On 20.09.2016 at 21:29 Philippe Mouawad wrote:
On Tue, Sep 20, 2016 at 9:16 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 20.09.2016 at 21:13 Philippe Mouawad wrote:

On Tue, Sep 20, 2016 at 8:56 PM, Felix Schumacher <felix.schumacher@internetallee.de> wrote:

On 20.09.2016 at 20:33 Philippe Mouawad wrote:
Hi Felix,
Yes, the issue seems to come from this:
https://github.com/x-stream/xstream/blob/f66bbea1b383e705988abf8d06ea9782a73f24d4/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java#L147

How do you reproduce it?
I don't see it fail on my laptop nor on the Jenkins build.

ant clean install test
Thanks, I reproduced it.
Why isn't it failing on the Jenkins build?



With my followup commit, the errors are gone.
Sounds ok to me but we lose the DTD.
I wonder if we could use an XSD schema instead. But I haven't looked that
up yet. On the other hand, how many people actually use a DTD anyway?


Maybe we can customize the creation like this:
     import javax.xml.parsers.DocumentBuilderFactory;
     import com.thoughtworks.xstream.XStream;
     import com.thoughtworks.xstream.io.xml.DomDriver;

     private XStream initXStream() {
         XStream xstream = new XStream(new DomDriver() {
             /**
              * Create the DocumentBuilderFactory instance without setting
              * http://apache.org/xml/features/disallow-doctype-decl to true,
              * so that a template file carrying a DOCTYPE still parses.
              *
              * @return the new instance
              */
             @Override
             protected DocumentBuilderFactory createDocumentBuilderFactory() {
                 final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
                 // Keep entity references unexpanded in the resulting DOM
                 factory.setExpandEntityReferences(false);
                 return factory;
             }
         });
         return xstream;
     }

Do we introduce the problem that 1.4.9 wants to protect us from with
this, or is it just telling the parser to ignore the DTD?

Possibly as per:
https://blog.compass-security.com/2012/08/secure-xml-parser-configuration/
Do you think the second solution exposed above works for a DocumentBuilderFactory?
Seems to be valid then. I haven't tried it, though. If it works for you, I am OK with it.

Anyway, what is the real risk for JMeter? Files are loaded locally based on
what users configure; if a local file has been corrupted, doesn't it mean the
computer has already been attacked successfully?
Probably, but you never know :)

Felix
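As an added illustration (not code from this thread, from JMeter or from XStream), the two DocumentBuilderFactory configurations being weighed above, side by side: one that rejects every DOCTYPE, approximating what the thread attributes to the 1.4.9 DomDriver, and one that still accepts the declaration but disables external DTD and external entity loading, which is the trade-off behind "we lose the DTD". It assumes the JDK's built-in Xerces-based parser (the feature URIs are Xerces ones); the sample document and its `templates.dtd` SYSTEM id are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class DoctypeFactoryDemo {
    /** Approximates the 1.4.9 DomDriver behaviour: any DOCTYPE is a fatal error. */
    static DocumentBuilderFactory strictFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Accepts the DOCTYPE declaration but never fetches the DTD or any external entity. */
    static DocumentBuilderFactory doctypeTolerantFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JDK entity-expansion limits
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns the root element name, or null when the factory refuses the document. */
    static String rootElementOrNull(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            Document doc = f.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            return null; // the strict factory ends up here with "DOCTYPE is disallowed ..."
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample document; "templates.dtd" is a placeholder and is never opened
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE templates SYSTEM \"templates.dtd\">\n"
                + "<templates><template><name>demo</name></template></templates>";
        System.out.println("strict   -> " + rootElementOrNull(strictFactory(), xml));
        System.out.println("tolerant -> " + rootElementOrNull(doctypeTolerantFactory(), xml));
    }
}
```

The strict factory also prints the same "[Fatal Error] ... DOCTYPE is disallowed" line to stderr that appears in the test output quoted below, because the default error handler reports fatal errors before the exception propagates.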



Thanks

On Tue, Sep 20, 2016 at 8:10 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:

On 18.09.2016 at 00:17 pmoua...@apache.org wrote:

Author: pmouawad

Date: Sat Sep 17 22:17:53 2016
New Revision: 1761294

URL: http://svn.apache.org/viewvc?rev=1761294&view=rev
Log:
Updated to xstream 1.4.9 (from 1.4.8)

This change seems to break the tests with:

...
     [java] Last error=java.lang.NullPointerException
     [java] [Fatal Error] templates.xml:21:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.
...
     [java] There was 1 failure:
     [java] 1) initializationError(org.apache.jmeter.junit.JMeterTest)
     [java] java.lang.Exception: Error creating org.apache.jmeter.gui.action.SelectTemplatesDialog
     [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:485)
     [java]     at org.apache.jmeter.junit.JMeterTest.suiteSerializableElements(JMeterTest.java:388)
     [java]     at org.apache.jmeter.junit.JMeterTest.suite(JMeterTest.java:133)
     [java]     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
...
     [java] Caused by: java.lang.NullPointerException
     [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.populateTemplatePage(SelectTemplatesDialog.java:227)
     [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.init(SelectTemplatesDialog.java:199)
     [java]     at org.apache.jmeter.gui.action.SelectTemplatesDialog.<init>(SelectTemplatesDialog.java:90)
     [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     [java]     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
     [java]     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
     [java]     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
     [java]     at java.lang.Class.newInstance(Class.java:442)
     [java]     at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:456)
     [java]     ... 20 more
     [java]

Templates are read through xstream, which is probably why this error came up.

The "offending" change is probably https://github.com/x-stream/xstream/issues/25

Has anyone else noticed this, too? What shall we do?

Regards,
    Felix


Added:

        jmeter/trunk/licenses/bin/xstream-1.4.9.txt
          - copied unchanged from r1761222, jmeter/trunk/licenses/bin/xstream-1.4.8.txt
Removed:
        jmeter/trunk/licenses/bin/xstream-1.4.8.txt
Modified:
        jmeter/trunk/LICENSE
        jmeter/trunk/build.properties
        jmeter/trunk/eclipse.classpath
        jmeter/trunk/lib/   (props changed)
        jmeter/trunk/lib/aareadme.txt
        jmeter/trunk/res/maven/ApacheJMeter_parent.pom
        jmeter/trunk/xdocs/changes.xml

Modified: jmeter/trunk/LICENSE
URL: http://svn.apache.org/viewvc/jmeter/trunk/LICENSE?rev=1761294&r1=1761293&r2=1761294&view=diff
==============================================================================
--- jmeter/trunk/LICENSE [utf-8] (original)
+++ jmeter/trunk/LICENSE [utf-8] Sat Sep 17 22:17:53 2016
@@ -271,4 +271,4 @@ For details, please see the files under:
     * slf4j-api-1.7.21.jar (MIT)
     * xmlpull-1.1.3.1.jar (Public Domain)
     * xpp3-1.1.4c.jar (Indiana University Extreme! Lab Software
License
1.1.1)
-* xstream-1.4.8.jar (BSD)
+* xstream-1.4.9.jar (BSD)

Modified: jmeter/trunk/build.properties
URL: http://svn.apache.org/viewvc/jmeter/trunk/build.properties?rev=1761294&r1=1761293&r2=1761294&view=diff
==============================================================================
--- jmeter/trunk/build.properties (original)
+++ jmeter/trunk/build.properties Sat Sep 17 22:17:53 2016
@@ -301,10 +301,10 @@ tika-parsers.loc            = ${maven2.r
     tika-parsers.md5            = 6858c2989b5f19b4b4aed0b9ff83e548
       # XStream can be found at: http://x-stream.github.io
-xstream.version             = 1.4.8
+xstream.version             = 1.4.9
     xstream.jar                 = xstream-${xstream.version}.jar
     xstream.loc                 = ${maven2.repo}/com/thoughtwork
s/xstream/xstream/${xstream.version}
-xstream.md5                 = 4551a29c38f22ed25eaf109eda50ff03
+xstream.md5                 = 17f5ef61f6225a86ac39fc3dab45d755
       # XMLPull is required by XStream 1.4.x
     xmlpull.version             = 1.1.3.1
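Review bot: the only integrity check on the downloaded jar in this hunk is the MD5 line `+xstream.md5                 = 17f5ef61f6225a86ac39fc3dab45d755`; MD5 is collision-prone, so consider recording a SHA-256 (or at least the SHA-1 that Maven Central publishes next to the artifact) alongside it, and state in the log where the value was taken from so a reviewer can re-derive it rather than trust the commit.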

Modified: jmeter/trunk/eclipse.classpath
URL: http://svn.apache.org/viewvc/jmeter/trunk/eclipse.classpath?rev=1761294&r1=1761293&r2=1761294&view=diff
==============================================================================
--- jmeter/trunk/eclipse.classpath (original)
+++ jmeter/trunk/eclipse.classpath Sat Sep 17 22:17:53 2016
@@ -99,7 +99,7 @@
           <classpathentry kind="lib" path="lib/xmlgraphics-commons-
2.0.1.jar"/>
           <classpathentry kind="lib" path="lib/xmlpull-1.1.3.1.jar"/>
           <classpathentry kind="lib" path="lib/xpp3_min-1.1.4c.jar"/>
-       <classpathentry kind="lib" path="lib/xstream-1.4.8.jar"/>
+       <classpathentry kind="lib" path="lib/xstream-1.4.9.jar"/>
           <!-- Needed for build and test -->
           <classpathentry kind="lib" path="lib/api/bcmail-jdk15on-1
.49.jar"/>
           <classpathentry kind="lib" path="lib/api/bcprov-jdk15on-1
.49.jar"/>

Propchange: jmeter/trunk/lib/
------------------------------------------------------------------------------
--- svn:ignore (original)
+++ svn:ignore Sat Sep 17 22:17:53 2016
@@ -59,4 +59,4 @@ xml-apis-1.4.01.jar
     xmlgraphics-commons-2.0.1.jar
     xmlpull-1.1.3.1.jar
     xpp3_min-1.1.4c.jar
-xstream-1.4.8.jar
+xstream-1.4.9.jar

Modified: jmeter/trunk/lib/aareadme.txt
URL: http://svn.apache.org/viewvc/jmeter/trunk/lib/aareadme.txt?rev=1761294&r1=1761293&r2=1761294&view=diff
==============================================================================
--- jmeter/trunk/lib/aareadme.txt (original)
+++ jmeter/trunk/lib/aareadme.txt Sat Sep 17 22:17:53 2016
@@ -279,7 +279,7 @@ or
     http://www.extreme.indiana.edu/dist/java-repository/xpp3/di
stributions/
     - xstream
     -xstream-1.4.8
+xstream-1.4.9
     -------------
     http://x-stream.github.io/download.html
     - SaveService

Modified: jmeter/trunk/res/maven/ApacheJMeter_parent.pom
URL: http://svn.apache.org/viewvc/jmeter/trunk/res/maven/ApacheJMeter_parent.pom?rev=1761294&r1=1761293&r2=1761294&view=diff
==============================================================================
--- jmeter/trunk/res/maven/ApacheJMeter_parent.pom (original)
+++ jmeter/trunk/res/maven/ApacheJMeter_parent.pom Sat Sep 17 22:17:53 2016
@@ -101,7 +101,7 @@ under the License.
           <tika-core.version>1.13</tika-core.version>
           <tika-parsers.version>1.13</tika-parsers.version>
           <xmlpull.version>1.1.3.1</xmlpull.version>
-      <xstream.version>1.4.8</xstream.version>
+      <xstream.version>1.4.9</xstream.version>
           <xpp3.version>1.1.4c</xpp3.version>
           <xalan.version>2.7.2</xalan.version>
           <serializer.version>2.7.2</serializer.version>

Modified: jmeter/trunk/xdocs/changes.xml
URL: http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?rev=1761294&r1=1761293&r2=1761294&view=diff
==============================================================================
--- jmeter/trunk/xdocs/changes.xml [utf-8] (original)
+++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Sep 17 22:17:53 2016
@@ -170,6 +170,7 @@ Summary
         <li>Updated to httpcore 4.4.5 (from 4.4.4)</li>
         <li>Updated to slf4j-api 1.7.21 (from 1.7.13)</li>
         <li>Updated to rsyntaxtextarea-2.6.0 (from 2.5.8)</li>
+    <li>Updated to xstream 1.4.9 (from 1.4.8)</li>
         <li><pr>215</pr>Reduce duplicated code by using the newly
added
method <code>GuiUtils#cancelEditing</code>.
         Contributed by Benoit Wiart (b.wiart at ubik-ingenierie.com
)</li>
         <li><pr>218</pr>Misc cleanup. Contributed by Benoit Wiart
(b.wiart
at ubik-ingenierie.com)</li>
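Review bot: the new entry `+    <li>Updated to xstream 1.4.9 (from 1.4.8)</li>` records only the version bump, but 1.4.9 makes DomDriver set disallow-doctype-decl, which is exactly what makes templates.xml fail in the test output quoted above; the changelog should tell users that XML carrying a DOCTYPE is now rejected by the default driver (or how JMeter handles it after the follow-up commit), since their own template files can contain one.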