Author: bodewig
Date: Mon Jun 24 15:29:04 2013
New Revision: 1496096
URL: http://svn.apache.org/r1496096
Log:
better version of CVE-2013-1571 workaround description
Modified:
ant/site/ant/production/manual/Tasks/javadoc.html
Modified: ant/site/ant/production/manual/Tasks/javadoc.html
URL:
http://svn.apache.org/viewvc/ant/site/ant/production/manual/Tasks/javadoc.html?rev=1496096&r1=1496095&r2=1496096&view=diff
==============================================================================
--- ant/site/ant/production/manual/Tasks/javadoc.html (original)
+++ ant/site/ant/production/manual/Tasks/javadoc.html Mon Jun 24 15:29:04 2013
@@ -83,11 +83,14 @@ to <javadoc> using <tt>classpath</
<p><b>Note:</b> javadocs created by Oracle JDKs prior to Java 7 update
25 contain a frane injection security vulnerability - for more
information
- see <a
href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571">CVE-2013-1571</a>.
- Oracle provides a tool that can post-process javadocs, alternatively
- you can use the macrodef provided as part
- of <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132">Issue
- 55132</a> in order to fix the generated documents.</p>
+ see <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571"
+ target="_blank">CVE-2013-1571</a>. Oracle provides a tool that can
+ post-process javadocs, alternatively you can use the macrodef
+ provided as part
+ of <a href="https://issues.apache.org/bugzilla/show_bug.cgi?id=55132"
+ target="_blank">Issue 55132</a> in order to fix the generated
+ documents. The macrodef is reproduced at
+ the <a href="#CVE-2013-1571-macrodef">bottom</a>.</p>
<h3>Parameters</h3>
<table border="1" cellpadding="2" cellspacing="0">
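Review bot: The two rewritten links on the added lines now carry `target="_blank"` but no `rel` attribute, so in browsers that do not imply it the opened page gets a `window.opener` handle back to the manual page. Adding `rel="noopener noreferrer"` to both anchors closes that. The context line above still reads "frane injection", which this description rewrite leaves in place; it should read "frame injection" so that readers searching for the issue can find the note.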
@@ -897,6 +900,63 @@ arguments</a>. <em>Since Ant 1.6</em></p
</javadoc></pre>
+<a name="CVE-2013-1571-macrodef"><h3>workaround for CVE-2013-1571</h3></a>
+
+<p>The following macro can be used to post-process generated javadocs.</p>
+
+<pre>
+<macrodef name="patch-javadoc">
+ <attribute name="dir"/>
+ <attribute name="docencoding" default="${file.encoding}"/>
+ <sequential>
+ <replace encoding="@{docencoding}" summary="true"
taskname="patch-javadoc">
+ <restrict>
+ <fileset dir="@{dir}" casesensitive="false"
includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm"/>
+ <!-- TODO: add encoding="@{docencoding}" to contains check, when
we are on ANT 1.9.0: -->
+ <not><contains text="function validURL(url) {"
casesensitive="true" /></not>
+ </restrict>
+ <replacetoken><![CDATA[function loadFrames()
{]]></replacetoken>
+ <replacevalue expandProperties="false"><![CDATA[if (targetPage
!= "" && !validURL(targetPage))
+ targetPage = "undefined";
+ function validURL(url) {
+ var pos = url.indexOf(".html");
+ if (pos == -1 || pos != url.length - 5)
+ return false;
+ var allowNumber = false;
+ var allowSep = false;
+ var seenDot = false;
+ for (var i = 0; i < url.length - 5; i++) {
+ var ch = url.charAt(i);
+ if ('a' <= ch && ch <= 'z' ||
+ 'A' <= ch && ch <= 'Z' ||
+ ch == '$' ||
+ ch == '_') {
+ allowNumber = true;
+ allowSep = true;
+ } else if ('0' <= ch && ch <= '9'
+ || ch == '-') {
+ if (!allowNumber)
+ return false;
+ } else if (ch == '/' || ch == '.') {
+ if (!allowSep)
+ return false;
+ allowNumber = false;
+ allowSep = false;
+ if (ch == '.')
+ seenDot = true;
+ if (ch == '/' && seenDot)
+ return false;
+ } else {
+ return false;
+ }
+ }
+ return true;
+ }
+ function loadFrames() {]]></replacevalue>
+ </replace>
+ </sequential>
+ </macrodef>
+</pre>
</body>
</html>
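Review bot: The added section reproduces the macro but never shows how to call it or how to tell that it worked, and `<replace>` changes nothing when the `function loadFrames() {` token is not found exactly, so a run can leave vulnerable frame pages behind without failing. I would add a sentence after the opening paragraph such as `Call it after the javadoc task, e.g. <patch-javadoc dir="${docs.dir}"/> (placeholder property), passing the same docencoding that was given to javadoc, and check the replace summary to confirm that the index/toc pages were patched.` Per the TODO in the macro, the `<not><contains>` guard reads files without the `encoding` attribute, so with a non-default encoding it may not recognise an already patched file; that limitation is worth stating in the text as well. Separately, the anchor wraps a block-level `<h3>`; `<h3><a name="CVE-2013-1571-macrodef">workaround for CVE-2013-1571</a></h3>` is the valid nesting.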