Hello,
I applied the second option of the article and reverted the DTD. In the future XSD might be a better option.
Regards
On Sun, Oct 2, 2016 at 8:52 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
> On 20.09.2016 at 21:29, Philippe Mouawad wrote:
>
>> On Tue, Sep 20, 2016 at 9:16 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>>
>> On 20.09.2016 at 21:13, Philippe Mouawad wrote:
>>>
>>> On Tue, Sep 20, 2016 at 8:56 PM, Felix Schumacher <felix.schumacher@internetallee.de> wrote:
>>>>
>>>> On 20.09.2016 at 20:33, Philippe Mouawad wrote:
>>>>
>>>>> Hi Felix,
>>>>>
>>>>>> Yes issue seems to come from this:
>>>>>> https://github.com/x-stream/xstream/blob/f66bbea1b383e705988abf8d06ea9782a73f24d4/xstream/src/java/com/thoughtworks/xstream/io/xml/DomDriver.java#L147
>>>>>>
>>>>>> How do you reproduce it ?
>>>>>> I don't see it fail on my laptop nor on jenkins build.
>>>>>>
>>>>>> ant clean install test
>>>>>>
>>>>> Thanks I reproduced.
>>>>>
>>>> Why isn't it failing on Jenkins build ?
>>>>
>>>> With my followup commit, the errors are gone.
>>>>
>>>>> Sounds ok to me but we lose the DTD.
>>>>>
>>>> I wonder, if we could use a xsd schema instead. But I haven't looked
>>> that up, yet. On the other hand, how many people actually use a DTD anyways?
>>>
>>> Maybe we can customize the creation like this:
>>>
>>>> private XStream initXStream() {
>>>>     XStream xstream = new XStream(new DomDriver() {
>>>>         /**
>>>>          * Create the DocumentBuilderFactory instance without setting
>>>>          * http://apache.org/xml/features/disallow-doctype-decl to true
>>>>          *
>>>>          * @return the new instance
>>>>          */
>>>>         @Override
>>>>         protected DocumentBuilderFactory createDocumentBuilderFactory() {
>>>>             final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
>>>>             factory.setExpandEntityReferences(false);
>>>>             return factory;
>>>>         }
>>>>     });
>>>>     return xstream;
>>>> }
>>>>
>>>> Do we introduce the problem, that 1.4.9 wants to protect us from, with
>>> this, or is just telling the parser to ignore the dtd?
>>>
>>> Possibly as per:
>> https://blog.compass-security.com/2012/08/secure-xml-parser-configuration/
>> Do you think the second solution exposed above works for a
>> DocumentBuilderFactory ?
>>
> Seems to be valid then. I haven't tried it, though. If it works for you, I
> am OK with it.
>
>>
>> Anyway what is the real risk for JMeter ? files are loaded locally based on
>> what users configures, if a local file has been corrupt, doesn't it mean
>> computer has already been attacked successfully ?
>>
> Probably, but you never know :)
>
> Felix
>
>>
>> Felix
>>>
>>>> Felix
>>>>
>>>>> Thanks
>>>>>
>>>>>> On Tue, Sep 20, 2016 at 8:10 PM, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>>>>>>
>>>>>> On 18.09.2016 at 00:17, pmoua...@apache.org wrote:
>>>>>>
>>>>>> Author: pmouawad
>>>>>>>
>>>>>>> Date: Sat Sep 17 22:17:53 2016
>>>>>>>> New Revision: 1761294
>>>>>>>>
>>>>>>>> URL: http://svn.apache.org/viewvc?rev=1761294&view=rev
>>>>>>>> Log:
>>>>>>>> Updated to xstream 1.4.9 (from 1.4.8)
>>>>>>>>
>>>>>>>> This change seems to break the tests with:
>>>>>>>>
>>>>>>>> ...
>>>>>>> [java] Last error=java.lang.NullPointerException
>>>>>>> [java] [Fatal Error] templates.xml:21:10: DOCTYPE is disallowed when
>>>>>>> the feature "http://apache.org/xml/features/disallow-doctype-decl" set to
>>>>>>> true.
>>>>>>> ...
>>>>>>> [java] There was 1 failure:
>>>>>>> [java] 1) initializationError(org.apache.jmeter.junit.JMeterTest)
>>>>>>> [java] java.lang.Exception: Error creating org.apache.jmeter.gui.action.SelectTemplatesDialog
>>>>>>> [java] at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:485)
>>>>>>> [java] at org.apache.jmeter.junit.JMeterTest.suiteSerializableElements(JMeterTest.java:388)
>>>>>>> [java] at org.apache.jmeter.junit.JMeterTest.suite(JMeterTest.java:133)
>>>>>>> [java] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>> ...
>>>>>>> [java] Caused by: java.lang.NullPointerException
>>>>>>> [java] at org.apache.jmeter.gui.action.SelectTemplatesDialog.populateTemplatePage(SelectTemplatesDialog.java:227)
>>>>>>> [java] at org.apache.jmeter.gui.action.SelectTemplatesDialog.init(SelectTemplatesDialog.java:199)
>>>>>>> [java] at org.apache.jmeter.gui.action.SelectTemplatesDialog.<init>(SelectTemplatesDialog.java:90)
>>>>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>>> [java] at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>>>>>>> [java] at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>>>>>>> [java] at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>>>>>>> [java] at java.lang.Class.newInstance(Class.java:442)
>>>>>>> [java] at org.apache.jmeter.junit.JMeterTest.getObjects(JMeterTest.java:456)
>>>>>>> [java] ... 20 more
>>>>>>> [java]
>>>>>>>
>>>>>>> Templates are read through xstream, that is probably why this error
>>>>>>> came up.
>>>>>>>
>>>>>>> The "offending" change is probably https://github.com/x-stream/xstream/issues/25
>>>>>>>
>>>>>>> Has anyone else noticed this, too? What shall we do?
>>>>>>>
>>>>>>> Regards,
>>>>>>> Felix
>>>>>>>
>>>>>>> Added:
>>>>>>>
>>>>>>> jmeter/trunk/licenses/bin/xstream-1.4.9.txt
>>>>>>>> - copied unchanged from r1761222,
>>>>>>>> jmeter/trunk/licenses/bin/xstream-1.4.8.txt
>>>>>>>> Removed:
>>>>>>>> jmeter/trunk/licenses/bin/xstream-1.4.8.txt
>>>>>>>> Modified:
>>>>>>>> jmeter/trunk/LICENSE
>>>>>>>> jmeter/trunk/build.properties
>>>>>>>> jmeter/trunk/eclipse.classpath
>>>>>>>> jmeter/trunk/lib/ (props changed)
>>>>>>>> jmeter/trunk/lib/aareadme.txt
>>>>>>>> jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>>>> jmeter/trunk/xdocs/changes.xml
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/LICENSE
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/LICENSE?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ==============================================================================
>>>>>>>> --- jmeter/trunk/LICENSE [utf-8] (original)
>>>>>>>> +++ jmeter/trunk/LICENSE [utf-8] Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -271,4 +271,4 @@ For details, please see the files under:
>>>>>>>> * slf4j-api-1.7.21.jar (MIT)
>>>>>>>> * xmlpull-1.1.3.1.jar (Public Domain)
>>>>>>>> * xpp3-1.1.4c.jar (Indiana University Extreme! Lab Software
>>>>>>>> License
>>>>>>>> 1.1.1)
>>>>>>>> -* xstream-1.4.8.jar (BSD)
>>>>>>>> +* xstream-1.4.9.jar (BSD)
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/build.properties
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/build.properties?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ==============================================================================
>>>>>>>> --- jmeter/trunk/build.properties (original)
>>>>>>>> +++ jmeter/trunk/build.properties Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -301,10 +301,10 @@ tika-parsers.loc = ${maven2.r
>>>>>>>> tika-parsers.md5 = 6858c2989b5f19b4b4aed0b9ff83e548
>>>>>>>> # XStream can be found at: http://x-stream.github.io
>>>>>>>> -xstream.version = 1.4.8
>>>>>>>> +xstream.version = 1.4.9
>>>>>>>> xstream.jar = xstream-${xstream.version}.jar
>>>>>>>> xstream.loc = ${maven2.repo}/com/thoughtwork
>>>>>>>> s/xstream/xstream/${xstream.version}
>>>>>>>> -xstream.md5 = 4551a29c38f22ed25eaf109eda50ff03
>>>>>>>> +xstream.md5 = 17f5ef61f6225a86ac39fc3dab45d755
>>>>>>>> # XMLPull is required by XStream 1.4.x
>>>>>>>> xmlpull.version = 1.1.3.1
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/eclipse.classpath
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/eclipse.classpath?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ==============================================================================
>>>>>>>> --- jmeter/trunk/eclipse.classpath (original)
>>>>>>>> +++ jmeter/trunk/eclipse.classpath Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -99,7 +99,7 @@
>>>>>>>> <classpathentry kind="lib" path="lib/xmlgraphics-commons-
>>>>>>>> 2.0.1.jar"/>
>>>>>>>> <classpathentry kind="lib" path="lib/xmlpull-1.1.3.1.jar"
>>>>>>>> />
>>>>>>>> <classpathentry kind="lib" path="lib/xpp3_min-1.1.4c.jar"
>>>>>>>> />
>>>>>>>> - <classpathentry kind="lib" path="lib/xstream-1.4.8.jar"/>
>>>>>>>> + <classpathentry kind="lib" path="lib/xstream-1.4.9.jar"/>
>>>>>>>> <!-- Needed for build and test -->
>>>>>>>> <classpathentry kind="lib" path="lib/api/bcmail-jdk15on-1
>>>>>>>> .49.jar"/>
>>>>>>>> <classpathentry kind="lib" path="lib/api/bcprov-jdk15on-1
>>>>>>>> .49.jar"/>
>>>>>>>>
>>>>>>>> Propchange: jmeter/trunk/lib/
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> --- svn:ignore (original)
>>>>>>>> +++ svn:ignore Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -59,4 +59,4 @@ xml-apis-1.4.01.jar
>>>>>>>> xmlgraphics-commons-2.0.1.jar
>>>>>>>> xmlpull-1.1.3.1.jar
>>>>>>>> xpp3_min-1.1.4c.jar
>>>>>>>> -xstream-1.4.8.jar
>>>>>>>> +xstream-1.4.9.jar
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/lib/aareadme.txt
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/lib/aareadme.txt?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ==============================================================================
>>>>>>>> --- jmeter/trunk/lib/aareadme.txt (original)
>>>>>>>> +++ jmeter/trunk/lib/aareadme.txt Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -279,7 +279,7 @@ or
>>>>>>>> http://www.extreme.indiana.edu/dist/java-repository/xpp3/di
>>>>>>>> stributions/
>>>>>>>> - xstream
>>>>>>>> -xstream-1.4.8
>>>>>>>> +xstream-1.4.9
>>>>>>>> -------------
>>>>>>>> http://x-stream.github.io/download.html
>>>>>>>> - SaveService
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/res/maven/ApacheJMeter_parent.pom
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/res/maven/ApacheJMeter_parent.pom?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ==============================================================================
>>>>>>>> --- jmeter/trunk/res/maven/ApacheJMeter_parent.pom (original)
>>>>>>>> +++ jmeter/trunk/res/maven/ApacheJMeter_parent.pom Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -101,7 +101,7 @@ under the License.
>>>>>>>> <tika-core.version>1.13</tika-core.version>
>>>>>>>> <tika-parsers.version>1.13</tika-parsers.version>
>>>>>>>> <xmlpull.version>1.1.3.1</xmlpull.version>
>>>>>>>> - <xstream.version>1.4.8</xstream.version>
>>>>>>>> + <xstream.version>1.4.9</xstream.version>
>>>>>>>> <xpp3.version>1.1.4c</xpp3.version>
>>>>>>>> <xalan.version>2.7.2</xalan.version>
>>>>>>>> <serializer.version>2.7.2</serializer.version>
>>>>>>>>
>>>>>>>> Modified: jmeter/trunk/xdocs/changes.xml
>>>>>>>> URL: http://svn.apache.org/viewvc/jmeter/trunk/xdocs/changes.xml?rev=1761294&r1=1761293&r2=1761294&view=diff
>>>>>>>> ==============================================================================
>>>>>>>> --- jmeter/trunk/xdocs/changes.xml [utf-8] (original)
>>>>>>>> +++ jmeter/trunk/xdocs/changes.xml [utf-8] Sat Sep 17 22:17:53 2016
>>>>>>>> @@ -170,6 +170,7 @@ Summary
>>>>>>>> <li>Updated to httpcore 4.4.5 (from 4.4.4)</li>
>>>>>>>> <li>Updated to slf4j-api 1.7.21 (from 1.7.13)</li>
>>>>>>>> <li>Updated to rsyntaxtextarea-2.6.0 (from 2.5.8)</li>
>>>>>>>> + <li>Updated to xstream 1.4.9 (from 1.4.8)</li>
>>>>>>>> <li><pr>215</pr>Reduce duplicated code by using the newly
>>>>>>>> added
>>>>>>>> method <code>GuiUtils#cancelEditing</code>.
>>>>>>>> Contributed by Benoit Wiart (b.wiart at
>>>>>>>> ubik-ingenierie.com
>>>>>>>> )</li>
>>>>>>>> <li><pr>218</pr>Misc cleanup. Contributed by Benoit Wiart
>>>>>>>> (b.wiart
>>>>>>>> at ubik-ingenierie.com)</li>
>>>>>>>>
>>
>
--
Regards.
Philippe Mouawad.
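Review bot: In the build.properties hunk, the jar integrity check is still an MD5 (`+xstream.md5 = 17f5ef61f6225a86ac39fc3dab45d755`), which is collision-prone and gives little assurance for a downloaded dependency; consider recording a SHA-256 (or at least the SHA-1 published by the Maven repository) for xstream-1.4.9 alongside the version bump, so the download step verifies the artifact rather than just its name.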
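Review bot: In the changes.xml hunk, the added entry `+ <li>Updated to xstream 1.4.9 (from 1.4.8)</li>` does not mention that the new XStream DomDriver rejects DOCTYPE declarations, which is exactly what makes the templates.xml test above fail; the changelog should note that behavioural change and how files that carry a DTD are handled after the follow-up, since users with such files will otherwise only see the "DOCTYPE is disallowed" parse error.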
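The thread above turns on keeping a DOCTYPE-bearing templates.xml loadable while still closing the entity-expansion hole that XStream 1.4.9's disallow-doctype-decl setting is meant to close. The following is an added example, not JMeter's or XStream's own code: a JAXP DocumentBuilderFactory that accepts an internal DTD but never resolves external entities or external DTDs, exercised against two constructed documents; the class name is hypothetical, it assumes the JDK's built-in Xerces parser (the load-external-dtd feature is Xerces-specific), and the file path in the second document is a placeholder that is never read.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class DoctypeSafeParsing {
    // Constructed sample shaped like a JMeter templates.xml with an internal DOCTYPE
    static final String TEMPLATES_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE templates [\n"
        + "  <!ELEMENT templates (template*)>\n"
        + "  <!ELEMENT template (name)>\n"
        + "  <!ELEMENT name (#PCDATA)>\n"
        + "]>\n"
        + "<templates><template><name>Recording</name></template></templates>";
    // Constructed document declaring an external entity; the path is a placeholder and is never read
    static final String EXTERNAL_ENTITY_XML =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE t [ <!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\"> ]>\n"
        + "<t>&ext;</t>";

    /** Factory that still accepts a DOCTYPE but never resolves external entities or DTDs. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // disallow-doctype-decl is deliberately left at false so internal DTDs keep parsing
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); // Xerces-specific
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the document with the given factory and returns the root element's text. */
    static String rootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();
        System.out.println("template: " + rootText(f, TEMPLATES_XML)); // internal DTD accepted, prints the name
        System.out.println("entity: [" + rootText(f, EXTERNAL_ENTITY_XML) + "]"); // reference skipped, no file content
    }
}
```

A DomDriver subclass like the one quoted in the thread can return this factory from createDocumentBuilderFactory() to get the same behaviour inside XStream.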