On Tue, Sep 20, 2016 at 9:16 PM, Felix Schumacher < felix.schumac...@internetallee.de> wrote:
> Am 20.09.2016 um 21:13 schrieb Philippe Mouawad: > >> On Tue, Sep 20, 2016 at 8:56 PM, Felix Schumacher <felix.schumacher@ >> internetallee.de> wrote: >> >> Am 20.09.2016 um 20:33 schrieb Philippe Mouawad: >>> >>> Hi Felix, >>>> Yes issue seems to come from this: >>>> https://github.com/x-stream/xstream/blob/f66bbea1b383e705988 >>>> abf8d06ea9782a73f24d4/xstream/src/java/com/thoughtworks/xstr >>>> eam/io/xml/DomDriver.java#L147 >>>> >>>> How do you reproduce it ? >>>> I don't see it fail on my laptop nor on jenkins build. >>>> >>>> ant clean install test >>> >>> Thanks I reproduced. >> Why isn't it failing on Jenkins build ? >> >> >> >> With my followup commit, the errors are gone. >>> >>> Sounds ok to me but we lose the DTD. >> > I wonder, if we could use a xsd schema instead. But I haven't looked that > up, yet. On the other hand, how many people actually use a DTD anyways? > > > Maybe we can customize the creation like this: >> >> private XStream initXStream() { >> XStream xstream = new XStream(new DomDriver(){ >> /** >> * Create the DocumentBuilderFactory instance without setting >> http://apache.org/xml/features/disallow-doctype-decl to true >> * >> * @return the new instance >> */ >> @Override >> protected DocumentBuilderFactory >> createDocumentBuilderFactory() >> { >> final DocumentBuilderFactory factory = >> DocumentBuilderFactory.newInstance(); >> factory.setExpandEntityReferences(false); >> return factory; >> } >> }); >> > Do we introduce the problem, that 1.4.9 wants to protect us from, with > this, or is just telling the parser to ignore the dtd? > Possibly as per: https://blog.compass-security.com/2012/08/secure-xml-parser-configuration/ Do you think the second solution exposed above works for a DocumentBuilderFactory ? Anyway what is the real risk for JMeter ? files are loaded locally based on what users configures, if a local file has been corrupt, doesn't it mean computer has already been attacked successfully ? > Felix > > > >> >> >> Felix >>> >>> Thanks >>>> >>>> >>>> On Tue, Sep 20, 2016 at 8:10 PM, Felix Schumacher < >>>> felix.schumac...@internetallee.de> wrote: >>>> >>>> Am 18.09.2016 um 00:17 schrieb pmoua...@apache.org: >>>> >>>>> Author: pmouawad >>>>> >>>>>> Date: Sat Sep 17 22:17:53 2016 >>>>>> New Revision: 1761294 >>>>>> >>>>>> URL: http://svn.apache.org/viewvc?rev=1761294&view=rev >>>>>> Log: >>>>>> Updated to xstream 1.4.9 (from 1.4.8) >>>>>> >>>>>> This change seems to break the tests with: >>>>>> >>>>> ... >>>>> [java] Last error=java.lang.NullPointerException >>>>> [java] [Fatal Error] templates.xml:21:10: DOCTYPE is disallowed >>>>> when >>>>> the feature "http://apache.org/xml/features/disallow-doctype-decl"; set >>>>> to >>>>> true. >>>>> ... >>>>> [java] There was 1 failure: >>>>> [java] 1) initializationError(org.apache >>>>> .jmeter.junit.JMeterTest) >>>>> [java] java.lang.Exception: Error creating >>>>> org.apache.jmeter.gui.action.SelectTemplatesDialog >>>>> [java] at org.apache.jmeter.junit.JMeter >>>>> Test.getObjects(JMeterTest.java:485) >>>>> [java] at org.apache.jmeter.junit.JMeter >>>>> Test.suiteSerializableElements(JMeterTest.java:388) >>>>> [java] at org.apache.jmeter.junit.JMeter >>>>> Test.suite(JMeterTest.java:133) >>>>> [java] at sun.reflect.NativeMethodAccess >>>>> orImpl.invoke0(Native >>>>> Method) >>>>> ... >>>>> [java] Caused by: java.lang.NullPointerException >>>>> [java] at org.apache.jmeter.gui.action.S >>>>> electTemplatesDialog.populateTemplatePage(SelectTemplatesDia >>>>> log.java:227) >>>>> [java] at org.apache.jmeter.gui.action.S >>>>> electTemplatesDialog.init(SelectTemplatesDialog.java:199) >>>>> [java] at org.apache.jmeter.gui.action.S >>>>> electTemplatesDialog.<init>(SelectTemplatesDialog.java:90) >>>>> [java] at sun.reflect.NativeConstructorA >>>>> ccessorImpl.newInstance0(Native >>>>> Method) >>>>> [java] at sun.reflect.NativeConstructorA >>>>> ccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) >>>>> [java] at sun.reflect.DelegatingConstruc >>>>> torAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) >>>>> [java] at java.lang.reflect.Constructor. >>>>> newInstance(Constructor.java:423) >>>>> [java] at java.lang.Class.newInstance(Class.java:442) >>>>> [java] at org.apache.jmeter.junit.JMeter >>>>> Test.getObjects(JMeterTest.java:456) >>>>> [java] ... 20 more >>>>> [java] >>>>> >>>>> Templates are read through xstream, that is probably why this error >>>>> came >>>>> up. >>>>> >>>>> The "offending" change is probably https://github.com/x-stream/xs >>>>> tream/issues/25 >>>>> >>>>> Has anyone else noticed this, too? What shall we do? >>>>> >>>>> Regards, >>>>> Felix >>>>> >>>>> >>>>> Added: >>>>> >>>>>> jmeter/trunk/licenses/bin/xstream-1.4.9.txt >>>>>> - copied unchanged from r1761222, >>>>>> jmeter/trunk/licenses/bin/xstr >>>>>> eam-1.4.8.txt >>>>>> Removed: >>>>>> jmeter/trunk/licenses/bin/xstream-1.4.8.txt >>>>>> Modified: >>>>>> jmeter/trunk/LICENSE >>>>>> jmeter/trunk/build.properties >>>>>> jmeter/trunk/eclipse.classpath >>>>>> jmeter/trunk/lib/ (props changed) >>>>>> jmeter/trunk/lib/aareadme.txt >>>>>> jmeter/trunk/res/maven/ApacheJMeter_parent.pom >>>>>> jmeter/trunk/xdocs/changes.xml >>>>>> >>>>>> Modified: jmeter/trunk/LICENSE >>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/LICENSE?rev=176129 >>>>>> 4&r1=1761293&r2=1761294&view=diff >>>>>> ============================================================ >>>>>> ================== >>>>>> --- jmeter/trunk/LICENSE [utf-8] (original) >>>>>> +++ jmeter/trunk/LICENSE [utf-8] Sat Sep 17 22:17:53 2016 >>>>>> @@ -271,4 +271,4 @@ For details, please see the files under: >>>>>> * slf4j-api-1.7.21.jar (MIT) >>>>>> * xmlpull-1.1.3.1.jar (Public Domain) >>>>>> * xpp3-1.1.4c.jar (Indiana University Extreme! Lab Software >>>>>> License >>>>>> 1.1.1) >>>>>> -* xstream-1.4.8.jar (BSD) >>>>>> +* xstream-1.4.9.jar (BSD) >>>>>> >>>>>> Modified: jmeter/trunk/build.properties >>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/build.properties?r >>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff >>>>>> ============================================================ >>>>>> ================== >>>>>> --- jmeter/trunk/build.properties (original) >>>>>> +++ jmeter/trunk/build.properties Sat Sep 17 22:17:53 2016 >>>>>> @@ -301,10 +301,10 @@ tika-parsers.loc = ${maven2.r >>>>>> tika-parsers.md5 = 6858c2989b5f19b4b4aed0b9ff83e548 >>>>>> # XStream can be found at: http://x-stream.github.io >>>>>> -xstream.version = 1.4.8 >>>>>> +xstream.version = 1.4.9 >>>>>> xstream.jar = xstream-${xstream.version}.jar >>>>>> xstream.loc = ${maven2.repo}/com/thoughtwork >>>>>> s/xstream/xstream/${xstream.version} >>>>>> -xstream.md5 = 4551a29c38f22ed25eaf109eda50ff03 >>>>>> +xstream.md5 = 17f5ef61f6225a86ac39fc3dab45d755 >>>>>> # XMLPull is required by XStream 1.4.x >>>>>> xmlpull.version = 1.1.3.1 >>>>>> >>>>>> Modified: jmeter/trunk/eclipse.classpath >>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/eclipse.classpath? >>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff >>>>>> ============================================================ >>>>>> ================== >>>>>> --- jmeter/trunk/eclipse.classpath (original) >>>>>> +++ jmeter/trunk/eclipse.classpath Sat Sep 17 22:17:53 2016 >>>>>> @@ -99,7 +99,7 @@ >>>>>> <classpathentry kind="lib" path="lib/xmlgraphics-commons- >>>>>> 2.0.1.jar"/> >>>>>> <classpathentry kind="lib" path="lib/xmlpull-1.1.3.1.jar"/> >>>>>> <classpathentry kind="lib" path="lib/xpp3_min-1.1.4c.jar"/> >>>>>> - <classpathentry kind="lib" path="lib/xstream-1.4.8.jar"/> >>>>>> + <classpathentry kind="lib" path="lib/xstream-1.4.9.jar"/> >>>>>> <!-- Needed for build and test --> >>>>>> <classpathentry kind="lib" path="lib/api/bcmail-jdk15on-1 >>>>>> .49.jar"/> >>>>>> <classpathentry kind="lib" path="lib/api/bcprov-jdk15on-1 >>>>>> .49.jar"/> >>>>>> >>>>>> Propchange: jmeter/trunk/lib/ >>>>>> ------------------------------------------------------------ >>>>>> >>>>>> ------------------ >>>>>> --- svn:ignore (original) >>>>>> +++ svn:ignore Sat Sep 17 22:17:53 2016 >>>>>> @@ -59,4 +59,4 @@ xml-apis-1.4.01.jar >>>>>> xmlgraphics-commons-2.0.1.jar >>>>>> xmlpull-1.1.3.1.jar >>>>>> xpp3_min-1.1.4c.jar >>>>>> -xstream-1.4.8.jar >>>>>> +xstream-1.4.9.jar >>>>>> >>>>>> Modified: jmeter/trunk/lib/aareadme.txt >>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/lib/aareadme.txt?r >>>>>> ev=1761294&r1=1761293&r2=1761294&view=diff >>>>>> ============================================================ >>>>>> ================== >>>>>> --- jmeter/trunk/lib/aareadme.txt (original) >>>>>> +++ jmeter/trunk/lib/aareadme.txt Sat Sep 17 22:17:53 2016 >>>>>> @@ -279,7 +279,7 @@ or >>>>>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/di >>>>>> stributions/ >>>>>> - xstream >>>>>> -xstream-1.4.8 >>>>>> +xstream-1.4.9 >>>>>> ------------- >>>>>> http://x-stream.github.io/download.html >>>>>> - SaveService >>>>>> >>>>>> Modified: jmeter/trunk/res/maven/ApacheJMeter_parent.pom >>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/res/maven/ApacheJM >>>>>> eter_parent.pom?rev=1761294&r1=1761293&r2=1761294&view=diff >>>>>> ============================================================ >>>>>> ================== >>>>>> --- jmeter/trunk/res/maven/ApacheJMeter_parent.pom (original) >>>>>> +++ jmeter/trunk/res/maven/ApacheJMeter_parent.pom Sat Sep 17 >>>>>> 22:17:53 >>>>>> 2016 >>>>>> @@ -101,7 +101,7 @@ under the License. >>>>>> <tika-core.version>1.13</tika-core.version> >>>>>> <tika-parsers.version>1.13</tika-parsers.version> >>>>>> <xmlpull.version>1.1.3.1</xmlpull.version> >>>>>> - <xstream.version>1.4.8</xstream.version> >>>>>> + <xstream.version>1.4.9</xstream.version> >>>>>> <xpp3.version>1.1.4c</xpp3.version> >>>>>> <xalan.version>2.7.2</xalan.version> >>>>>> <serializer.version>2.7.2</serializer.version> >>>>>> >>>>>> Modified: jmeter/trunk/xdocs/changes.xml >>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml? >>>>>> rev=1761294&r1=1761293&r2=1761294&view=diff >>>>>> ============================================================ >>>>>> ================== >>>>>> --- jmeter/trunk/xdocs/changes.xml [utf-8] (original) >>>>>> +++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Sep 17 22:17:53 2016 >>>>>> @@ -170,6 +170,7 @@ Summary >>>>>> <li>Updated to httpcore 4.4.5 (from 4.4.4)</li> >>>>>> <li>Updated to slf4j-api 1.7.21 (from 1.7.13)</li> >>>>>> <li>Updated to rsyntaxtextarea-2.6.0 (from 2.5.8)</li> >>>>>> + <li>Updated to xstream 1.4.9 (from 1.4.8)</li> >>>>>> <li><pr>215</pr>Reduce duplicated code by using the newly >>>>>> added >>>>>> method <code>GuiUtils#cancelEditing</code>. >>>>>> Contributed by Benoit Wiart (b.wiart at ubik-ingenierie.com >>>>>> )</li> >>>>>> <li><pr>218</pr>Misc cleanup. Contributed by Benoit Wiart >>>>>> (b.wiart >>>>>> at ubik-ingenierie.com)</li> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >> > -- Cordialement. Philippe Mouawad.
