jmeter-dev mailing list archives

From Felix Schumacher <felix.schumac...@internetallee.de>
Subject Re: svn commit: r1761294 - in /jmeter/trunk: LICENSE build.properties eclipse.classpath lib/ lib/aareadme.txt licenses/bin/xstream-1.4.8.txt licenses/bin/xstream-1.4.9.txt res/maven/ApacheJMeter_parent.pom xdocs/changes.xml
Date Sun, 02 Oct 2016 18:52:42 GMT
On 20.09.2016 at 21:29, Philippe Mouawad wrote:
> On Tue, Sep 20, 2016 at 9:16 PM, Felix Schumacher <
> felix.schumacher@internetallee.de> wrote:
>
>> On 20.09.2016 at 21:13, Philippe Mouawad wrote:
>>
>>> On Tue, Sep 20, 2016 at 8:56 PM, Felix Schumacher <felix.schumacher@internetallee.de> wrote:
>>>
>>> On 20.09.2016 at 20:33, Philippe Mouawad wrote:
>>>> Hi Felix,
>>>>> Yes issue seems to come from this:
>>>>> https://github.com/x-stream/xstream/blob/f66bbea1b383e705988abf8d06ea9782a73f24d4/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java#L147
>>>>>
>>>>> How do you reproduce it ?
>>>>> I don't see it fail on my laptop nor on jenkins build.
>>>>>
>>>>> ant clean install test
>>>> Thanks I reproduced.
>>> Why isn't it failing on Jenkins build ?
>>>
>>>
>>>
>>> With my followup commit, the errors are gone.
>>>> Sounds ok to me but we lose the DTD.
>> I wonder if we could use an XSD schema instead. But I haven't looked that
>> up yet. On the other hand, how many people actually use a DTD anyway?
>>
>>
>> Maybe we can customize the creation like this:
>>>      private XStream initXStream() {
>>>           XStream xstream = new XStream(new DomDriver(){
>>>               /**
>>>                * Create the DocumentBuilderFactory instance without setting
>>>                * http://apache.org/xml/features/disallow-doctype-decl to true
>>>                *
>>>                * @return the new instance
>>>                */
>>>               @Override
>>>               protected DocumentBuilderFactory createDocumentBuilderFactory() {
>>>                   final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>>>                   factory.setExpandEntityReferences(false);
>>>                   return factory;
>>>               }
>>>           });
>>>
>> Do we introduce the problem that 1.4.9 wants to protect us from with
>> this, or is it just telling the parser to ignore the DTD?
>>
> Possibly as per:
> https://blog.compass-security.com/2012/08/secure-xml-parser-configuration/
> Do you think the second solution exposed above works for a
> DocumentBuilderFactory ?
Seems to be valid then. I haven't tried it, though. If it works for you, 
I am OK with it.
>
> Anyway, what is the real risk for JMeter? Files are loaded locally based on
> what users configure; if a local file has been corrupted, doesn't it mean
> the computer has already been attacked successfully?
Probably, but you never know :)

Felix
>
>
>
>> Felix
>>
>>
>>
>>>
>>> Felix
>>>> Thanks
>>>>>
>>>>> On Tue, Sep 20, 2016 at 8:10 PM, Felix Schumacher <
>>>>> felix.schumacher@internetallee.de> wrote:
>>>>>
>>>>> On 18.09.2016 at 00:17, pmouawad@apache.org wrote:
>>>>>
>>>>>> Author: pmouawad
>>>>>>
>>>>>>> Date: Sat Sep 17 22:17:53 2016
>>>>>>> New Revision: 1761294
>>>>>>>
>>>>>>> URL: http://svn.apache.org/viewvc?rev=1761294&view=rev
>>>>>>> Log:
>>>>>>> Updated to xstream 1.4.9 (from 1.4.8)
>>>>>>>
>>>>>>> This change seems to break the tests with:
>>>>>>>
>>>>>> ...
>>>>>> [java] Last error=java.lang.NullPointerException
>>>>>>         [java] [Fatal Error] templates.xml:21:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
>>>>>> ...
>>>>>>      [java] There was 1 failure:
>>>>>>         [java] 1) initializationError(org.apache.jmeter.junit.JMeterTest)
>>>>>>         [java] java.lang.Exception: Error creating org.apache.jmeter.gui.action.SelectTemplatesDialog
>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:485)
>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.suiteSerializableElements(JMeterTest.java:388)
>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.suite(JMeterTest.java:133)
>>>>>>         [java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>> ...
>>>>>>         [java] Caused by: java.lang.NullPointerException
>>>>>>         [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.populateTemplatePage(SelectTemplatesDialog.java:227)
>>>>>>         [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.init(SelectTemplatesDialog.java:199)
>>>>>>         [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.<init>(SelectTemplatesDialog.java:90)
>>>>>>         [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>>         [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>>         [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>>         [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>>>         [java]     at java.lang.Class.newInstance(Class.java:442)
>>>>>>         [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:456)
>>>>>>         [java]     ... 20 more
>>>>>>         [java]
>>>>>>
>>>>>> Templates are read through xstream, that is probably why this error came up.
>>>>>>
>>>>>> The "offending" change is probably https://github.com/x-stream/xstream/issues/25
>>>>>>
>>>>>> Has anyone else noticed this, too? What shall we do?
>>>>>>
>>>>>> Regards,
>>>>>>     Felix
>>>>>>
>>>>>>
>>>>>> Added:
>>>>>>
>>>>>>>         jmeter/trunk/licenses/bin/xstream-1.4.9.txt
>>>>>>>           - copied unchanged from r1761222,
>>>>>>> jmeter/trunk/licenses/bin/xstr
>>>>>>> eam-1.4.8.txt
>>>>>>> Removed:
>>>>>>>         jmeter/trunk/licenses/bin/xstream-1.4.8.txt
>>>>>>> Modified:
>>>>>>>         jmeter/trunk/LICENSE
>>>>>>>         jmeter/trunk/build.properties
>>>>>>>         jmeter/trunk/eclipse.classpath
>>>>>>>         jmeter/trunk/lib/   (props changed)
>>>>>>>         jmeter/trunk/lib/aareadme.txt
>>>>>>>         jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>>>         jmeter/trunk/xdocs/changes.xml
>>>>>>>
>>>>>>> Modified: jmeter/trunk/LICENSE
>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/LICENSE?rev=176129
>>>>>>> 4&r1=1761293&r2=1761294&view=diff
>>>>>>> ============================================================
>>>>>>> ==================
>>>>>>> --- jmeter/trunk/LICENSE [utf-8] (original)
>>>>>>> +++ jmeter/trunk/LICENSE [utf-8] Sat Sep 17 22:17:53 2016
>>>>>>> @@ -271,4 +271,4 @@ For details, please see the files under:
>>>>>>>      * slf4j-api-1.7.21.jar (MIT)
>>>>>>>      * xmlpull-1.1.3.1.jar (Public Domain)
>>>>>>>      * xpp3-1.1.4c.jar (Indiana University Extreme! Lab Software
>>>>>>> License
>>>>>>> 1.1.1)
>>>>>>> -* xstream-1.4.8.jar (BSD)
>>>>>>> +* xstream-1.4.9.jar (BSD)
>>>>>>>
>>>>>>> Modified: jmeter/trunk/build.properties
>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/build.properties?r
>>>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>> ============================================================
>>>>>>> ==================
>>>>>>> --- jmeter/trunk/build.properties (original)
>>>>>>> +++ jmeter/trunk/build.properties Sat Sep 17 22:17:53 2016
>>>>>>> @@ -301,10 +301,10 @@ tika-parsers.loc            = ${maven2.r
>>>>>>>      tika-parsers.md5            = 6858c2989b5f19b4b4aed0b9ff83e548
>>>>>>>        # XStream can be found at: http://x-stream.github.io
>>>>>>> -xstream.version             = 1.4.8
>>>>>>> +xstream.version             = 1.4.9
>>>>>>>      xstream.jar                 = xstream-${xstream.version}.jar
>>>>>>>      xstream.loc                 = ${maven2.repo}/com/thoughtwork
>>>>>>> s/xstream/xstream/${xstream.version}
>>>>>>> -xstream.md5                 = 4551a29c38f22ed25eaf109eda50ff03
>>>>>>> +xstream.md5                 = 17f5ef61f6225a86ac39fc3dab45d755
>>>>>>>        # XMLPull is required by XStream 1.4.x
>>>>>>>      xmlpull.version             = 1.1.3.1
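Review bot: the new "xstream.md5 = 17f5ef61f6225a86ac39fc3dab45d755" line pins the downloaded jar with an MD5 digest only, and MD5 is not collision-resistant, so it is a weak integrity check for an artifact fetched from ${maven2.repo}. Consider recording a SHA-256 digest for xstream-1.4.9.jar next to it and having the download step verify that one as well.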
>>>>>>>
>>>>>>> Modified: jmeter/trunk/eclipse.classpath
>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/eclipse.classpath?
>>>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>> ============================================================
>>>>>>> ==================
>>>>>>> --- jmeter/trunk/eclipse.classpath (original)
>>>>>>> +++ jmeter/trunk/eclipse.classpath Sat Sep 17 22:17:53 2016
>>>>>>> @@ -99,7 +99,7 @@
>>>>>>>            <classpathentry kind="lib" path="lib/xmlgraphics-commons-
>>>>>>> 2.0.1.jar"/>
>>>>>>>            <classpathentry kind="lib" path="lib/xmlpull-1.1.3.1.jar"/>
>>>>>>>            <classpathentry kind="lib" path="lib/xpp3_min-1.1.4c.jar"/>
>>>>>>> -       <classpathentry kind="lib" path="lib/xstream-1.4.8.jar"/>
>>>>>>> +       <classpathentry kind="lib" path="lib/xstream-1.4.9.jar"/>
>>>>>>>            <!-- Needed for build and test -->
>>>>>>>            <classpathentry kind="lib" path="lib/api/bcmail-jdk15on-1
>>>>>>> .49.jar"/>
>>>>>>>            <classpathentry kind="lib" path="lib/api/bcprov-jdk15on-1
>>>>>>> .49.jar"/>
>>>>>>>
>>>>>>> Propchange: jmeter/trunk/lib/
>>>>>>> ------------------------------------------------------------
>>>>>>>
>>>>>>> ------------------
>>>>>>> --- svn:ignore (original)
>>>>>>> +++ svn:ignore Sat Sep 17 22:17:53 2016
>>>>>>> @@ -59,4 +59,4 @@ xml-apis-1.4.01.jar
>>>>>>>      xmlgraphics-commons-2.0.1.jar
>>>>>>>      xmlpull-1.1.3.1.jar
>>>>>>>      xpp3_min-1.1.4c.jar
>>>>>>> -xstream-1.4.8.jar
>>>>>>> +xstream-1.4.9.jar
>>>>>>>
>>>>>>> Modified: jmeter/trunk/lib/aareadme.txt
>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/lib/aareadme.txt?r
>>>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>> ============================================================
>>>>>>> ==================
>>>>>>> --- jmeter/trunk/lib/aareadme.txt (original)
>>>>>>> +++ jmeter/trunk/lib/aareadme.txt Sat Sep 17 22:17:53 2016
>>>>>>> @@ -279,7 +279,7 @@ or
>>>>>>>      http://www.extreme.indiana.edu/dist/java-repository/xpp3/di
>>>>>>> stributions/
>>>>>>>      - xstream
>>>>>>>      -xstream-1.4.8
>>>>>>> +xstream-1.4.9
>>>>>>>      -------------
>>>>>>>      http://x-stream.github.io/download.html
>>>>>>>      - SaveService
>>>>>>>
>>>>>>> Modified: jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/res/maven/ApacheJM
>>>>>>> eter_parent.pom?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>> ============================================================
>>>>>>> ==================
>>>>>>> --- jmeter/trunk/res/maven/ApacheJMeter_parent.pom (original)
>>>>>>> +++ jmeter/trunk/res/maven/ApacheJMeter_parent.pom Sat Sep 17
>>>>>>> 22:17:53
>>>>>>> 2016
>>>>>>> @@ -101,7 +101,7 @@ under the License.
>>>>>>>            <tika-core.version>1.13</tika-core.version>
>>>>>>>            <tika-parsers.version>1.13</tika-parsers.version>
>>>>>>>            <xmlpull.version>1.1.3.1</xmlpull.version>
>>>>>>> -      <xstream.version>1.4.8</xstream.version>
>>>>>>> +      <xstream.version>1.4.9</xstream.version>
>>>>>>>            <xpp3.version>1.1.4c</xpp3.version>
>>>>>>>            <xalan.version>2.7.2</xalan.version>
>>>>>>>            <serializer.version>2.7.2</serializer.version>
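Review bot: <xstream.version> in this POM repeats the value set in build.properties (xstream.version = 1.4.9), and the same version string is also hard-coded in LICENSE, eclipse.classpath, svn:ignore and lib/aareadme.txt in this commit. Nothing visible in the change ties these together, so a later bump can leave one of them stale; a build-time check that the POM property matches build.properties would catch that.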
>>>>>>>
>>>>>>> Modified: jmeter/trunk/xdocs/changes.xml
>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?
>>>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>> ============================================================
>>>>>>> ==================
>>>>>>> --- jmeter/trunk/xdocs/changes.xml [utf-8] (original)
>>>>>>> +++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Sep 17 22:17:53
2016
>>>>>>> @@ -170,6 +170,7 @@ Summary
>>>>>>>          <li>Updated to httpcore 4.4.5 (from 4.4.4)</li>
>>>>>>>          <li>Updated to slf4j-api 1.7.21 (from 1.7.13)</li>
>>>>>>>          <li>Updated to rsyntaxtextarea-2.6.0 (from 2.5.8)</li>
>>>>>>> +    <li>Updated to xstream 1.4.9 (from 1.4.8)</li>
>>>>>>>          <li><pr>215</pr>Reduce duplicated
code by using the newly
>>>>>>> added
>>>>>>> method <code>GuiUtils#cancelEditing</code>.
>>>>>>>          Contributed by Benoit Wiart (b.wiart at ubik-ingenierie.com
>>>>>>> )</li>
>>>>>>>          <li><pr>218</pr>Misc cleanup. Contributed
by Benoit Wiart
>>>>>>> (b.wiart
>>>>>>> at ubik-ingenierie.com)</li>
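Review bot: the added entry "Updated to xstream 1.4.9 (from 1.4.8)" does not mention that the upgrade changes XML parsing behaviour: per the test log in this thread, templates.xml is now rejected with "DOCTYPE is disallowed". If the upgrade stays, the entry (or a separate note in changes.xml) should say that files carrying a DOCTYPE are affected, and the bump should land together with the parser or templates.xml fix discussed in the thread.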
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>
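
The question raised in this thread (does allowing DOCTYPE again bring back the problem 1.4.9 protects against?) can be checked directly. The following is an added example, not code from JMeter or XStream: it compares a strict factory, the configuration from the quoted snippet, and a DOCTYPE-tolerant factory with external entities and external DTD loading disabled, using constructed documents and a temporary marker file. It assumes the JDK's built-in parser, which recognises these feature URIs; the class and method names are hypothetical.

```java
import java.io.StringReader;
import java.nio.file.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class DoctypeParserCheck {
    /** Strict: any DOCTYPE is a fatal error, as in the test log quoted in the thread. */
    static DocumentBuilderFactory strict() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    /** The configuration from the quoted snippet: only entity expansion is switched off. */
    static DocumentBuilderFactory quotedSnippet() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        return f;
    }
    /** DOCTYPE tolerated, but external entities and external DTDs are not loaded. */
    static DocumentBuilderFactory doctypeTolerant() throws Exception {
        DocumentBuilderFactory f = quotedSnippet();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    /** Returns the root element's text content, or "rejected: ..." if parsing fails. */
    static String parse(DocumentBuilderFactory f, String xml) {
        try {
            return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                    .getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Path marker = Files.createTempFile("xmlcheck", ".txt"); // constructed marker file
        Files.write(marker, "CONSTRUCTED-MARKER".getBytes());
        String inlineDtd = "<!DOCTYPE t [<!ELEMENT t (#PCDATA)>]><t>ok</t>"; // constructed documents
        String external = "<!DOCTYPE t [<!ENTITY e SYSTEM \"" + marker.toUri() + "\">]><t>&e;</t>";
        for (DocumentBuilderFactory f : new DocumentBuilderFactory[] { strict(), quotedSnippet(), doctypeTolerant() }) {
            System.out.println("inline DTD -> " + parse(f, inlineDtd));
            System.out.println("marker in DOM: " + parse(f, external).contains("CONSTRUCTED-MARKER"));
        }
        Files.delete(marker);
    }
}
```

Each factory prints two lines: whether a document with an inline DTD is accepted, and whether the marker file's content reached the parsed DOM. A configuration is acceptable for loading files with a DOCTYPE only if the second line is false.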

