Hi,
I'm a developer on the ROME RSS/Atom parser project
(http://rome.dev.java.net/). We were recently notified of a possible
security issue in our code
(http://www.somebits.com/weblog/tech/bad/xmlCode.html), which we've
fixed.
I'm aware that FeedParser is a dormant project, but the attached patch
will fix the same problem in the Apache-Commons project version.
I've also attached an updated FeedParserImpl.java suitable for use with
Kevin's TailRank version (http://tailrank.com/code.php) (Hi Kevin!)
SAXBuilder.java is needed for both versions.
There is also an example RSS file which triggers the bug. (You'll need
some kind of monitoring tool to check for connections to example.com
on port 80).
Hopefully someone will find these useful.
Regards
Nick Lothian
[EMAIL PROTECTED]
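The mail above says the attached RSS file triggers the bug and that you need a network monitor to see the connection to example.com. The following is an added example, not part of this patch or of the feedparser, ROME or TailRank code: it builds a constructed feed that declares an external entity, parses it once with a stock JDOM SAXBuilder and once with the same three SAX/Xerces features the patch disables, and installs a recording EntityResolver so the resolution attempt shows up in-process instead of on the wire. It assumes JDOM 1.x (package org.jdom) and a JAXP SAX parser that honours those features (the JDK's built-in Xerces does); the class name ExternalEntityProbe, the feed text and the URL are invented for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import org.jdom.Document;
import org.jdom.JDOMException;
import org.jdom.input.SAXBuilder;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;

/**
 * Added example (not from the patch or the projects it targets): shows whether
 * a JDOM SAXBuilder asks for an external entity declared in a feed, with and
 * without the SAX/Xerces features the patch turns off. Assumes JDOM 1.x and a
 * JAXP parser that recognises those features.
 */
public class ExternalEntityProbe {

    /** Constructed feed: the entity body points at a URL that must never be fetched. */
    static final String FEED =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE rss [\n"
      + "  <!ENTITY ext SYSTEM \"http://example.com/never-fetched.txt\">\n"
      + "]>\n"
      + "<rss version=\"2.0\"><channel>\n"
      + "  <title>probe</title>\n"
      + "  <description>&ext;</description>\n"
      + "</channel></rss>\n";

    /** Records every external identifier the parser asks for and hands back an empty body. */
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<String>();

        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader(""));
        }
    }

    /** Stock JDOM configuration (validation off, everything else default). */
    static SAXBuilder stockBuilder() {
        return new SAXBuilder(false);
    }

    /** The same features the patch disables, applied through SAXBuilder's feature map. */
    static SAXBuilder hardenedBuilder() {
        SAXBuilder b = new SAXBuilder(false);
        b.setFeature("http://xml.org/sax/features/external-general-entities", false);
        b.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        b.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        b.setExpandEntities(false);
        return b;
    }

    /**
     * Parses FEED with the given builder and returns the system IDs the parser
     * tried to resolve. The build succeeds either way; what differs is whether
     * the resolver was consulted at all.
     */
    static List<String> resolvedEntities(SAXBuilder builder) throws JDOMException, IOException {
        RecordingResolver resolver = new RecordingResolver();
        builder.setEntityResolver(resolver);
        Document doc = builder.build(new StringReader(FEED));
        if (doc.getRootElement() == null) {
            throw new JDOMException("no root element built");
        }
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("stock builder requested:    " + resolvedEntities(stockBuilder()));
        System.out.println("hardened builder requested: " + resolvedEntities(hardenedBuilder()));
    }
}
```

With jdom.jar on the classpath, the stock builder's list contains the example.com URL (the parser consulted the resolver for the entity, which is the connection the mail says you would otherwise have to watch for with a monitoring tool), while the hardened builder's list stays empty because the parser skips the external entity before any resolution happens. The resolver here only records; in production code it should also refuse anything it is not expecting rather than return an empty body, since setExpandEntities(false) on its own changes how JDOM represents the reference, not whether the underlying SAX parser goes and fetches it.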
Index: FeedParserImpl.java
===================================================================
--- FeedParserImpl.java (revision 462698)
+++ FeedParserImpl.java (working copy)
@@ -24,8 +24,13 @@
import org.apache.commons.feedparser.tools.XMLCleanser;
import org.apache.commons.feedparser.tools.XMLEncodingParser;
import org.apache.log4j.Logger;
-import org.jdom.input.SAXBuilder;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+import org.jdom.input.DOMBuilder;
+import org.jdom.JDOMException;
+import org.xml.sax.XMLReader;
+
/**
* This FeedParser implementation is based on JDOM and Jaxen and is based
around
* XPath and JDOM iteration. While the implementation is straight forward it
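Review bot: removing `import org.jdom.input.SAXBuilder;` while `SAXBuilder` is still referenced below (in `createSAXBuilder()` and the `build` call) only compiles if the attached SAXBuilder.java subclass lives in the same package as FeedParserImpl; add a one-line comment next to the import block saying where the type now comes from, because a reader of this file alone cannot tell. Also `import org.jdom.input.DOMBuilder;` is added but not used anywhere in the hunks shown; drop it unless another part of the file needs it.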
@@ -63,7 +68,7 @@
//OK. Now we have the right InputStream so we should build our DOM
//and exec.
- SAXBuilder builder = new SAXBuilder();
+ SAXBuilder builder = createSAXBuilder();
//NOTE: in b10 of JDOM this won't accept an InputStream and
requires
//a org.w3c.dom.Document so we'll have to build one here. Will
this
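Review bot: `createSAXBuilder()` is declared `throws FeedParserException`, so the method containing `SAXBuilder builder = createSAXBuilder();` must already declare or catch FeedParserException; the context lines do not show that method's signature, so please confirm, otherwise this hunk does not compile.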
@@ -87,6 +92,56 @@
}
+ protected SAXBuilder createSAXBuilder() throws FeedParserException {
+ SAXBuilder saxBuilder = new SAXBuilder(false);
+ //
+ // This code is needed to fix the security problem outlined in
http://www.securityfocus.com/archive/1/297714
+ //
+ // Unfortunately there isn't an easy way to check if an XML parser
supports a particular feature, so
+ // we need to set it and catch the exception if it fails. We also need
to subclass the JDom SAXBuilder
+ // class in order to get access to the underlying SAX parser -
otherwise the features don't get set until
+ // we are already building the document, by which time it's too late
to fix the problem.
+ //
+ // Crimson is one parser which is known not to support these features.
+ try {
+ XMLReader parser = saxBuilder.createParser();
+ try {
+
parser.setFeature("http://xml.org/sax/features/external-general-entities",
false);
+
saxBuilder.setFeature("http://xml.org/sax/features/external-general-entities",
false);
+ } catch (SAXNotRecognizedException e) {
+ // ignore
+ } catch (SAXNotSupportedException e) {
+ // ignore
+ }
+
+ try {
+
parser.setFeature("http://xml.org/sax/features/external-parameter-entities",
false);
+
saxBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities",
false);
+ } catch (SAXNotRecognizedException e) {
+ // ignore
+ } catch (SAXNotSupportedException e) {
+ // ignore
+ }
+
+ try {
+
parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
false);
+
saxBuilder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd",
false);
+ } catch (SAXNotRecognizedException e) {
+ // ignore
+ } catch (SAXNotSupportedException e) {
+ // ignore
+ }
+
+ } catch (JDOMException e) {
+ throw new FeedParserException("JDom could not create a
SAX parser", e);
+ }
+
+ saxBuilder.setExpandEntities(false);
+
+ return saxBuilder;
+ }
+
+
/**
* Perform the Xerces UTF8 correction and FeedFilter.
*/
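Review bot: the three `// ignore` catch blocks fail open: when a parser rejects the features (Crimson, as the comment itself says), the builder is returned with only `setExpandEntities(false)` in place, and the caller has no way to tell it is running on an unprotected parser. At minimum log it with the `Logger` this file already imports (for example `log.warn("Parser does not support " + feature + "; external entities will not be blocked")`), or throw `FeedParserException` so the failure is fail-closed, since `setExpandEntities(false)` changes how JDOM represents entity references rather than whether the SAX parser fetches them. Related: the `XMLReader` from `saxBuilder.createParser()` is only a probe; its `setFeature` calls are discarded and the real protection comes from the `saxBuilder.setFeature` map being applied at build time, which assumes the parser created later is the same class as the probe. Please say so in the comment, and note that `createParser()` is protected in JDOM's SAXBuilder, so the subclass that exposes it is a requirement of this code. Style: the three try/catch blocks are identical apart from the feature name; a helper such as `trySetFeature(parser, saxBuilder, name)` returning a boolean removes the duplication and gives you one place to put the warning.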