On Tue, Sep 20, 2016 at 9:16 PM, Felix Schumacher <
felix.schumac...@internetallee.de> wrote:

> On 20.09.2016 at 21:13 Philippe Mouawad wrote:
>
>> On Tue, Sep 20, 2016 at 8:56 PM, Felix Schumacher <felix.schumacher@
>> internetallee.de> wrote:
>>
>>> On 20.09.2016 at 20:33 Philippe Mouawad wrote:
>>>
>>> Hi Felix,
>>>> Yes, the issue seems to come from this:
>>>> https://github.com/x-stream/xstream/blob/f66bbea1b383e705988abf8d06ea9782a73f24d4/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java#L147
>>>>
>>>> How do you reproduce it?
>>>> I don't see it fail on my laptop nor on jenkins build.
>>>>
>>>> ant clean install test
>>>
>>> Thanks, I reproduced it.
>> Why isn't it failing on the Jenkins build?
>>
>>
>>
>> With my followup commit, the errors are gone.
>>>
>>> Sounds ok to me but we lose the DTD.
>>
> I wonder if we could use an XSD schema instead. But I haven't looked that
> up yet. On the other hand, how many people actually use a DTD anyway?
>
>
> Maybe we can customize the creation like this:
>
>     import javax.xml.parsers.DocumentBuilderFactory;
>     import com.thoughtworks.xstream.XStream;
>     import com.thoughtworks.xstream.io.xml.DomDriver;
>
>     private XStream initXStream() {
>         XStream xstream = new XStream(new DomDriver() {
>             /**
>              * Create the DocumentBuilderFactory instance without setting
>              * http://apache.org/xml/features/disallow-doctype-decl to true,
>              * so that documents carrying a DOCTYPE are still accepted.
>              * Entity references are still left unexpanded.
>              *
>              * @return the new instance
>              */
>             @Override
>             protected DocumentBuilderFactory createDocumentBuilderFactory() {
>                 final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>                 factory.setExpandEntityReferences(false);
>                 return factory;
>             }
>         });
>         return xstream;
>     }
>
> Do we introduce the problem that 1.4.9 wants to protect us from with
> this, or is it just telling the parser to ignore the DTD?
>

Possibly as per:
https://blog.compass-security.com/2012/08/secure-xml-parser-configuration/
Do you think the second solution exposed above works for a
DocumentBuilderFactory?

Anyway, what is the real risk for JMeter? Files are loaded locally based on
what users configure; if a local file has been corrupted, doesn't it mean the
computer has already been attacked successfully?

> Felix
>
>
>
>>
>>
>> Felix
>>>
>>> Thanks
>>>>
>>>>
>>>> On Tue, Sep 20, 2016 at 8:10 PM, Felix Schumacher <
>>>> felix.schumac...@internetallee.de> wrote:
>>>>
>>>> On 18.09.2016 at 00:17 pmoua...@apache.org wrote:
>>>>
>>>>>> Author: pmouawad
>>>>>> Date: Sat Sep 17 22:17:53 2016
>>>>>> New Revision: 1761294
>>>>>>
>>>>>> URL: http://svn.apache.org/viewvc?rev=1761294&view=rev
>>>>>> Log:
>>>>>> Updated to xstream 1.4.9 (from 1.4.8)
>>>>>>
>>>>> This change seems to break the tests with:
>>>>>
>>>>> ...
>>>>> [java] Last error=java.lang.NullPointerException
>>>>>        [java] [Fatal Error] templates.xml:21:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
>>>>> ...
>>>>>     [java] There was 1 failure:
>>>>>        [java] 1) initializationError(org.apache.jmeter.junit.JMeterTest)
>>>>>        [java] java.lang.Exception: Error creating org.apache.jmeter.gui.action.SelectTemplatesDialog
>>>>>        [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:485)
>>>>>        [java]     at org.apache.jmeter.junit.JMeterTest.suiteSerializableElements(JMeterTest.java:388)
>>>>>        [java]     at org.apache.jmeter.junit.JMeterTest.suite(JMeterTest.java:133)
>>>>>        [java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>> ...
>>>>>        [java] Caused by: java.lang.NullPointerException
>>>>>        [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.populateTemplatePage(SelectTemplatesDialog.java:227)
>>>>>        [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.init(SelectTemplatesDialog.java:199)
>>>>>        [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.<init>(SelectTemplatesDialog.java:90)
>>>>>        [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>        [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>        [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>        [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>>        [java]     at java.lang.Class.newInstance(Class.java:442)
>>>>>        [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:456)
>>>>>        [java]     ... 20 more
>>>>>        [java]
>>>>>
>>>>> Templates are read through xstream; that is probably why this error came up.
>>>>>
>>>>> The "offending" change is probably https://github.com/x-stream/xstream/issues/25
>>>>>
>>>>> Has anyone else noticed this, too? What shall we do?
>>>>>
>>>>> Regards,
>>>>>    Felix
>>>>>
>>>>>
>>>>>> Added:
>>>>>>        jmeter/trunk/licenses/bin/xstream-1.4.9.txt
>>>>>>          - copied unchanged from r1761222,
>>>>>> jmeter/trunk/licenses/bin/xstr
>>>>>> eam-1.4.8.txt
>>>>>> Removed:
>>>>>>        jmeter/trunk/licenses/bin/xstream-1.4.8.txt
>>>>>> Modified:
>>>>>>        jmeter/trunk/LICENSE
>>>>>>        jmeter/trunk/build.properties
>>>>>>        jmeter/trunk/eclipse.classpath
>>>>>>        jmeter/trunk/lib/   (props changed)
>>>>>>        jmeter/trunk/lib/aareadme.txt
>>>>>>        jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>>        jmeter/trunk/xdocs/changes.xml
>>>>>>
>>>>>> Modified: jmeter/trunk/LICENSE
>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/LICENSE?rev=176129
>>>>>> 4&r1=1761293&r2=1761294&view=diff
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- jmeter/trunk/LICENSE [utf-8] (original)
>>>>>> +++ jmeter/trunk/LICENSE [utf-8] Sat Sep 17 22:17:53 2016
>>>>>> @@ -271,4 +271,4 @@ For details, please see the files under:
>>>>>>     * slf4j-api-1.7.21.jar (MIT)
>>>>>>     * xmlpull-1.1.3.1.jar (Public Domain)
>>>>>>     * xpp3-1.1.4c.jar (Indiana University Extreme! Lab Software
>>>>>> License
>>>>>> 1.1.1)
>>>>>> -* xstream-1.4.8.jar (BSD)
>>>>>> +* xstream-1.4.9.jar (BSD)
>>>>>>
>>>>>> Modified: jmeter/trunk/build.properties
>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/build.properties?r
>>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- jmeter/trunk/build.properties (original)
>>>>>> +++ jmeter/trunk/build.properties Sat Sep 17 22:17:53 2016
>>>>>> @@ -301,10 +301,10 @@ tika-parsers.loc            = ${maven2.r
>>>>>>     tika-parsers.md5            = 6858c2989b5f19b4b4aed0b9ff83e548
>>>>>>       # XStream can be found at: http://x-stream.github.io
>>>>>> -xstream.version             = 1.4.8
>>>>>> +xstream.version             = 1.4.9
>>>>>>     xstream.jar                 = xstream-${xstream.version}.jar
>>>>>>     xstream.loc                 = ${maven2.repo}/com/thoughtwork
>>>>>> s/xstream/xstream/${xstream.version}
>>>>>> -xstream.md5                 = 4551a29c38f22ed25eaf109eda50ff03
>>>>>> +xstream.md5                 = 17f5ef61f6225a86ac39fc3dab45d755
>>>>>>       # XMLPull is required by XStream 1.4.x
>>>>>>     xmlpull.version             = 1.1.3.1
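Review bot: the `xstream.version` and `xstream.md5` bump in this hunk changes parser behaviour, not just a jar name: as the `DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true` failure quoted earlier in this thread shows, 1.4.9's DomDriver rejects any document that carries a DTD, and JMeter's templates.xml has one. An upgrade with a hardening side effect like this should go in together with the driver customisation (or the DTD removal) that keeps existing files loading, and `ant clean install test` should pass before commit. On the checksum line itself, `xstream.md5` only catches a corrupted download; if the build is meant to defend against a substituted artifact, a SHA-256 digest or a signature check is the appropriate control.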
>>>>>>
>>>>>> Modified: jmeter/trunk/eclipse.classpath
>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/eclipse.classpath?
>>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- jmeter/trunk/eclipse.classpath (original)
>>>>>> +++ jmeter/trunk/eclipse.classpath Sat Sep 17 22:17:53 2016
>>>>>> @@ -99,7 +99,7 @@
>>>>>>           <classpathentry kind="lib" path="lib/xmlgraphics-commons-
>>>>>> 2.0.1.jar"/>
>>>>>>           <classpathentry kind="lib" path="lib/xmlpull-1.1.3.1.jar"/>
>>>>>>           <classpathentry kind="lib" path="lib/xpp3_min-1.1.4c.jar"/>
>>>>>> -       <classpathentry kind="lib" path="lib/xstream-1.4.8.jar"/>
>>>>>> +       <classpathentry kind="lib" path="lib/xstream-1.4.9.jar"/>
>>>>>>           <!-- Needed for build and test -->
>>>>>>           <classpathentry kind="lib" path="lib/api/bcmail-jdk15on-1
>>>>>> .49.jar"/>
>>>>>>           <classpathentry kind="lib" path="lib/api/bcprov-jdk15on-1
>>>>>> .49.jar"/>
>>>>>>
>>>>>> Propchange: jmeter/trunk/lib/
>>>>>> ------------------------------------------------------------
>>>>>>
>>>>>> ------------------
>>>>>> --- svn:ignore (original)
>>>>>> +++ svn:ignore Sat Sep 17 22:17:53 2016
>>>>>> @@ -59,4 +59,4 @@ xml-apis-1.4.01.jar
>>>>>>     xmlgraphics-commons-2.0.1.jar
>>>>>>     xmlpull-1.1.3.1.jar
>>>>>>     xpp3_min-1.1.4c.jar
>>>>>> -xstream-1.4.8.jar
>>>>>> +xstream-1.4.9.jar
>>>>>>
>>>>>> Modified: jmeter/trunk/lib/aareadme.txt
>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/lib/aareadme.txt?r
>>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- jmeter/trunk/lib/aareadme.txt (original)
>>>>>> +++ jmeter/trunk/lib/aareadme.txt Sat Sep 17 22:17:53 2016
>>>>>> @@ -279,7 +279,7 @@ or
>>>>>>     http://www.extreme.indiana.edu/dist/java-repository/xpp3/di
>>>>>> stributions/
>>>>>>     - xstream
>>>>>>     -xstream-1.4.8
>>>>>> +xstream-1.4.9
>>>>>>     -------------
>>>>>>     http://x-stream.github.io/download.html
>>>>>>     - SaveService
>>>>>>
>>>>>> Modified: jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/res/maven/ApacheJM
>>>>>> eter_parent.pom?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- jmeter/trunk/res/maven/ApacheJMeter_parent.pom (original)
>>>>>> +++ jmeter/trunk/res/maven/ApacheJMeter_parent.pom Sat Sep 17
>>>>>> 22:17:53
>>>>>> 2016
>>>>>> @@ -101,7 +101,7 @@ under the License.
>>>>>>           <tika-core.version>1.13</tika-core.version>
>>>>>>           <tika-parsers.version>1.13</tika-parsers.version>
>>>>>>           <xmlpull.version>1.1.3.1</xmlpull.version>
>>>>>> -      <xstream.version>1.4.8</xstream.version>
>>>>>> +      <xstream.version>1.4.9</xstream.version>
>>>>>>           <xpp3.version>1.1.4c</xpp3.version>
>>>>>>           <xalan.version>2.7.2</xalan.version>
>>>>>>           <serializer.version>2.7.2</serializer.version>
>>>>>>
>>>>>> Modified: jmeter/trunk/xdocs/changes.xml
>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?
>>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>> ============================================================
>>>>>> ==================
>>>>>> --- jmeter/trunk/xdocs/changes.xml [utf-8] (original)
>>>>>> +++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Sep 17 22:17:53 2016
>>>>>> @@ -170,6 +170,7 @@ Summary
>>>>>>         <li>Updated to httpcore 4.4.5 (from 4.4.4)</li>
>>>>>>         <li>Updated to slf4j-api 1.7.21 (from 1.7.13)</li>
>>>>>>         <li>Updated to rsyntaxtextarea-2.6.0 (from 2.5.8)</li>
>>>>>> +    <li>Updated to xstream 1.4.9 (from 1.4.8)</li>
>>>>>>         <li><pr>215</pr>Reduce duplicated code by using the newly
>>>>>> added
>>>>>> method <code>GuiUtils#cancelEditing</code>.
>>>>>>         Contributed by Benoit Wiart (b.wiart at ubik-ingenierie.com
>>>>>> )</li>
>>>>>>         <li><pr>218</pr>Misc cleanup. Contributed by Benoit Wiart
>>>>>> (b.wiart
>>>>>> at ubik-ingenierie.com)</li>
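Review bot: the new `<li>Updated to xstream 1.4.9 (from 1.4.8)</li>` entry records only the version bump. Since 1.4.9 makes DomDriver reject documents with a DOCTYPE declaration (the cause of the templates.xml failure discussed earlier in this thread), the entry should say so: users whose saved files carry a DTD need to know whether they still load, and a change in how JMeter configures its XML parser is a user-visible security change worth a sentence of its own.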
>>>>>>


-- 
Cordialement.
Philippe Mouawad.
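As an added illustration of the trade-off discussed in this thread (keep the DTD, drop the risk), here is example code that is not from the thread, from JMeter or from XStream. It builds a DocumentBuilderFactory that leaves `disallow-doctype-decl` unset, so a DOCTYPE such as the one in templates.xml is still accepted, but turns off external DTD loading, external entity resolution, XInclude and entity expansion, and then plugs that factory into XStream through the `DomDriver#createDocumentBuilderFactory()` hook Felix overrides above. The feature URIs are the standard SAX and Xerces ones; the templates-like XML is constructed for the example and is not JMeter's real file.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import com.thoughtworks.xstream.io.HierarchicalStreamReader;
import com.thoughtworks.xstream.io.StreamException;
import com.thoughtworks.xstream.io.xml.DomDriver;

public class DoctypeTolerantParsing {

    /**
     * A DocumentBuilderFactory that keeps accepting a DOCTYPE declaration (so a
     * file like templates.xml still loads) while refusing what a DTD can be abused
     * for: the external DTD subset is never fetched, external general and parameter
     * entities are not resolved, XInclude is off, entity references stay unexpanded,
     * and the JAXP secure-processing limits stay on. The feature URIs are the standard
     * SAX and Xerces ones; a parser that does not understand one of them throws
     * ParserConfigurationException, which is surfaced rather than silently running
     * with a weaker configuration.
     */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Deliberately not set here: http://apache.org/xml/features/disallow-doctype-decl.
        // That is the switch XStream 1.4.9 turns on and the one that rejects templates.xml.
        return f;
    }

    /**
     * The same factory plugged into XStream through the createDocumentBuilderFactory()
     * hook of DomDriver that the thread above overrides. The checked exception is
     * rethrown as XStream's own StreamException because the hook cannot declare it.
     */
    static DomDriver hardenedDomDriver() {
        return new DomDriver() {
            @Override
            protected DocumentBuilderFactory createDocumentBuilderFactory() {
                try {
                    return hardenedFactory();
                } catch (ParserConfigurationException e) {
                    throw new StreamException(e);
                }
            }
        };
    }

    /** Constructed sample (not JMeter's real templates.xml): a DOCTYPE with an external system id. */
    static final String SAMPLE =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE templates SYSTEM \"templates.dtd\">\n"
        + "<templates>\n"
        + "  <template isTestPlan=\"true\"><name>Recording</name></template>\n"
        + "</templates>\n";

    public static void main(String[] args) throws Exception {
        // 1. Plain JAXP: templates.dtd does not exist anywhere on this machine, but with
        //    load-external-dtd off the parser never tries to open it, so the parse succeeds
        //    and the DOCTYPE survives as a DocumentType node instead of being rejected.
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(SAMPLE)));
        System.out.println("root element : " + doc.getDocumentElement().getTagName());
        System.out.println("doctype kept : " + doc.getDoctype().getName()
                + " SYSTEM " + doc.getDoctype().getSystemId());

        // 2. Through XStream's driver: the same document is readable, which is what a
        //    template loader needs; new XStream(hardenedDomDriver()) wires it in.
        HierarchicalStreamReader reader = hardenedDomDriver().createReader(new StringReader(SAMPLE));
        System.out.println("xstream root : " + reader.getNodeName());
        reader.moveDown();
        System.out.println("first child  : " + reader.getNodeName()
                + " isTestPlan=" + reader.getAttribute("isTestPlan"));
        reader.close();
    }
}
```

Replacing `new XStream(new DomDriver())` with `new XStream(hardenedDomDriver())` is the whole integration; the document keeps its DOCTYPE node, so nothing that inspects the DTD declaration changes, while the parser is never asked to open a file or URL named by that DTD or by an entity inside the document.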
