
nomadium pushed a commit to branch master
in repository libspring-java.

commit b427b789df529f4766a7cfc4a78a9f3a9f6c168b
Author: Miguel Landaeta <[email protected]>
Date:   Mon Mar 24 17:01:01 2014 -0300

    Fix CVE-2014-0054 and CVE-2014-1904
---
 debian/changelog                   |   8 +-
 debian/patches/CVE-2014-0054.patch | 553 +++++--------------------------------
 debian/patches/CVE-2014-1904.patch |  62 +----
 debian/patches/series              |   2 +-
 4 files changed, 83 insertions(+), 542 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 40ad7e8..5c5d2f9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,8 @@
-libspring-java (3.0.6.RELEASE-13) UNRELEASED; urgency=high
+libspring-java (3.0.6.RELEASE-13) unstable; urgency=high
 
-  TO-DO: the patches doesn't apply cleanly.
+  * Fix CVE-2014-0054 and CVE-2014-1904. (Closes: #741604).
 
-  * Fix CVE-2014-0054 and CVE-2014-1904. (Closes: #735420).
-
- -- Miguel Landaeta <[email protected]>  Mon, 24 Mar 2014 14:10:52 -0300
+ -- Miguel Landaeta <[email protected]>  Mon, 24 Mar 2014 17:10:32 -0300
 
 libspring-java (3.0.6.RELEASE-12) unstable; urgency=low
 
diff --git a/debian/patches/CVE-2014-0054.patch 
b/debian/patches/CVE-2014-0054.patch
index 4ee51a7..dcb9faa 100644
--- a/debian/patches/CVE-2014-0054.patch
+++ b/debian/patches/CVE-2014-0054.patch
@@ -1,15 +1,14 @@
 From: Miguel Landaeta <[email protected]>
-Date: Mon, 24 Mar 2014 14:10:00 -0300
-Subject: CVE-2013-6429
+Date: Mon, 24 Mar 2014 16:57:19 -0300
+Subject: CVE-2014-0054
 
 Bug: http://bugs.debian.org/741604
 
-diff --git 
a/spring-oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java 
b/spring-oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-index adc403c..4189c0e 100644
-./projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+diff --git 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
+index 871075f..fea0519 100644
 --- 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
 +++ 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java
-@@ -162,6 +162,11 @@ public class CastorMarshaller extends AbstractMarshaller 
implements Initializing
+@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller 
implements Initializing
                this.encoding = encoding;
        }
  
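Review bot: The patch header corrected in this hunk (`Subject: CVE-2014-0054`, `Bug: http://bugs.debian.org/741604`) still names no upstream origin, so the backport cannot be checked against the upstream fix it was derived from. The rebased patch also drops whole file sections that the previous version carried: the test classes and the `Jaxb2RootElementHttpMessageConverter` section are removed in the last hunk of this file. Nothing in the header says whether that is intentional or covered by another patch in the series. I would add DEP-3 fields such as `Origin: backport, <UPSTREAM_COMMIT_URL>` and a short `Description:` stating which parts of the upstream change were left out and why.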
@@ -19,13 +18,13 @@ index adc403c..4189c0e 100644
 +      }
 +
        /**
-        * Set the locations of the Castor XML mapping files.
+        * Set the locations of the Castor XML Mapping files.
         */
-diff --git 
a/spring-oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java 
b/spring-oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-index 0837695..93fa1a4 100644
+diff --git 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+index 1b3412d..37d7937 100644
 --- 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-+++ 
b/projects/org.springframework.oxmsrc/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
-@@ -400,6 +400,13 @@ public class Jaxb2Marshaller implements MimeMarshaller, 
MimeUnmarshaller, Generi
++++ 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java
+@@ -317,6 +317,13 @@ public class Jaxb2Marshaller
                this.processExternalEntities = processExternalEntities;
        }
  
@@ -36,16 +35,16 @@ index 0837695..93fa1a4 100644
 +              return this.processExternalEntities;
 +      }
 +
-       @Override
        public void setBeanClassLoader(ClassLoader classLoader) {
                this.beanClassLoader = classLoader;
-diff --git 
a/spring-oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java 
b/spring-oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
-index b184560..715ef4e 100644
+       }
+diff --git 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
+index 5d6a053..0de00b2 100644
 --- 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
 +++ 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
@@ -58,7 +57,7 @@ index b184560..715ef4e 100644
  import javax.xml.transform.Result;
  import javax.xml.transform.Source;
  import javax.xml.transform.Transformer;
-@@ -149,6 +150,11 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
+@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
                this.encoding = encoding;
        }
  
@@ -70,7 +69,7 @@ index b184560..715ef4e 100644
        /**
         * Set the document standalone flag for marshalling. By default, this 
flag is not present.
         */
-@@ -338,7 +344,7 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
+@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
                }
                catch (TransformerException ex) {
                        throw new MarshallingFailureException(
@@ -79,7 +78,7 @@ index b184560..715ef4e 100644
                }
  
        }
-@@ -398,7 +404,7 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
+@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
        @Override
        protected Object unmarshalDomNode(Node node) throws XmlMappingException 
{
                try {
@@ -88,10 +87,10 @@ index b184560..715ef4e 100644
                }
                catch (IOException ex) {
                        throw new UnmarshallingFailureException("JiBX 
unmarshalling exception", ex);
-@@ -409,12 +415,15 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
+@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
+       @Override
        protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource 
inputSource)
                        throws XmlMappingException, IOException {
- 
 -              return transformAndUnmarshal(new SAXSource(xmlReader, 
inputSource));
 +              return transformAndUnmarshal(new SAXSource(xmlReader, 
inputSource), inputSource.getEncoding());
        }
@@ -99,14 +98,14 @@ index b184560..715ef4e 100644
 -      private Object transformAndUnmarshal(Source source) throws IOException {
 +      private Object transformAndUnmarshal(Source source, String encoding) 
throws IOException {
                try {
-                       Transformer transformer = 
this.transformerFactory.newTransformer();
+                       Transformer transformer = 
transformerFactory.newTransformer();
 +                      if (encoding != null) {
 +                              
transformer.setOutputProperty(OutputKeys.ENCODING, encoding);
 +                      }
                        ByteArrayOutputStream os = new ByteArrayOutputStream();
                        transformer.transform(source, new StreamResult(os));
                        ByteArrayInputStream is = new 
ByteArrayInputStream(os.toByteArray());
-@@ -422,7 +431,7 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
+@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller 
implements InitializingBe
                }
                catch (TransformerException ex) {
                        throw new MarshallingFailureException(
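Review bot: `transformAndUnmarshal(Source source, String encoding)` re-serialises whatever `Source` it is given through a plain `transformerFactory.newTransformer()`, so it adds no entity hardening of its own. The external-entity protection therefore holds only while callers pass a `Source` whose parser is already configured, as `unmarshalSaxReader` does in the preceding hunk by wrapping the supplied `XMLReader` in a `SAXSource`. Whether that reader has external entities disabled, and how `transformerFactory` is created, are both outside the visible lines. I would state the invariant above the method, for example `// Callers must pass a Source whose parser already honours processExternalEntities; the identity transform below does not restrict entity resolution.` The method body continues past the end of this hunk.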
@@ -115,13 +114,13 @@ index b184560..715ef4e 100644
                }
        }
  
-diff --git 
a/spring-oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
 
b/spring-oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
-index a118775..2df808e 100644
+diff --git 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
+index cee37bb..09bc006 100644
 --- 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
 +++ 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
@@ -160,8 +159,8 @@ index a118775..2df808e 100644
 +
  
        /**
-        * Marshals the object graph with the given root into the provided 
{@code javax.xml.transform.Result}.
-@@ -133,7 +161,7 @@ public abstract class AbstractMarshaller implements 
Marshaller, Unmarshaller {
+        * Marshals the object graph with the given root into the provided 
<code>javax.xml.transform.Result</code>.
+@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements 
Marshaller, Unmarshaller {
                        return unmarshalSaxSource((SAXSource) source);
                }
                else if (source instanceof StreamSource) {
@@ -170,7 +169,7 @@ index a118775..2df808e 100644
                }
                else {
                        throw new IllegalArgumentException("Unknown Source 
type: " + source.getClass());
-@@ -175,7 +203,9 @@ public abstract class AbstractMarshaller implements 
Marshaller, Unmarshaller {
+@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements 
Marshaller, Unmarshaller {
         * @throws SAXException if thrown by JAXP methods
         */
        protected XMLReader createXmlReader() throws SAXException {
@@ -181,7 +180,7 @@ index a118775..2df808e 100644
        }
  
  
-@@ -358,8 +388,42 @@ public abstract class AbstractMarshaller implements 
Marshaller, Unmarshaller {
+@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements 
Marshaller, Unmarshaller {
        }
  
        /**
@@ -215,27 +214,27 @@ index a118775..2df808e 100644
 +      }
 +
 +      /**
-        * Template method for handling {@code StreamSource}s.
-        * <p>This implementation defers to {@code unmarshalInputStream} or 
{@code unmarshalReader}.
+        * Template method for handling <code>StreamSource</code>s.
+        * <p>This implementation defers to <code>unmarshalInputStream</code> 
or <code>unmarshalReader</code>.
 +       * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from
 +       * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked 
instead is
 +       * {@link 
#unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}.
 +       *
-        * @param streamSource the {@code StreamSource}
+        * @param streamSource the <code>StreamSource</code>
         * @return the object graph
         * @throws IOException if an I/O exception occurs
-diff --git 
a/spring-oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
 
b/spring-oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
-index 1fd4940..b3bb5cf 100644
+diff --git 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
+index eb5a6e6..9f06b35 100644
 --- 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
 +++ 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2012 the original author or authors.
+- * Copyright 2002-2009 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
   * you may not use this file except in compliance with the License.
-@@ -113,6 +113,10 @@ public class XmlBeansMarshaller extends 
AbstractMarshaller {
+@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends 
AbstractMarshaller {
                return this.validating;
        }
  
@@ -246,11 +245,11 @@ index 1fd4940..b3bb5cf 100644
  
        /**
         * This implementation returns true if the given class is an 
implementation of {@link XmlObject}.
-diff --git 
a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
 
b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-index de42e5b..52c121e 100644
+diff --git 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+index d6521ff..efa9403 100644
 --- 
a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
 +++ 
b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
-@@ -27,11 +27,9 @@ import java.lang.reflect.Constructor;
+@@ -26,11 +26,9 @@ import java.io.Writer;
  import java.util.LinkedHashMap;
  import java.util.List;
  import java.util.Map;
@@ -263,9 +262,9 @@ index de42e5b..52c121e 100644
 +import javax.xml.transform.stax.StAXSource;
 +import javax.xml.transform.stream.StreamSource;
  
- import com.thoughtworks.xstream.MarshallingStrategy;
  import com.thoughtworks.xstream.XStream;
-@@ -342,6 +340,11 @@ public class XStreamMarshaller extends AbstractMarshaller 
implements Initializin
+ import com.thoughtworks.xstream.converters.ConversionException;
+@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller 
implements Initializin
                this.encoding = encoding;
        }
  
@@ -277,7 +276,7 @@ index de42e5b..52c121e 100644
        /**
         * Set the classes supported by this marshaller.
         * <p>If this property is empty (the default), all classes are 
supported.
-@@ -701,6 +704,13 @@ public class XStreamMarshaller extends AbstractMarshaller 
implements Initializin
+@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller 
implements Initializin
        // Unmarshalling
  
        @Override
@@ -291,452 +290,30 @@ index de42e5b..52c121e 100644
        protected Object unmarshalDomNode(Node node) throws XmlMappingException 
{
                HierarchicalStreamReader streamReader;
                if (node instanceof Document) {
-diff --git 
a/spring-oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
 
b/spring-oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-index 5856408..5500642 100644
---- 
a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-+++ 
b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/castor/CastorUnmarshallerTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -19,6 +19,8 @@ package org.springframework.oxm.castor;
- import java.io.ByteArrayInputStream;
- import java.io.IOException;
- import java.io.StringReader;
-+import java.util.concurrent.atomic.AtomicReference;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamSource;
- 
- import org.junit.Ignore;
-@@ -28,9 +30,13 @@ import org.springframework.core.io.ClassPathResource;
- import org.springframework.oxm.AbstractUnmarshallerTests;
- import org.springframework.oxm.MarshallingException;
- import org.springframework.oxm.Unmarshaller;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.XMLReader;
- 
-+import static junit.framework.Assert.assertNotNull;
- import static org.hamcrest.CoreMatchers.*;
- import static org.junit.Assert.*;
-+import static org.junit.Assert.assertEquals;
- 
- /**
-  * @author Arjen Poutsma
-@@ -203,4 +209,59 @@ public class CastorUnmarshallerTests extends 
AbstractUnmarshallerTests {
-               StreamSource source = new StreamSource(new StringReader(xml));
-               return unmarshaller.unmarshal(source);
-       }
-+
-+      @Test
-+      public void unmarshalStreamSourceExternalEntities() throws Exception {
-+
-+              final AtomicReference<XMLReader> result = new 
AtomicReference<XMLReader>();
-+              CastorMarshaller marshaller = new CastorMarshaller() {
-+                      @Override
-+                      protected Object unmarshalSaxReader(XMLReader 
xmlReader, InputSource inputSource) {
-+                              result.set(xmlReader);
-+                              return null;
-+                      }
-+              };
-+
-+              // 1. external-general-entities disabled (default)
-+
-+              marshaller.unmarshal(new StreamSource("1"));
-+              assertNotNull(result.get());
-+              assertEquals(false, 
result.get().getFeature("http://xml.org/sax/features/external-general-entities";));
-+
-+              // 2. external-general-entities disabled (default)
-+
-+              result.set(null);
-+              marshaller.setProcessExternalEntities(true);
-+              marshaller.unmarshal(new StreamSource("1"));
-+              assertNotNull(result.get());
-+              assertEquals(true, 
result.get().getFeature("http://xml.org/sax/features/external-general-entities";));
-+      }
-+
-+      @Test
-+      public void unmarshalSaxSourceExternalEntities() throws Exception {
-+
-+              final AtomicReference<XMLReader> result = new 
AtomicReference<XMLReader>();
-+              CastorMarshaller marshaller = new CastorMarshaller() {
-+                      @Override
-+                      protected Object unmarshalSaxReader(XMLReader 
xmlReader, InputSource inputSource) {
-+                              result.set(xmlReader);
-+                              return null;
-+                      }
-+              };
-+
-+              // 1. external-general-entities disabled (default)
-+
-+              marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+              assertNotNull(result.get());
-+              assertEquals(false, 
result.get().getFeature("http://xml.org/sax/features/external-general-entities";));
-+
-+              // 2. external-general-entities disabled (default)
-+
-+              result.set(null);
-+              marshaller.setProcessExternalEntities(true);
-+              marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+              assertNotNull(result.get());
-+              assertEquals(true, 
result.get().getFeature("http://xml.org/sax/features/external-general-entities";));
-+      }
-+
- }
-diff --git 
a/spring-oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
 
b/spring-oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-index af99408..921a4b2 100644
---- 
a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-+++ 
b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jaxb/Jaxb2MarshallerTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -31,9 +31,12 @@ import javax.xml.bind.annotation.XmlType;
- import javax.xml.namespace.QName;
- import javax.xml.transform.Result;
- import javax.xml.transform.sax.SAXResult;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamResult;
-+import javax.xml.transform.stream.StreamSource;
- 
- import org.junit.Test;
-+import org.mockito.ArgumentCaptor;
- import org.mockito.InOrder;
- import org.springframework.core.io.ClassPathResource;
- import org.springframework.core.io.Resource;
-@@ -47,9 +50,7 @@ import org.springframework.oxm.jaxb.test.ObjectFactory;
- import org.springframework.oxm.mime.MimeContainer;
- import org.springframework.util.FileCopyUtils;
- import org.springframework.util.ReflectionUtils;
--import org.xml.sax.Attributes;
--import org.xml.sax.ContentHandler;
--import org.xml.sax.Locator;
-+import org.xml.sax.*;
- 
- import static org.junit.Assert.*;
- import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual;
-@@ -289,7 +290,7 @@ public class Jaxb2MarshallerTests extends 
AbstractMarshallerTests {
-       public void marshalAWrappedObjectHoldingAnXmlElementDeclElement() 
throws Exception {
-               // SPR-10714
-               marshaller = new Jaxb2Marshaller();
--              marshaller.setPackagesToScan(new String[] { 
"org.springframework.oxm.jaxb" });
-+              marshaller.setPackagesToScan(new 
String[]{"org.springframework.oxm.jaxb"});
-               marshaller.afterPropertiesSet();
-               Airplane airplane = new Airplane();
-               airplane.setName("test");
-@@ -300,6 +301,75 @@ public class Jaxb2MarshallerTests extends 
AbstractMarshallerTests {
-                               writer.toString(), 
"<airplane><name>test</name></airplane>");
-       }
- 
-+      // SPR-10806
-+
-+      @Test
-+      public void unmarshalStreamSourceExternalEntities() throws Exception {
-+
-+              final javax.xml.bind.Unmarshaller unmarshaller = 
mock(javax.xml.bind.Unmarshaller.class);
-+              Jaxb2Marshaller marshaller = new Jaxb2Marshaller() {
-+                      @Override
-+                      protected javax.xml.bind.Unmarshaller 
createUnmarshaller() {
-+                              return unmarshaller;
-+                      }
-+              };
-+
-+              // 1. external-general-entities disabled (default)
-+
-+              marshaller.unmarshal(new StreamSource("1"));
-+              ArgumentCaptor<SAXSource> sourceCaptor = 
ArgumentCaptor.forClass(SAXSource.class);
-+              verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+              SAXSource result = sourceCaptor.getValue();
-+              assertEquals(false, 
result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities";));
-+
-+              // 2. external-general-entities enabled
-+
-+              reset(unmarshaller);
-+              marshaller.setProcessExternalEntities(true);
-+
-+              marshaller.unmarshal(new StreamSource("1"));
-+              verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+              result = sourceCaptor.getValue();
-+              assertEquals(true, 
result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities";));
-+      }
-+
-+      // SPR-10806
-+
-+      @Test
-+      public void unmarshalSaxSourceExternalEntities() throws Exception {
-+
-+              final javax.xml.bind.Unmarshaller unmarshaller = 
mock(javax.xml.bind.Unmarshaller.class);
-+              Jaxb2Marshaller marshaller = new Jaxb2Marshaller() {
-+                      @Override
-+                      protected javax.xml.bind.Unmarshaller 
createUnmarshaller() {
-+                              return unmarshaller;
-+                      }
-+              };
-+
-+              // 1. external-general-entities disabled (default)
-+
-+              marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+              ArgumentCaptor<SAXSource> sourceCaptor = 
ArgumentCaptor.forClass(SAXSource.class);
-+              verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+              SAXSource result = sourceCaptor.getValue();
-+              assertEquals(false, 
result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities";));
-+
-+              // 2. external-general-entities enabled
-+
-+              reset(unmarshaller);
-+              marshaller.setProcessExternalEntities(true);
-+
-+              marshaller.unmarshal(new SAXSource(new InputSource("1")));
-+              verify(unmarshaller).unmarshal(sourceCaptor.capture());
-+
-+              result = sourceCaptor.getValue();
-+              assertEquals(true, 
result.getXMLReader().getFeature("http://xml.org/sax/features/external-general-entities";));
-+      }
-+
-+
-       @XmlRootElement
-       @SuppressWarnings("unused")
-       public static class DummyRootElement {
-diff --git 
a/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
 
b/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-index 14ab19c..f7d26af 100644
---- 
a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-+++ 
b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxMarshallerTests.java
-@@ -16,21 +16,34 @@
- 
- package org.springframework.oxm.jibx;
- 
-+import java.io.IOException;
- import java.io.StringWriter;
-+import java.util.concurrent.atomic.AtomicReference;
-+import javax.xml.transform.sax.SAXSource;
- import javax.xml.transform.stream.StreamResult;
-+import javax.xml.transform.stream.StreamSource;
- 
- import org.custommonkey.xmlunit.XMLUnit;
- import org.junit.BeforeClass;
- import org.junit.Test;
- 
-+import org.mockito.ArgumentCaptor;
- import org.springframework.oxm.AbstractMarshallerTests;
- import org.springframework.oxm.Marshaller;
-+import org.springframework.oxm.XmlMappingException;
-+import org.springframework.oxm.jaxb.Jaxb2Marshaller;
- import org.springframework.tests.Assume;
- import org.springframework.tests.TestGroup;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.XMLReader;
- 
- import static org.custommonkey.xmlunit.XMLAssert.*;
-+import static org.junit.Assert.assertEquals;
- import static org.junit.Assert.assertFalse;
- import static org.junit.Assert.assertTrue;
-+import static org.mockito.Mockito.mock;
-+import static org.mockito.Mockito.reset;
-+import static org.mockito.Mockito.verify;
- 
- /**
-  * @author Arjen Poutsma
-@@ -107,5 +120,4 @@ public class JibxMarshallerTests extends 
AbstractMarshallerTests {
-               assertFalse("JibxMarshaller supports illegal type", 
marshaller.supports(getClass()));
-       }
- 
--
- }
-diff --git 
a/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
 
b/spring-oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-index b1e460d..5ceeab2 100644
---- 
a/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-+++ 
b/projects/org.springframework.oxm/src/test/java/org/springframework/oxm/jibx/JibxUnmarshallerTests.java
-@@ -28,7 +28,9 @@ import org.springframework.oxm.Unmarshaller;
- import org.springframework.tests.Assume;
- import org.springframework.tests.TestGroup;
- 
--import static org.junit.Assert.*;
-+import static org.junit.Assert.assertEquals;
-+import static org.junit.Assert.assertNotNull;
-+
- 
- /**
-  * @author Arjen Poutsma
-diff --git 
a/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
 
b/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-index 676f6d6..ad8d7d9 100644
---- 
a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-+++ 
b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -28,6 +28,9 @@ import javax.xml.bind.annotation.XmlRootElement;
- import javax.xml.bind.annotation.XmlType;
- import javax.xml.transform.Result;
- import javax.xml.transform.Source;
-+import javax.xml.transform.dom.DOMSource;
-+import javax.xml.transform.sax.SAXSource;
-+import javax.xml.transform.stream.StreamSource;
- 
- import org.springframework.core.annotation.AnnotationUtils;
- import org.springframework.http.HttpHeaders;
-@@ -36,6 +39,11 @@ import 
org.springframework.http.converter.HttpMessageConversionException;
- import org.springframework.http.converter.HttpMessageNotReadableException;
- import org.springframework.http.converter.HttpMessageNotWritableException;
- import org.springframework.util.ClassUtils;
-+import org.springframework.util.xml.StaxUtils;
-+import org.xml.sax.InputSource;
-+import org.xml.sax.SAXException;
-+import org.xml.sax.XMLReader;
-+import org.xml.sax.helpers.XMLReaderFactory;
- 
- /**
-  * Implementation of {@link 
org.springframework.http.converter.HttpMessageConverter HttpMessageConverter} 
that can read
-@@ -49,6 +57,17 @@ import org.springframework.util.ClassUtils;
-  */
- public class Jaxb2RootElementHttpMessageConverter extends 
AbstractJaxb2HttpMessageConverter<Object> {
- 
-+      private boolean processExternalEntities = false;
-+
-+
-+      /**
-+       * Indicates whether external XML entities are processed when 
converting to a Source.
-+       * <p>Default is {@code false}, meaning that external entities are not 
resolved.
-+       */
-+      public void setProcessExternalEntities(boolean processExternalEntities) 
{
-+              this.processExternalEntities = processExternalEntities;
-+      }
-+
-       @Override
-       public boolean canRead(Class<?> clazz, MediaType mediaType) {
-               return (clazz.isAnnotationPresent(XmlRootElement.class) || 
clazz.isAnnotationPresent(XmlType.class)) &&
-@@ -69,6 +88,7 @@ public class Jaxb2RootElementHttpMessageConverter extends 
AbstractJaxb2HttpMessa
-       @Override
-       protected Object readFromSource(Class<?> clazz, HttpHeaders headers, 
Source source) throws IOException {
-               try {
-+                      source = processSource(source);
-                       Unmarshaller unmarshaller = createUnmarshaller(clazz);
-                       if (clazz.isAnnotationPresent(XmlRootElement.class)) {
-                               return unmarshaller.unmarshal(source);
-@@ -87,6 +107,26 @@ public class Jaxb2RootElementHttpMessageConverter extends 
AbstractJaxb2HttpMessa
-               }
-       }
- 
-+      protected Source processSource(Source source) {
-+              if (source instanceof StreamSource) {
-+                      StreamSource streamSource = (StreamSource) source;
-+                      InputSource inputSource = new 
InputSource(streamSource.getInputStream());
-+                      try {
-+                              XMLReader xmlReader = 
XMLReaderFactory.createXMLReader();
-+                              String featureName = 
"http://xml.org/sax/features/external-general-entities";;
-+                              xmlReader.setFeature(featureName, 
this.processExternalEntities);
-+                              return new SAXSource(xmlReader, inputSource);
-+                      }
-+                      catch (SAXException ex) {
-+                              logger.warn("Processing of external entities 
could not be disabled", ex);
-+                              return source;
-+                      }
-+              }
-+              else {
-+                      return source;
-+              }
-+      }
-+
-       @Override
-       protected void writeToResult(Object o, HttpHeaders headers, Result 
result) throws IOException {
-               try {
-diff --git 
a/spring-web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
 
b/spring-web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-index e970450..ec7daec 100644
+diff --git 
a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
 
b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
+index 15b7d8e..3126ca4 100644
 --- 
a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
 +++ 
b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java
-@@ -95,6 +95,12 @@ public class SourceHttpMessageConverter<T extends Source> 
extends AbstractHttpMe
-               this.processExternalEntities = processExternalEntities;
-       }
- 
-+      /**
-+       * @return the configured value for whether XML external entities are 
allowed.
-+       */
-+      public boolean isProcessExternalEntities() {
-+              return this.processExternalEntities;
-+      }
- 
-       @Override
+@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> 
extends AbstractHttpMe
+         this.processExternalEntities = processExternalEntities;
+     }
+ 
++    /**
++     * @return the configured value for whether XML external entities are 
allowed.
++     */
++    public boolean isProcessExternalEntities() {
++        return this.processExternalEntities;
++    }
++
+     @Override
        public boolean supports(Class<?> clazz) {
-@@ -159,8 +165,7 @@ public class SourceHttpMessageConverter<T extends Source> 
extends AbstractHttpMe
-       private Source readStAXSource(InputStream body) {
-               try {
-                       XMLInputFactory inputFactory = 
XMLInputFactory.newFactory();
--                      inputFactory.setProperty(
--                                      
"javax.xml.stream.isSupportingExternalEntities", this.processExternalEntities);
-+                      
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, 
this.processExternalEntities);
-                       XMLStreamReader streamReader = 
inputFactory.createXMLStreamReader(body);
-                       return new StAXSource(streamReader);
-               }
-diff --git 
a/spring-web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
 
b/spring-web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-index 30b7cc0..fe1e392 100644
---- 
a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-+++ 
b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTests.java
-@@ -32,9 +32,13 @@ import org.junit.Test;
- import org.springframework.aop.framework.AdvisedSupport;
- import org.springframework.aop.framework.AopProxy;
- import org.springframework.aop.framework.DefaultAopProxyFactory;
-+import org.springframework.core.io.ClassPathResource;
-+import org.springframework.core.io.Resource;
- import org.springframework.http.MediaType;
- import org.springframework.http.MockHttpInputMessage;
- import org.springframework.http.MockHttpOutputMessage;
-+import org.springframework.http.converter.HttpMessageNotReadableException;
-+import org.xml.sax.SAXParseException;
- 
- /** @author Arjen Poutsma */
- public class Jaxb2RootElementHttpMessageConverterTests {
-@@ -96,6 +100,33 @@ public class Jaxb2RootElementHttpMessageConverterTests {
-       }
- 
-       @Test
-+      public void readXmlRootElementExternalEntityDisabled() throws Exception 
{
-+              Resource external = new ClassPathResource("external.txt", 
getClass());
-+              String content =  "<!DOCTYPE root [" +
-+                              "  <!ELEMENT external ANY >\n" +
-+                              "  <!ENTITY ext SYSTEM \"" + external.getURI() 
+ "\" >]>" +
-+                              "  
<rootElement><external>&ext;</external></rootElement>";
-+              MockHttpInputMessage inputMessage = new 
MockHttpInputMessage(content.getBytes("UTF-8"));
-+              RootElement rootElement = (RootElement) 
converter.read(RootElement.class, inputMessage);
-+
-+              assertEquals("", rootElement.external);
-+      }
-+
-+      @Test
-+      public void readXmlRootElementExternalEntityEnabled() throws Exception {
-+              Resource external = new ClassPathResource("external.txt", 
getClass());
-+              String content =  "<!DOCTYPE root [" +
-+                              "  <!ELEMENT external ANY >\n" +
-+                              "  <!ENTITY ext SYSTEM \"" + external.getURI() 
+ "\" >]>" +
-+                              "  
<rootElement><external>&ext;</external></rootElement>";
-+              MockHttpInputMessage inputMessage = new 
MockHttpInputMessage(content.getBytes("UTF-8"));
-+              this.converter.setProcessExternalEntities(true);
-+              RootElement rootElement = (RootElement) 
converter.read(RootElement.class, inputMessage);
-+
-+              assertEquals("Foo Bar", rootElement.external);
-+      }
-+
-+      @Test
-       public void writeXmlRootElement() throws Exception {
-               MockHttpOutputMessage outputMessage = new 
MockHttpOutputMessage();
-               converter.write(rootElement, null, outputMessage);
-@@ -120,6 +151,9 @@ public class Jaxb2RootElementHttpMessageConverterTests {
- 
-               private Type type = new Type();
- 
-+              @XmlElement(required=false)
-+              public String external;
-+
-               public Type getType() {
-                       return this.type;
-               }
+               return DOMSource.class.equals(clazz) || 
SAXSource.class.equals(clazz)
+@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> 
extends AbstractHttpMe
+     private Source readStAXSource(InputStream body) {
+         try {
+             XMLInputFactory inputFactory = XMLInputFactory.newFactory();
+-            
inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", 
processExternalEntities);
++            
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, 
this.processExternalEntities);
+             XMLStreamReader streamReader = 
inputFactory.createXMLStreamReader(body);
+             return StaxUtils.createStaxSource(streamReader);
+         }
diff --git a/debian/patches/CVE-2014-1904.patch 
b/debian/patches/CVE-2014-1904.patch
index e59e02d..d9274d1 100644
--- a/debian/patches/CVE-2014-1904.patch
+++ b/debian/patches/CVE-2014-1904.patch
@@ -1,37 +1,36 @@
 From: Miguel Landaeta <[email protected]>
-Date: Mon, 24 Mar 2014 14:35:39 -0300
-Subject: CVE-2013-6429
+Date: Mon, 24 Mar 2014 17:07:58 -0300
+Subject: CVE-2014-1904
 
 Bug: http://bugs.debian.org/741604
 
-diff --git 
a/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
 
b/spring-webmvc/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-index a6aa59c..8c50bde 100644
+diff --git 
a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
 
b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
+index 2e9cc84..b416084 100644
 --- 
a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
 +++ 
b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
 @@ -1,5 +1,5 @@
  /*
-- * Copyright 2002-2013 the original author or authors.
+- * Copyright 2002-2010 the original author or authors.
 + * Copyright 2002-2014 the original author or authors.
   *
   * Licensed under the Apache License, Version 2.0 (the "License");
   * you may not use this file except in compliance with the License.
-@@ -16,6 +16,7 @@
- 
- package org.springframework.web.servlet.tags.form;
+@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
+ import javax.servlet.jsp.JspException;
+ import javax.servlet.jsp.PageContext;
  
 +import java.io.UnsupportedEncodingException;
- import java.util.Map;
- 
- import javax.servlet.ServletRequest;
-@@ -32,6 +33,7 @@ import org.springframework.util.ObjectUtils;
++
+ import org.springframework.beans.PropertyAccessor;
+ import org.springframework.core.Conventions;
+ import org.springframework.util.ObjectUtils;
  import org.springframework.util.StringUtils;
- import org.springframework.web.servlet.support.RequestDataValueProcessor;
  import org.springframework.web.util.HtmlUtils;
 +import org.springframework.web.util.UriUtils;
  
  /**
-  * Databinding-aware JSP tag for rendering an HTML '{@code form}' whose
-@@ -442,6 +444,13 @@ public class FormTag extends AbstractHtmlElementTag {
+  * Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
+@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
                }
                else {
                        String requestUri = getRequestContext().getRequestUri();
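Review bot: The refreshed patch header (From/Date/Subject/Bug) still names no upstream change, so a later reviewer cannot compare this 3.0.6 port of the FormTag fix with the original; a DEP-3 line such as `Origin: backport, <upstream-commit-URL>` (placeholder, to be filled with the real commit) under `Bug:` would close that gap. The seven lines that the inner hunk `@@ -397,6 +400,13 @@` adds after `String requestUri = getRequestContext().getRequestUri();` are unchanged by this commit and not shown, so the encoding step itself cannot be checked from this hunk. The following hunk also drops `testDefaultActionEncoded` from the patch, which leaves the package build without a regression check that a request URI like `/a b c` is rendered as `/a%20b%20c` in the form action. If that test cannot be ported to this tree, the patch description should say so.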
@@ -45,36 +44,3 @@ index a6aa59c..8c50bde 100644
                        ServletResponse response = 
this.pageContext.getResponse();
                        if (response instanceof HttpServletResponse) {
                                requestUri = ((HttpServletResponse) 
response).encodeURL(requestUri);
-diff --git 
a/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
 
b/spring-webmvc/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-index 8fdcc1c..2612761 100644
---- 
a/projects/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-+++ 
b/projects/org.springframework.web.servlet/src/test/java/org/springframework/web/servlet/tags/form/FormTagTests.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2013 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -340,6 +340,21 @@ public class FormTagTests extends 
AbstractHtmlElementTagTests {
-               assertFormTagClosed(output);
-       }
- 
-+      public void testDefaultActionEncoded() throws Exception {
-+
-+              this.request.setRequestURI("/a b c");
-+              request.setQueryString("");
-+
-+              this.tag.doStartTag();
-+              this.tag.doEndTag();
-+              this.tag.doFinally();
-+
-+              String output = getOutput();
-+              String formOutput = getFormTag(output);
-+
-+              assertContainsAttribute(formOutput, "action", "/a%20b%20c");
-+      }
-+
-       private String getFormTag(String output) {
-               int inputStart = output.indexOf("<", 1);
-               int inputEnd = output.lastIndexOf(">", output.length() - 2);
diff --git a/debian/patches/series b/debian/patches/series
index 36fe668..be7dad9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -12,5 +12,5 @@
 Add-processExternalEntities-to-JAXB2Marshaller.patch
 CVE-2013-6429.patch
 CVE-2013-6430.patch
-#CVE-2014-0054.patch
+CVE-2014-0054.patch
 CVE-2014-1904.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/libspring-java.git
