-2017-12629.patch
new file mode 100644
index 0000000..96f06e8
--- /dev/null
+++ b/debian/patches/CVE-2017-12629.patch
@@ -0,0 +1,130 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 13 Jan 2018 16:48:33 +0100
+Subject: CVE-2017-12629
+
+---
+ .../org/apache/lucene/xmlparser/CoreParser.java | 77 +++++++++++++++++-----
+ 1 file changed, 59 insertions(+), 18 deletions(-)
+
+diff --git a/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java b/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
+index c84b90a..21b943a 100644
+--- a/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
++++ b/lucene/contrib/xml-query-parser/src/java/org/apache/lucene/xmlparser/CoreParser.java
+@@ -1,9 +1,12 @@
+ package org.apache.lucene.xmlparser;
+
+ import java.io.InputStream;
++import java.util.Locale;
+
+ import javax.xml.parsers.DocumentBuilder;
+ import javax.xml.parsers.DocumentBuilderFactory;
++import javax.xml.parsers.ParserConfigurationException;
++import javax.xml.XMLConstants;
+
+ import org.apache.lucene.analysis.Analyzer;
+ import org.apache.lucene.queryParser.QueryParser;
+@@ -11,6 +14,10 @@ import org.apache.lucene.search.Query;
+ import org.apache.lucene.xmlparser.builders.*;
+ import org.w3c.dom.Document;
+ import org.w3c.dom.Element;
++import org.xml.sax.EntityResolver;
++import org.xml.sax.ErrorHandler;
++import org.xml.sax.SAXException;
++import org.xml.sax.InputSource;
+
+ /**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+@@ -124,6 +131,10 @@ public class CoreParser implements QueryBuilder
+ queryFactory.addBuilder("SpanNot",snot);
+ }
+
++ /**
++ * Parses the given stream as XML file and returns a {@link Query}.
++ * By default this disallows external entities for security reasons.
++ */
+ public Query parse(InputStream xmlStream) throws ParserException
+ {
+ return getQuery(parseXML(xmlStream).getDocumentElement());
+@@ -137,34 +148,64 @@ public class CoreParser implements QueryBuilder
+ {
+ filterFactory.addBuilder(nodeName,builder);
+ }
+-
+- private static Document parseXML(InputStream pXmlFile) throws ParserException
+- {
+- DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+- DocumentBuilder db = null;
++ /**
++ * Returns a SAX {@link EntityResolver} to be used by {@link DocumentBuilder}.
++ * By default this returns {@link #DISALLOW_EXTERNAL_ENTITY_RESOLVER}, which disallows the
++ * expansion of external entities (for security reasons). To restore legacy behavior,
++ * override this method to return {@code null}.
++ */
++ protected EntityResolver getEntityResolver() {
++ return DISALLOW_EXTERNAL_ENTITY_RESOLVER;
++ }
++
++ /**
++ * Subclass and override to return a SAX {@link ErrorHandler} to be used by {@link DocumentBuilder}.
++ * By default this returns {@code null} so no error handler is used.
++ * This method can be used to redirect XML parse errors/warnings to a custom logger.
++ */
++ protected ErrorHandler getErrorHandler() {
++ return null;
++ }
++
++ private Document parseXML(InputStream pXmlFile) throws ParserException {
++ final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
++ dbf.setValidating(false);
+ try
+ {
+- db = dbf.newDocumentBuilder();
+- }
+- catch (Exception se)
+- {
+- throw new ParserException("XML Parser configuration error", se);
++ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
++ } catch (ParserConfigurationException e) {
++ // ignore since all implementations are required to support the
++ // {@link javax.xml.XMLConstants#FEATURE_SECURE_PROCESSING} feature
+ }
+- org.w3c.dom.Document doc = null;
++ final DocumentBuilder db;
+ try
+ {
+- doc = db.parse(pXmlFile);
+- }
+- catch (Exception se)
+- {
+- throw new ParserException("Error parsing XML stream:" + se, se);
++ db = dbf.newDocumentBuilder();
++ } catch (Exception se) {
++ throw new ParserException("XML Parser configuration error.", se);
+ }
+- return doc;
++ try {
++ db.setEntityResolver(getEntityResolver());
++ db.setErrorHandler(getErrorHandler());
++ return db.parse(pXmlFile);
++ } catch (Exception se) {
++ throw new ParserException("Error parsing XML stream: " + se, se);
+ }
+-
++ }
+
+ public Query getQuery(Element e) throws ParserException
+ {
+ return queryFactory.getQuery(e);
+ }
++ public static final EntityResolver DISALLOW_EXTERNAL_ENTITY_RESOLVER = createEntityResolver();
++
++ public static EntityResolver createEntityResolver() {
++ return new EntityResolver() {
++ public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
++ throw new SAXException(String.format(Locale.ENGLISH,
++ "External Entity resolving unsupported: publicId=\"%s\" systemId=\"%s\"",
++ publicId, systemId));
++ }
++ };
++ }
+ }
diff --git a/debian/patches/remove-RunExecutableListener.patch b/debian/patches/remove-RunExecutableListener.patch
new file mode 100644
index 0000000..bdec749
--- /dev/null
+++ b/debian/patches/remove-RunExecutableListener.patch
@@ -0,0 +1,137 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 13 Jan 2018 17:14:03 +0100
+Subject: remove RunExecutableListener
+
+---
+ .../apache/solr/core/RunExecutableListener.java | 122 ---------------------
+ 1 file changed, 122 deletions(-)
+ delete mode 100644 solr/core/src/java/org/apache/solr/core/RunExecutableListener.java
+
+diff --git a/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java b/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java
+deleted file mode 100644
+index 62f554e..0000000
+--- a/solr/core/src/java/org/apache/solr/core/RunExecutableListener.java
++++ /dev/null
+@@ -1,122 +0,0 @@
+-/**
+- * Licensed to the Apache Software Foundation (ASF) under one or more
+- * contributor license agreements. See the NOTICE file distributed with
+- * this work for additional information regarding copyright ownership.
+- * The ASF licenses this file to You under the Apache License, Version 2.0
+- * (the "License"); you may not use this file except in compliance with
+- * the License. You may obtain a copy of the License at
+- *
+- * http://www.apache.org/licenses/LICENSE-2.0
+- *
+- * Unless required by applicable law or agreed to in writing, software
+- * distributed under the License is distributed on an "AS IS" BASIS,
+- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+- * See the License for the specific language governing permissions and
+- * limitations under the License.
+- */
+-
+-package org.apache.solr.core;
+-
+-import org.apache.solr.common.SolrException;
+-import org.apache.solr.common.util.NamedList;
+-import org.apache.solr.search.SolrIndexSearcher;
+-
+-import java.io.File;
+-import java.io.IOException;
+-import java.util.List;
+-import java.util.ArrayList;
+-
+-/**
+- */
+-class RunExecutableListener extends AbstractSolrEventListener {
+- public RunExecutableListener(SolrCore core) {
+- super(core);
+- }
+- protected String[] cmd;
+- protected File dir;
+- protected String[] envp;
+- protected boolean wait=true;
+-
+- @Override
+- public void init(NamedList args) {
+- super.init(args);
+-
+- List cmdlist = new ArrayList();
+- cmdlist.add(args.get("exe"));
+- List lst = (List)args.get("args");
+- if (lst != null) cmdlist.addAll(lst);
+- cmd = (String[])cmdlist.toArray(new String[cmdlist.size()]);
+-
+- lst = (List)args.get("env");
+- if (lst != null) {
+- envp = (String[])lst.toArray(new String[lst.size()]);
+- }
+-
+- String str = (String)args.get("dir");
+- if (str==null || str.equals("") || str.equals(".") || str.equals("./")) {
+- dir = null;
+- } else {
+- dir = new File(str);
+- }
+-
+- if ("false".equals(args.get("wait")) || Boolean.FALSE.equals(args.get("wait"))) wait=false;
+- }
+-
+- /**
+- * External executable listener.
+- *
+- * @param callback Unused (As of solr 1.4-dev)
+- * @return Error code indicating if the command has executed successfully. <br />
+- * 0 , indicates normal termination.<br />
+- * non-zero , otherwise.
+- */
+- protected int exec(String callback) {
+- int ret = 0;
+-
+- try {
+- boolean doLog = log.isDebugEnabled();
+- if (doLog) {
+- log.debug("About to exec " + cmd[0]);
+- }
+- Process proc = Runtime.getRuntime().exec(cmd, envp ,dir);
+-
+- if (wait) {
+- try {
+- ret = proc.waitFor();
+- } catch (InterruptedException e) {
+- SolrException.log(log,e);
+- ret = INVALID_PROCESS_RETURN_CODE;
+- }
+- }
+-
+- if (wait && doLog) {
+- log.debug("Executable " + cmd[0] + " returned " + ret);
+- }
+-
+- } catch (IOException e) {
+- // don't throw exception, just log it...
+- SolrException.log(log,e);
+- ret = INVALID_PROCESS_RETURN_CODE;
+- }
+-
+- return ret;
+- }
+-
+-
+- @Override
+- public void postCommit() {
+- // anything generic need to be passed to the external program?
+- // the directory of the index? the command that caused it to be
+- // invoked? the version of the index?
+- exec("postCommit");
+- }
+-
+- @Override
+- public void newSearcher(SolrIndexSearcher newSearcher, SolrIndexSearcher currentSearcher) {
+- exec("newSearcher");
+- }
+-
+- /** Non-zero value for an invalid return code **/
+- private static int INVALID_PROCESS_RETURN_CODE = -1;
+-
+-}
diff --git a/debian/patches/series b/debian/patches/series
index a197129..133e43c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,5 @@ CVE-2013-6407_CVE-2013-6408.patch
jetty-compatibility.patch
commons-codec-compatibility.patch
java8-compatibility.patch
+CVE-2017-12629.patch
+remove-RunExecutableListener.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/lucene-solr.git
More information about the pkg-java-commits
mailing list