From resc...@apache.org
Subject svn commit: r1680822 - in /jackrabbit/branches/2.0: ./ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/ jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/
Date Thu, 21 May 2015 11:11:41 GMT
Author: reschke
Date: Thu May 21 11:11:40 2015
New Revision: 1680822

URL: http://svn.apache.org/r1680822
Log:
JCR-3883: Jackrabbit WebDAV bundle susceptible to XXE/XEE attack (CVE-2015-1833) (ported to
2.0)

Added:
    jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
  (with props)
Modified:
    jackrabbit/branches/2.0/   (props changed)
    jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java
    jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java

Propchange: jackrabbit/branches/2.0/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu May 21 11:11:40 2015
@@ -4,4 +4,4 @@
 /jackrabbit/sandbox/JCR-1456:774917-886178
 /jackrabbit/sandbox/JCR-2170:812417-816332
 /jackrabbit/sandbox/tripod-JCR-2209:795441-795863
-/jackrabbit/trunk:891595,891629,892253,892263,894150-894151,896408,896513,896532,896857,896870,896876,896908,896940,896942-896943,896969,896977,897071,897836,897842,897858,897935,897983,897992-897993,897996,898002,898042,898267,898325,898540,898677,898699,898701,898715,898872,899102,899181,899391,899393-899394,899583,899594,899643,900305,900310,900314,900453,900702,900736,900762-900763,900767,900782,901095,901122,901139,901144,901170,901176,901191,901193,901196,901216,901228,901285,902058,902062,926324,928888,936668,955222,955229,955307,955852,965539,995406,995411-995412,996810,999298-999299,999965,1000912,1000947,1001707,1002065-1002066,1002084,1002101-1002102,1002168,1002170,1002589,1002608,1002657,1002729,1003423,1003470,1003542,1003773,1004182,1004184,1004223-1004224,1004652,1005057,1005112,1032621,1036117,1036336-1036337,1038201,1039064,1040090,1087304,1089436,1100242,1101046,1102601,1104027,1165609,1173196
+/jackrabbit/trunk:891595,891629,892253,892263,894150-894151,896408,896513,896532,896857,896870,896876,896908,896940,896942-896943,896969,896977,897071,897836,897842,897858,897935,897983,897992-897993,897996,898002,898042,898267,898325,898540,898677,898699,898701,898715,898872,899102,899181,899391,899393-899394,899583,899594,899643,900305,900310,900314,900453,900702,900736,900762-900763,900767,900782,901095,901122,901139,901144,901170,901176,901191,901193,901196,901216,901228,901285,902058,902062,926324,928888,936668,955222,955229,955307,955852,965539,995406,995411-995412,996810,999298-999299,999965,1000912,1000947,1001707,1002065-1002066,1002084,1002101-1002102,1002168,1002170,1002589,1002608,1002657,1002729,1003423,1003470,1003542,1003773,1004182,1004184,1004223-1004224,1004652,1005057,1005112,1032621,1036117,1036336-1036337,1038201,1039064,1040090,1087304,1089436,1100242,1101046,1102601,1104027,1165609,1173196,1680757

Modified: jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java?rev=1680822&r1=1680821&r2=1680822&view=diff
==============================================================================
--- jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java
(original)
+++ jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/client/methods/DavMethodBase.java
Thu May 21 11:11:40 2015
@@ -27,6 +27,7 @@ import org.apache.jackrabbit.webdav.DavE
 import org.apache.jackrabbit.webdav.DavServletResponse;
 import org.apache.jackrabbit.webdav.MultiStatus;
 import org.apache.jackrabbit.webdav.header.Header;
+import org.apache.jackrabbit.webdav.xml.DavDocumentBuilderFactory;
 import org.apache.jackrabbit.webdav.xml.XmlSerializable;
 import org.apache.jackrabbit.webdav.xml.DomUtil;
 import org.slf4j.Logger;
@@ -39,6 +40,7 @@ import org.xml.sax.helpers.DefaultHandle
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
+
 import java.io.IOException;
 import java.io.InputStream;
 
@@ -49,7 +51,7 @@ public abstract class DavMethodBase exte
 
     private static Logger log = LoggerFactory.getLogger(DavMethodBase.class);
 
-    static final DocumentBuilderFactory BUILDER_FACTORY = DomUtil.BUILDER_FACTORY;
+    static final DavDocumentBuilderFactory BUILDER_FACTORY = DomUtil.BUILDER_FACTORY;
 
     private boolean success;
     private Document responseDocument;
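Review bot: The new `BUILDER_FACTORY` line copies the reference held by `DomUtil.BUILDER_FACTORY` when `DavMethodBase` is initialised, and the DomUtil hunk of this commit still declares that field as a non-final `public static`, so a later reassignment of the DomUtil field would leave `DavMethodBase` parsing responses with a different factory than the rest of the bundle. Since DomUtil's Javadoc calls the field a constant and customisation now goes through `DavDocumentBuilderFactory.setFactory(...)`, declaring it `public static final DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();` in DomUtil removes that divergence without changing the new API. The retained `import javax.xml.parsers.DocumentBuilderFactory;` in this file may now be unused if the replaced field was its only use; that cannot be confirmed from the hunk. The enclosing class body continues outside the hunk.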

Added: jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java?rev=1680822&view=auto
==============================================================================
--- jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
(added)
+++ jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
Thu May 21 11:11:40 2015
@@ -0,0 +1,86 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.jackrabbit.webdav.xml;
+
+import java.io.IOException;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.helpers.DefaultHandler;
+
+/**
+ * Custom {@link DocumentBuilderFactory} extended for use in WebDAV.
+ */
+public class DavDocumentBuilderFactory {
+
+    private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class);
+
+    private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory();
+
+    private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY;
+
+    private DocumentBuilderFactory createFactory() {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setNamespaceAware(true);
+        factory.setIgnoringComments(true);
+        factory.setIgnoringElementContentWhitespace(true);
+        factory.setCoalescing(true);
+        try {
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch (ParserConfigurationException e) {
+            LOG.warn("Secure XML processing is not supported", e);
+        } catch (AbstractMethodError e) {
+            LOG.warn("Secure XML processing is not supported", e);
+        }
+        return factory;
+    }
+
+    public void setFactory(DocumentBuilderFactory documentBuilderFactory) {
+        LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory);
+        BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY;
+    }
+
+    /**
+     * An entity resolver that does not allow external entity resolution. See
+     * RFC 4918, Section 20.6
+     */
+    private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() {
+        public InputSource resolveEntity(String publicId, String systemId) throws IOException
{
+            LOG.debug("Resolution of external entities in XML payload not supported - publicId:
" + publicId + ", systemId: "
+                    + systemId);
+            throw new IOException("This parser does not support resolution of external entities
(publicId: " + publicId
+                    + ", systemId: " + systemId + ")");
+        }
+    };
+
+    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
+        DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder();
+        if (BUILDER_FACTORY == DEFAULT_FACTORY) {
+            // if this is the default factory: set the default entity resolver as well
+            db.setEntityResolver(DEFAULT_ENTITY_RESOLVER);
+        }
+        db.setErrorHandler(new DefaultHandler());
+        return db;
+    }
+}
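Review bot: The entity resolver attached in `newDocumentBuilder()` is what actually refuses external entity resolution, but it is installed only while the default factory is in use, so a factory supplied through `setFactory(...)` is used with whatever entity handling it ships with, and `FEATURE_SECURE_PROCESSING` on the default factory bounds entity expansion but does not by itself stop external entity fetches. That contract belongs on `setFactory`; proposed Javadoc: `/** Replaces the factory used by {@link #newDocumentBuilder()}. The default entity resolver is not applied to a custom factory, so the caller is responsible for hardening it against external entities; {@code null} restores the default factory. */`. For the default factory, `factory.setXIncludeAware(false);` next to the secure-processing call makes the inclusion setting explicit, and if older parsers may reject it the same `try` block can guard it. The class Javadoc says the factory is "extended", but the class wraps a `DocumentBuilderFactory` rather than subclassing it; `Wrapper around a {@link DocumentBuilderFactory} configured for WebDAV: namespace-aware, secure processing enabled, external entity resolution refused.` describes it more accurately. As points of style, `LOG` is created for `DomUtil.class` rather than this class, `DEFAULT_FACTORY` and `BUILDER_FACTORY` are instance fields written in constant case, and since `BUILDER_FACTORY` is written by `setFactory` and read by `newDocumentBuilder` on an instance that DomUtil appears to share statically, it presumably should be `volatile` or the class should document that it is not meant to be reconfigured concurrently.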

Propchange: jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
URL: http://svn.apache.org/viewvc/jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java?rev=1680822&r1=1680821&r2=1680822&view=diff
==============================================================================
--- jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
(original)
+++ jackrabbit/branches/2.0/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java
Thu May 21 11:11:40 2015
@@ -28,7 +28,6 @@ import org.w3c.dom.NodeList;
 import org.w3c.dom.Text;
 import org.w3c.dom.NamedNodeMap;
 
-import javax.xml.parsers.DocumentBuilderFactory;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -40,16 +39,10 @@ public class DomUtil {
     private static Logger log = LoggerFactory.getLogger(DomUtil.class);
 
     /**
-     * Constant for <code>DocumentBuilderFactory</code> which is used
+     * Constant for <code>DavDocumentBuilderFactory</code> which is used
      * widely to create new <code>Document</code>s
      */
-    public static DocumentBuilderFactory BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
-    static {
-        BUILDER_FACTORY.setNamespaceAware(true);
-        BUILDER_FACTORY.setIgnoringComments(true);
-        BUILDER_FACTORY.setIgnoringElementContentWhitespace(true);
-        BUILDER_FACTORY.setCoalescing(true);
-    }
+    public static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory();
 
     /**
      * Returns the value of the named attribute of the current element.


