This is an automated email from the git hooks/post-receive script. apo-guest pushed a commit to branch master in repository libspring-java.
commit d4ca951bb6aeee75602ea7542a1cd487380d91a0
Author: Markus Koschany <[email protected]>
Date: Thu Dec 5 13:43:14 2013 +0100

Fix CVE-2013-4152
---
 ...rocessExternalEntities-to-JAXB2Marshaller.patch | 116 +++++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 117 insertions(+)

diff --git a/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch b/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch
new file mode 100644
index 0000000..77afb93
--- /dev/null
+++ b/debian/patches/Add-processExternalEntities-to-JAXB2Marshaller.patch
@@ -0,0 +1,116 @@
+From: Markus Koschany <[email protected]>
+Date: Thu, 5 Dec 2013 10:59:47 +0100
+Subject: Add 'processExternalEntities to JAXB2Marshaller
+
+Added 'processExternalEntities' property to the JAXB2Marshaller, which
+indicates whether external XML entities are processed when
+unmarshalling.
+
+Default is false, meaning that external entities are not resolved.
+Processing of external entities will only be enabled/disabled when the
+Source} passed to #unmarshal(Source) is a SAXSource or StreamSource. It
+has no effect for DOMSource or StAXSource instances.
+
+Original patch by Arjen Poutsma.
+
+Bug: http://bugs.debian.org/720902
+---
+ .../springframework/oxm/jaxb/Jaxb2Marshaller.java | 56 ++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 890ce18..1b3412d 100644
+--- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
++++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -61,7 +61,9 @@ import javax.xml.stream.XMLStreamReader;
+ import javax.xml.stream.XMLStreamWriter;
+ import javax.xml.transform.Result;
+ import javax.xml.transform.Source;
++import javax.xml.transform.dom.DOMSource;
+ import javax.xml.transform.sax.SAXSource;
++import javax.xml.transform.stream.StreamSource;
+ import javax.xml.validation.Schema;
+ import javax.xml.validation.SchemaFactory;
+ 
+@@ -158,6 +160,8 @@ public class Jaxb2Marshaller
+ 
+ private boolean lazyInit = false;
+ 
++ private boolean processExternalEntities = false;
++
+ 
+ /**
+ * Set multiple JAXB context paths. The given array of context paths is converted to a
+@@ -301,6 +305,18 @@ public class Jaxb2Marshaller
+ this.lazyInit = lazyInit;
+ }
+ 
++ /**
++ * Indicates whether external XML entities are processed when unmarshalling.
++ * <p>Default is {@code false}, meaning that external entities are not resolved.
++ * Note that processing of external entities will only be enabled/disabled when the
++ * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or
++ * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource}
++ * instances.
++ */
++ public void setProcessExternalEntities(boolean processExternalEntities) {
++ this.processExternalEntities = processExternalEntities;
++ }
++
+ public void setBeanClassLoader(ClassLoader classLoader) {
+ this.beanClassLoader = classLoader;
+ }
+@@ -569,6 +585,8 @@ public class Jaxb2Marshaller
+ }
+ 
+ public Object unmarshal(Source source, MimeContainer mimeContainer) throws XmlMappingException {
++ source = processSource(source);
++
+ try {
+ Unmarshaller unmarshaller = createUnmarshaller();
+ if (this.mtomEnabled && mimeContainer != null) {
+@@ -616,6 +634,44 @@ public class Jaxb2Marshaller
+ }
+ }
+ 
++ private Source processSource(Source source) {
++ if (StaxUtils.isStaxSource(source) || source instanceof DOMSource) {
++ return source;
++ }
++
++ XMLReader xmlReader = null;
++ InputSource inputSource = null;
++
++ if (source instanceof SAXSource) {
++ SAXSource saxSource = (SAXSource) source;
++ xmlReader = saxSource.getXMLReader();
++ inputSource = saxSource.getInputSource();
++ }
++ else if (source instanceof StreamSource) {
++ StreamSource streamSource = (StreamSource) source;
++ if (streamSource.getInputStream() != null) {
++ inputSource = new InputSource(streamSource.getInputStream());
++ }
++ else if (streamSource.getReader() != null) {
++ inputSource = new InputSource(streamSource.getReader());
++ }
++ }
++
++ try {
++ if (xmlReader == null) {
++ xmlReader = XMLReaderFactory.createXMLReader();
++ }
++ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities",
++ this.processExternalEntities);
++
++ return new SAXSource(xmlReader, inputSource);
++ }
++ catch (SAXException ex) {
++ logger.warn("Processing of external entities could not be disabled", ex);
++ return source;
++ }
++ }
++
+ /**
+ * Template method that can be overridden by concrete JAXB marshallers for custom initialization behavior.
+ * Gets called after creation of JAXB <code>Marshaller</code>, and after the respective properties have been set.
diff --git a/debian/patches/series b/debian/patches/series
index 6365123..533ec80 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -9,3 +9,4 @@
 0009_hibernate_validator_41.diff
 0010_velocity_17.diff
 0011-java7-compat.patch
+Add-processExternalEntities-to-JAXB2Marshaller.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libspring-java.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
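Review bot: The `setFeature` call in `processSource` only toggles `external-general-entities`; parameter entities and external DTD loading are left at the parser's defaults, so with `processExternalEntities` false a DOCTYPE can still cause the reader to fetch an external DTD or parameter entity. Setting the companion feature in the same try block, `xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", this.processExternalEntities);`, closes that path, and installing an `EntityResolver` that returns an empty `InputSource` when the flag is false is the belt-and-braces option. The `catch (SAXException ex)` branch logs a warning and returns the original `source`, so a parser that rejects the feature is used unchanged with entity processing still enabled; for a security flag it is safer to fail closed and rethrow the `SAXException` wrapped in the marshaller's `XmlMappingException` hierarchy than to `return source`. When a `StreamSource` carries only a system id, neither branch assigns `inputSource` and the new `SAXSource` is built with a null `InputSource`, which presumably drops the reference to the document; a third branch, `else if (streamSource.getSystemId() != null) { inputSource = new InputSource(streamSource.getSystemId()); }`, would preserve it.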

