This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch master in repository libspring-java.
commit 3154877c41f80993cf1b8f209f58b5651a90da75 Author: Emmanuel Bourg <[email protected]> Date: Wed Nov 26 16:04:22 2014 +0100 Removed the security patches (fixed upstream) --- debian/changelog | 4 +- debian/patches/CVE-2013-6429.patch | 712 ------------------------------------- debian/patches/CVE-2013-6430.patch | 151 -------- debian/patches/CVE-2014-0054.patch | 319 ----------------- debian/patches/CVE-2014-0225.patch | 305 ---------------- debian/patches/CVE-2014-1904.patch | 46 --- debian/patches/series | 5 - 7 files changed, 3 insertions(+), 1539 deletions(-) diff --git a/debian/changelog b/debian/changelog index 35f78ee..74eb894 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,8 @@ -libspring-java (3.0.6.RELEASE-18) UNRELEASED; urgency=medium +libspring-java (3.2.12-1) UNRELEASED; urgency=medium * Team upload. + * New upstream release + - Removed the patches applied upstream * Use XZ compression for the upstream tarball * Remove more jar files from the upstream tarball diff --git a/debian/patches/CVE-2013-6429.patch b/debian/patches/CVE-2013-6429.patch deleted file mode 100644 index 3334c0e..0000000 --- a/debian/patches/CVE-2013-6429.patch +++ /dev/null 
@@ -1,712 +0,0 @@
-From: Markus Koschany <[email protected]>
-Date: Fri, 24 Jan 2014 16:46:07 +0100
-Subject: CVE-2013-6429
-
-Bug: http://bugs.debian.org/735420
----
- .../java/org/springframework/util/StreamUtils.java | 183 ++++++++++++++++++++
- .../org/springframework/util/xml/StaxUtils.java | 15 +-
- .../converter/xml/SourceHttpMessageConverter.java | 190 +++++++++++++++++----
- .../xml/SourceHttpMessageConverterTests.java | 145 +++++++++++++---
- .../http/converter/xml/external.txt | 1 +
- 5 files changed, 478 insertions(+), 56 deletions(-)
- create mode 100644 projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
- create mode 100644 projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt
-
-diff --git a/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java b/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
-new file mode 100644
-index 0000000..cc3107d
---- /dev/null
-+++ b/projects/org.springframework.core/src/main/java/org/springframework/util/StreamUtils.java
-@@ -0,0 +1,183 @@
-+/*
-+ * Copyright 2002-2013 the original author or authors.
-+ *
-+ * Licensed under the Apache License, Version 2.0 (the "License");
-+ * you may not use this file except in compliance with the License.
-+ * You may obtain a copy of the License at
-+ *
-+ * http://www.apache.org/licenses/LICENSE-2.0
-+ *
-+ * Unless required by applicable law or agreed to in writing, software
-+ * distributed under the License is distributed on an "AS IS" BASIS,
-+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-+ * See the License for the specific language governing permissions and
-+ * limitations under the License.
-+ */ -+ -+package org.springframework.util; -+ -+import java.io.ByteArrayOutputStream; -+import java.io.FilterInputStream; -+import java.io.FilterOutputStream; -+import java.io.IOException; -+import java.io.InputStream; -+import java.io.InputStreamReader; -+import java.io.OutputStream; -+import java.io.OutputStreamWriter; -+import java.io.Writer; -+import java.nio.charset.Charset; -+ -+ -+/** -+ * Simple utility methods for dealing with streams. The copy methods of this class are -+ * similar to those defined in {@link FileCopyUtils} except that all affected streams are -+ * left open when done. All copy methods use a block size of 4096 bytes. -+ * -+ * <p>Mainly for use within the framework, but also useful for application code. -+ * -+ * @author Juergen Hoeller -+ * @author Phillip Webb -+ * @since 3.2.2 -+ * @see FileCopyUtils -+ */ -+public abstract class StreamUtils { -+ -+ public static final int BUFFER_SIZE = 4096; -+ -+ -+ /** -+ * Copy the contents of the given InputStream into a new byte array. -+ * Leaves the stream open when done. -+ * @param in the stream to copy from -+ * @return the new byte array that has been copied to -+ * @throws IOException in case of I/O errors -+ */ -+ public static byte[] copyToByteArray(InputStream in) throws IOException { -+ ByteArrayOutputStream out = new ByteArrayOutputStream(BUFFER_SIZE); -+ copy(in, out); -+ return out.toByteArray(); -+ } -+ -+ /** -+ * Copy the contents of the given InputStream into a String. -+ * Leaves the stream open when done. 
-+ * @param in the InputStream to copy from -+ * @return the String that has been copied to -+ * @throws IOException in case of I/O errors -+ */ -+ public static String copyToString(InputStream in, Charset charset) throws IOException { -+ Assert.notNull(in, "No InputStream specified"); -+ StringBuilder out = new StringBuilder(); -+ InputStreamReader reader = new InputStreamReader(in, charset); -+ char[] buffer = new char[BUFFER_SIZE]; -+ int bytesRead = -1; -+ while ((bytesRead = reader.read(buffer)) != -1) { -+ out.append(buffer, 0, bytesRead); -+ } -+ return out.toString(); -+ } -+ -+ /** -+ * Copy the contents of the given byte array to the given OutputStream. -+ * Leaves the stream open when done. -+ * @param in the byte array to copy from -+ * @param out the OutputStream to copy to -+ * @throws IOException in case of I/O errors -+ */ -+ public static void copy(byte[] in, OutputStream out) throws IOException { -+ Assert.notNull(in, "No input byte array specified"); -+ Assert.notNull(out, "No OutputStream specified"); -+ out.write(in); -+ } -+ -+ /** -+ * Copy the contents of the given String to the given output OutputStream. -+ * Leaves the stream open when done. -+ * @param in the String to copy from -+ * @param charset the Charset -+ * @param out the OutputStream to copy to -+ * @throws IOException in case of I/O errors -+ */ -+ public static void copy(String in, Charset charset, OutputStream out) throws IOException { -+ Assert.notNull(in, "No input String specified"); -+ Assert.notNull(charset, "No charset specified"); -+ Assert.notNull(out, "No OutputStream specified"); -+ Writer writer = new OutputStreamWriter(out, charset); -+ writer.write(in); -+ writer.flush(); -+ } -+ -+ /** -+ * Copy the contents of the given InputStream to the given OutputStream. -+ * Leaves both streams open when done. 
-+ * @param in the InputStream to copy from -+ * @param out the OutputStream to copy to -+ * @return the number of bytes copied -+ * @throws IOException in case of I/O errors -+ */ -+ public static int copy(InputStream in, OutputStream out) throws IOException { -+ Assert.notNull(in, "No InputStream specified"); -+ Assert.notNull(out, "No OutputStream specified"); -+ int byteCount = 0; -+ byte[] buffer = new byte[BUFFER_SIZE]; -+ int bytesRead = -1; -+ while ((bytesRead = in.read(buffer)) != -1) { -+ out.write(buffer, 0, bytesRead); -+ byteCount += bytesRead; -+ } -+ out.flush(); -+ return byteCount; -+ } -+ -+ /** -+ * Returns a variant of the given {@link InputStream} where calling -+ * {@link InputStream#close() close()} has no effect. -+ * @param in the InputStream to decorate -+ * @return a version of the InputStream that ignores calls to close -+ */ -+ public static InputStream nonClosing(InputStream in) { -+ Assert.notNull(in, "No InputStream specified"); -+ return new NonClosingInputStream(in); -+ } -+ -+ /** -+ * Returns a variant of the given {@link OutputStream} where calling -+ * {@link OutputStream#close() close()} has no effect. 
-+ * @param out the OutputStream to decorate -+ * @return a version of the OutputStream that ignores calls to close -+ */ -+ public static OutputStream nonClosing(OutputStream out) { -+ Assert.notNull(out, "No OutputStream specified"); -+ return new NonClosingOutputStream(out); -+ } -+ -+ -+ private static class NonClosingInputStream extends FilterInputStream { -+ -+ public NonClosingInputStream(InputStream in) { -+ super(in); -+ } -+ -+ @Override -+ public void close() throws IOException { -+ } -+ } -+ -+ -+ private static class NonClosingOutputStream extends FilterOutputStream { -+ -+ public NonClosingOutputStream(OutputStream out) { -+ super(out); -+ } -+ -+ @Override -+ public void write(byte[] b, int off, int let) throws IOException { -+ // It is critical that we override this method for performance -+ out.write(b, off, let); -+ } -+ -+ @Override -+ public void close() throws IOException { -+ } -+ } -+} -diff --git a/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java b/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java -index 4bd4a7a..dee73ca 100644 ---- a/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java -+++ b/projects/org.springframework.core/src/main/java/org/springframework/util/xml/StaxUtils.java -@@ -113,7 +113,16 @@ public abstract class StaxUtils { - * 1.4 {@link StAXSource}; {@code false} otherwise. - */ - public static boolean isStaxSource(Source source) { -- return (source instanceof StaxSource || (jaxp14Available && Jaxp14StaxHandler.isStaxSource(source))); -+ return ((source instanceof StaxSource) || (jaxp14Available && Jaxp14StaxHandler.isStaxSource(source))); -+ } -+ -+ /** -+ * Indicate whether the given class is a StAX Source class. -+ * @return {@code true} if {@code source} is a custom StAX source or JAXP -+ * 1.4 {@link StAXSource} class; {@code false} otherwise. 
-+ */ -+ public static boolean isStaxSourceClass(Class<? extends Source> clazz) { -+ return (StaxSource.class.equals(clazz) || (jaxp14Available && Jaxp14StaxHandler.isStaxSourceClass(clazz))); - } - - // Stax Result -@@ -343,6 +352,10 @@ public abstract class StaxUtils { - return source instanceof StAXSource; - } - -+ private static boolean isStaxSourceClass(Class<? extends Source> clazz) { -+ return StAXSource.class.equals(clazz); -+ } -+ - private static boolean isStaxResult(Result result) { - return result instanceof StAXResult; - } -diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -index 4ba1aac..15b7d8e 100644 ---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -@@ -1,5 +1,5 @@ - /* -- * Copyright 2002-2010 the original author or authors. -+ * Copyright 2002-2013 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. 
-@@ -19,21 +19,40 @@ package org.springframework.http.converter.xml; - import java.io.ByteArrayInputStream; - import java.io.ByteArrayOutputStream; - import java.io.IOException; -+import java.io.InputStream; -+import java.io.OutputStream; -+import javax.xml.parsers.DocumentBuilder; -+import javax.xml.parsers.DocumentBuilderFactory; -+import javax.xml.parsers.ParserConfigurationException; -+import javax.xml.stream.XMLInputFactory; -+import javax.xml.stream.XMLStreamException; -+import javax.xml.stream.XMLStreamReader; - import javax.xml.transform.Result; - import javax.xml.transform.Source; - import javax.xml.transform.TransformerException; -+import javax.xml.transform.TransformerFactory; - import javax.xml.transform.dom.DOMResult; - import javax.xml.transform.dom.DOMSource; - import javax.xml.transform.sax.SAXSource; - import javax.xml.transform.stream.StreamResult; - import javax.xml.transform.stream.StreamSource; - -+import org.w3c.dom.Document; - import org.xml.sax.InputSource; -+import org.xml.sax.SAXException; -+import org.xml.sax.XMLReader; -+import org.xml.sax.helpers.XMLReaderFactory; - - import org.springframework.http.HttpHeaders; -+import org.springframework.http.HttpInputMessage; -+import org.springframework.http.HttpOutputMessage; -+import org.springframework.http.MediaType; -+import org.springframework.http.converter.AbstractHttpMessageConverter; - import org.springframework.http.converter.HttpMessageConversionException; - import org.springframework.http.converter.HttpMessageNotReadableException; - import org.springframework.http.converter.HttpMessageNotWritableException; -+import org.springframework.util.StreamUtils; -+import org.springframework.util.xml.StaxUtils; - - /** - * Implementation of {@link org.springframework.http.converter.HttpMessageConverter} -@@ -42,55 +61,154 @@ import org.springframework.http.converter.HttpMessageNotWritableException; - * @author Arjen Poutsma - * @since 3.0 - */ --public class SourceHttpMessageConverter<T extends 
Source> extends AbstractXmlHttpMessageConverter<T> { -+public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMessageConverter<T> { - -- @Override -+ private final TransformerFactory transformerFactory = TransformerFactory.newInstance(); -+ -+ private boolean processExternalEntities = false; -+ -+ /** -+ * Sets the {@link #setSupportedMediaTypes(java.util.List) supportedMediaTypes} -+ * to {@code text/xml} and {@code application/xml}, and {@code application/*-xml}. -+ */ -+ public SourceHttpMessageConverter() { -+ super(MediaType.APPLICATION_XML, MediaType.TEXT_XML, new MediaType("application", "*+xml")); -+ } -+ -+ -+ /** -+ * Indicates whether external XML entities are processed when converting -+ * to a Source. -+ * <p>Default is {@code false}, meaning that external entities are not resolved. -+ */ -+ public void setProcessExternalEntities(boolean processExternalEntities) { -+ this.processExternalEntities = processExternalEntities; -+ } -+ -+ @Override - public boolean supports(Class<?> clazz) { -- return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz) || StreamSource.class.equals(clazz) || -- Source.class.equals(clazz); -+ return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz) -+ || StreamSource.class.equals(clazz) || Source.class.equals(clazz); - } - -+ @Override -+ protected T readInternal(Class<? 
extends T> clazz, HttpInputMessage inputMessage) -+ throws IOException, HttpMessageNotReadableException { -+ -+ InputStream body = inputMessage.getBody(); -+ if (DOMSource.class.equals(clazz)) { -+ return (T) readDOMSource(body); -+ } -+ else if (StaxUtils.isStaxSourceClass(clazz)) { -+ return (T) readStAXSource(body); -+ } -+ else if (SAXSource.class.equals(clazz)) { -+ return (T) readSAXSource(body); -+ } -+ else if (StreamSource.class.equals(clazz) || Source.class.equals(clazz)) { -+ return (T) readStreamSource(body); -+ } -+ else { -+ throw new HttpMessageConversionException("Could not read class [" + clazz + -+ "]. Only DOMSource, SAXSource, and StreamSource are supported."); -+ } -+ } -+ -+ private DOMSource readDOMSource(InputStream body) throws IOException { -+ try { -+ DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); -+ documentBuilderFactory.setNamespaceAware(true); -+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities); -+ DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder(); -+ Document document = documentBuilder.parse(body); -+ return new DOMSource(document); -+ } -+ catch (ParserConfigurationException ex) { -+ throw new HttpMessageNotReadableException("Could not set feature: " + ex.getMessage(), ex); -+ } -+ catch (SAXException ex) { -+ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex); -+ } -+ } -+ -+ private SAXSource readSAXSource(InputStream body) throws IOException { -+ try { -+ XMLReader reader = XMLReaderFactory.createXMLReader(); -+ reader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities); -+ byte[] bytes = StreamUtils.copyToByteArray(body); -+ return new SAXSource(reader, new InputSource(new ByteArrayInputStream(bytes))); -+ } -+ catch (SAXException ex) { -+ throw new HttpMessageNotReadableException("Could not parse document: " + 
ex.getMessage(), ex); -+ } -+ } -+ -+ private Source readStAXSource(InputStream body) { -+ try { -+ XMLInputFactory inputFactory = XMLInputFactory.newFactory(); -+ inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities); -+ XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body); -+ return StaxUtils.createStaxSource(streamReader); -+ } -+ catch (XMLStreamException ex) { -+ throw new HttpMessageNotReadableException("Could not parse document: " + ex.getMessage(), ex); -+ } -+ } -+ -+ private StreamSource readStreamSource(InputStream body) throws IOException { -+ byte[] bytes = StreamUtils.copyToByteArray(body); -+ return new StreamSource(new ByteArrayInputStream(bytes)); -+ } -+ - @Override -- @SuppressWarnings("unchecked") -- protected T readFromSource(Class clazz, HttpHeaders headers, Source source) throws IOException { -- try { -- if (DOMSource.class.equals(clazz)) { -- DOMResult domResult = new DOMResult(); -- transform(source, domResult); -- return (T) new DOMSource(domResult.getNode()); -- } -- else if (SAXSource.class.equals(clazz)) { -- ByteArrayInputStream bis = transformToByteArrayInputStream(source); -- return (T) new SAXSource(new InputSource(bis)); -+ protected Long getContentLength(T t, MediaType contentType) { -+ if (t instanceof DOMSource) { -+ try { -+ CountingOutputStream os = new CountingOutputStream(); -+ transform(t, new StreamResult(os)); -+ return os.count; - } -- else if (StreamSource.class.equals(clazz) || Source.class.equals(clazz)) { -- ByteArrayInputStream bis = transformToByteArrayInputStream(source); -- return (T) new StreamSource(bis); -- } -- else { -- throw new HttpMessageConversionException("Could not read class [" + clazz + -- "]. 
Only DOMSource, SAXSource, and StreamSource are supported."); -+ catch (TransformerException ex) { -+ // ignore - } - } -- catch (TransformerException ex) { -- throw new HttpMessageNotReadableException("Could not transform from [" + source + "] to [" + clazz + "]", -- ex); -- } -- } -- -- private ByteArrayInputStream transformToByteArrayInputStream(Source source) throws TransformerException { -- ByteArrayOutputStream bos = new ByteArrayOutputStream(); -- transform(source, new StreamResult(bos)); -- return new ByteArrayInputStream(bos.toByteArray()); -+ return null; - } - -- @Override -- protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOException { -+ @Override -+ protected void writeInternal(T t, HttpOutputMessage outputMessage) -+ throws IOException, HttpMessageNotWritableException { - try { -+ Result result = new StreamResult(outputMessage.getBody()); - transform(t, result); - } - catch (TransformerException ex) { -- throw new HttpMessageNotWritableException("Could not transform [" + t + "] to [" + result + "]", ex); -+ throw new HttpMessageNotWritableException("Could not transform [" + t + "] to output message", ex); -+ } -+ } -+ -+ private void transform(Source source, Result result) throws TransformerException { -+ this.transformerFactory.newTransformer().transform(source, result); -+ } -+ -+ -+ private static class CountingOutputStream extends OutputStream { -+ -+ private long count = 0; -+ -+ @Override -+ public void write(int b) throws IOException { -+ count++; -+ } -+ -+ @Override -+ public void write(byte[] b) throws IOException { -+ count += b.length; -+ } -+ -+ @Override -+ public void write(byte[] b, int off, int len) throws IOException { -+ count += len; - } - } - -diff --git a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java 
-index bb20f8a..8d47c22 100644 ---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java -+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java -@@ -1,5 +1,5 @@ - /* -- * Copyright 2002-2010 the original author or authors. -+ * Copyright 2002-2013 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. -@@ -16,35 +16,60 @@ - - package org.springframework.http.converter.xml; - -+import static org.custommonkey.xmlunit.XMLAssert.assertXMLEqual; -+import static org.junit.Assert.*; -+import static org.junit.Assert.assertNotEquals; -+ -+import java.io.IOException; -+import java.io.InputStream; - import java.io.InputStreamReader; -+import java.io.StringReader; - import java.nio.charset.Charset; -+ - import javax.xml.parsers.DocumentBuilderFactory; -+import javax.xml.stream.XMLStreamException; -+import javax.xml.stream.XMLStreamReader; - import javax.xml.transform.Source; - import javax.xml.transform.dom.DOMSource; - import javax.xml.transform.sax.SAXSource; -+import javax.xml.transform.stax.StAXSource; - import javax.xml.transform.stream.StreamSource; - --import static org.custommonkey.xmlunit.XMLAssert.*; - import org.junit.Before; - import org.junit.Test; --import org.w3c.dom.Document; --import org.w3c.dom.Element; --import org.xml.sax.InputSource; - -+import org.springframework.core.io.ClassPathResource; -+import org.springframework.core.io.Resource; - import org.springframework.http.MediaType; - import org.springframework.http.MockHttpInputMessage; - import org.springframework.http.MockHttpOutputMessage; - import org.springframework.util.FileCopyUtils; -+import org.w3c.dom.Document; -+import org.w3c.dom.Element; -+import org.xml.sax.InputSource; -+import org.xml.sax.SAXException; -+import 
org.xml.sax.XMLReader; -+import org.xml.sax.helpers.DefaultHandler; - --/** @author Arjen Poutsma */ --@SuppressWarnings("unchecked") -+/** -+ * @author Arjen Poutsma -+ */ - public class SourceHttpMessageConverterTests { - -+ private static final String BODY = "<root>Hello World</root>"; -+ - private SourceHttpMessageConverter<Source> converter; - -+ private String bodyExternal; -+ - @Before -- public void setUp() { -+ public void setUp() throws IOException { - converter = new SourceHttpMessageConverter<Source>(); -+ Resource external = new ClassPathResource("external.txt", getClass()); -+ -+ bodyExternal = "<!DOCTYPE root [" + -+ " <!ELEMENT root ANY >\n" + -+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]><root>&ext;</root>"; - } - - @Test -@@ -62,45 +87,100 @@ public class SourceHttpMessageConverterTests { - - @Test - public void readDOMSource() throws Exception { -- String body = "<root>Hello World</root>"; -- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8")); -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8")); -+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); -+ DOMSource result = (DOMSource) converter.read(DOMSource.class, inputMessage); -+ Document document = (Document) result.getNode(); -+ assertEquals("Invalid result", "root", document.getDocumentElement().getLocalName()); -+ } -+ -+ @Test -+ public void readDOMSourceExternal() throws Exception { -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8")); - inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); - DOMSource result = (DOMSource) converter.read(DOMSource.class, inputMessage); - Document document = (Document) result.getNode(); - assertEquals("Invalid result", "root", document.getDocumentElement().getLocalName()); -+ assertNotEquals("Invalid result", "Foo Bar", document.getDocumentElement().getTextContent()); - } - - @Test 
- public void readSAXSource() throws Exception { -- String body = "<root>Hello World</root>"; -- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8")); -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8")); - inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); - SAXSource result = (SAXSource) converter.read(SAXSource.class, inputMessage); - InputSource inputSource = result.getInputSource(); - String s = FileCopyUtils.copyToString(new InputStreamReader(inputSource.getByteStream())); -- assertXMLEqual("Invalid result", body, s); -+ assertXMLEqual("Invalid result", BODY, s); - } - - @Test -+ public void readSAXSourceExternal() throws Exception { -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8")); -+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); -+ SAXSource result = (SAXSource) converter.read(SAXSource.class, inputMessage); -+ InputSource inputSource = result.getInputSource(); -+ XMLReader reader = result.getXMLReader(); -+ reader.setContentHandler(new DefaultHandler() { -+ @Override -+ public void characters(char[] ch, int start, int length) throws SAXException { -+ String s = new String(ch, start, length); -+ assertNotEquals("Invalid result", "Foo Bar", s); -+ } -+ }); -+ reader.parse(inputSource); -+ } -+ -+ @Test -+ public void readStAXSource() throws Exception { -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8")); -+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); -+ StAXSource result = (StAXSource) converter.read(StAXSource.class, inputMessage); -+ XMLStreamReader streamReader = result.getXMLStreamReader(); -+ assertTrue(streamReader.hasNext()); -+ streamReader.nextTag(); -+ String s = streamReader.getLocalName(); -+ assertEquals("root", s); -+ s = streamReader.getElementText(); -+ assertEquals("Hello World", s); -+ 
streamReader.close(); -+ } -+ -+ @Test -+ public void readStAXSourceExternal() throws Exception { -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(bodyExternal.getBytes("UTF-8")); -+ inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); -+ StAXSource result = (StAXSource) converter.read(StAXSource.class, inputMessage); -+ XMLStreamReader streamReader = result.getXMLStreamReader(); -+ assertTrue(streamReader.hasNext()); -+ streamReader.next(); -+ streamReader.next(); -+ String s = streamReader.getLocalName(); -+ assertEquals("root", s); -+ s = streamReader.getElementText(); -+ assertNotEquals("Foo Bar", s); -+ streamReader.close(); -+ } -+ -+ -+ @Test - public void readStreamSource() throws Exception { -- String body = "<root>Hello World</root>"; -- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8")); -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8")); - inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); - StreamSource result = (StreamSource) converter.read(StreamSource.class, inputMessage); - String s = FileCopyUtils.copyToString(new InputStreamReader(result.getInputStream())); -- assertXMLEqual("Invalid result", body, s); -+ assertXMLEqual("Invalid result", BODY, s); - } - - @Test - public void readSource() throws Exception { -- String body = "<root>Hello World</root>"; -- MockHttpInputMessage inputMessage = new MockHttpInputMessage(body.getBytes("UTF-8")); -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(BODY.getBytes("UTF-8")); - inputMessage.getHeaders().setContentType(new MediaType("application", "xml")); - converter.read(Source.class, inputMessage); - } - - @Test -- public void write() throws Exception { -+ public void writeDOMSource() throws Exception { - DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); - documentBuilderFactory.setNamespaceAware(true); - Document document 
= documentBuilderFactory.newDocumentBuilder().newDocument(); -@@ -115,7 +195,34 @@ public class SourceHttpMessageConverterTests { - outputMessage.getBodyAsString(Charset.forName("UTF-8"))); - assertEquals("Invalid content-type", new MediaType("application", "xml"), - outputMessage.getHeaders().getContentType()); -+ assertEquals("Invalid content-length", outputMessage.getBodyAsBytes().length, -+ outputMessage.getHeaders().getContentLength()); - } - -+ @Test -+ public void writeSAXSource() throws Exception { -+ String xml = "<root>Hello World</root>"; -+ SAXSource saxSource = new SAXSource(new InputSource(new StringReader(xml))); -+ -+ MockHttpOutputMessage outputMessage = new MockHttpOutputMessage(); -+ converter.write(saxSource, null, outputMessage); -+ assertXMLEqual("Invalid result", "<root>Hello World</root>", -+ outputMessage.getBodyAsString(Charset.forName("UTF-8"))); -+ assertEquals("Invalid content-type", new MediaType("application", "xml"), -+ outputMessage.getHeaders().getContentType()); -+ } -+ -+ @Test -+ public void writeStreamSource() throws Exception { -+ String xml = "<root>Hello World</root>"; -+ StreamSource streamSource = new StreamSource(new StringReader(xml)); -+ -+ MockHttpOutputMessage outputMessage = new MockHttpOutputMessage(); -+ converter.write(streamSource, null, outputMessage); -+ assertXMLEqual("Invalid result", "<root>Hello World</root>", -+ outputMessage.getBodyAsString(Charset.forName("UTF-8"))); -+ assertEquals("Invalid content-type", new MediaType("application", "xml"), -+ outputMessage.getHeaders().getContentType()); -+ } - - } -diff --git a/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt b/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt -new file mode 100644 -index 0000000..76c7ac2 ---- /dev/null -+++ b/projects/org.springframework.web/src/test/resources/org/springframework/http/converter/xml/external.txt -@@ -0,0 +1 @@ 
-+Foo Bar
diff --git a/debian/patches/CVE-2013-6430.patch b/debian/patches/CVE-2013-6430.patch
deleted file mode 100644
index 7c4c362..0000000
--- a/debian/patches/CVE-2013-6430.patch
+++ /dev/null
@@ -1,151 +0,0 @@ -From: Markus Koschany <[email protected]> -Date: Thu, 23 Jan 2014 00:03:13 +0100 -Subject: CVE-2013-6430 - -Bug: http://bugs.debian.org/735420 ---- - .../springframework/web/util/JavaScriptUtils.java | 35 ++++++++--- - .../web/util/JavaScriptUtilsTests.java | 67 ++++++++++++++++++++++ - 2 files changed, 95 insertions(+), 7 deletions(-) - create mode 100644 projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java - -diff --git a/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java b/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java -index b28d398..861b46f 100644 ---- a/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java -+++ b/projects/org.springframework.web/src/main/java/org/springframework/web/util/JavaScriptUtils.java -@@ -1,5 +1,5 @@ - /* -- * Copyright 2002-2008 the original author or authors. -+ * Copyright 2002-2013 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. -@@ -21,21 +21,21 @@ package org.springframework.web.util; - * Escapes based on the JavaScript 1.5 recommendation. - * - * <p>Reference: -- * <a href="http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Guide:Literals#String_Literals"> -- * Core JavaScript 1.5 Guide -- * </a> -+ * <a href="https://developer.mozilla.org/en-US/docs/JavaScript/Guide/Values,_variables,_and_literals#String_literals"> -+ * JavaScript Guide</a> on Mozilla Developer Network. - * - * @author Juergen Hoeller - * @author Rob Harrop -+ * @author Rossen Stoyanchev - * @since 1.1.1 - */ - public class JavaScriptUtils { - - /** -- * Turn special characters into escaped characters conforming to JavaScript. -- * Handles complete character set defined in HTML 4.01 recommendation. 
-+ * Turn JavaScript special characters into escaped characters. -+ * - * @param input the input string -- * @return the escaped string -+ * @return the string with escaped characters - */ - public static String javaScriptEscape(String input) { - if (input == null) { -@@ -73,6 +73,27 @@ public class JavaScriptUtils { - else if (c == '\f') { - filtered.append("\\f"); - } -+ else if (c == '\b') { -+ filtered.append("\\b"); -+ } -+ // No '\v' in Java, use octal value for VT ascii char -+ else if (c == '\013') { -+ filtered.append("\\v"); -+ } -+ else if (c == '<') { -+ filtered.append("\\u003C"); -+ } -+ else if (c == '>') { -+ filtered.append("\\u003E"); -+ } -+ // Unicode for PS (line terminator in ECMA-262) -+ else if (c == '\u2028') { -+ filtered.append("\\u2028"); -+ } -+ // Unicode for LS (line terminator in ECMA-262) -+ else if (c == '\u2029') { -+ filtered.append("\\u2029"); -+ } - else { - filtered.append(c); - } -diff --git a/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java b/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java -new file mode 100644 -index 0000000..182f18e ---- /dev/null -+++ b/projects/org.springframework.web/src/test/java/org/springframework/web/util/JavaScriptUtilsTests.java -@@ -0,0 +1,67 @@ -+/* -+ * Copyright 2004-2013 the original author or authors. -+ * -+ * Licensed under the Apache License, Version 2.0 (the "License"); -+ * you may not use this file except in compliance with the License. -+ * You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. 
-+ */ -+ -+package org.springframework.web.util; -+ -+import static org.junit.Assert.*; -+ -+import java.io.UnsupportedEncodingException; -+ -+import org.junit.Test; -+ -+/** -+ * Test fixture for {@link JavaScriptUtils}. -+ * -+ * @author Rossen Stoyanchev -+ */ -+public class JavaScriptUtilsTests { -+ -+ @Test -+ public void escape() { -+ StringBuilder sb = new StringBuilder(); -+ sb.append('"'); -+ sb.append("'"); -+ sb.append("\\"); -+ sb.append("/"); -+ sb.append("\t"); -+ sb.append("\n"); -+ sb.append("\r"); -+ sb.append("\f"); -+ sb.append("\b"); -+ sb.append("\013"); -+ assertEquals("\\\"\\'\\\\\\/\\t\\n\\n\\f\\b\\v", JavaScriptUtils.javaScriptEscape(sb.toString())); -+ } -+ -+ // SPR-9983 -+ -+ @Test -+ public void escapePsLsLineTerminators() { -+ StringBuilder sb = new StringBuilder(); -+ sb.append('\u2028'); -+ sb.append('\u2029'); -+ String result = JavaScriptUtils.javaScriptEscape(sb.toString()); -+ -+ assertEquals("\\u2028\\u2029", result); -+ } -+ -+ // SPR-9983 -+ -+ @Test -+ public void escapeLessThanGreaterThanSigns() throws UnsupportedEncodingException { -+ assertEquals("\\u003C\\u003E", JavaScriptUtils.javaScriptEscape("<>")); -+ } -+ -+} diff --git a/debian/patches/CVE-2014-0054.patch b/debian/patches/CVE-2014-0054.patch deleted file mode 100644 index dcb9faa..0000000 --- a/debian/patches/CVE-2014-0054.patch +++ /dev/null 
@@ -1,319 +0,0 @@ -From: Miguel Landaeta <[email protected]> -Date: Mon, 24 Mar 2014 16:57:19 -0300 -Subject: CVE-2014-0054 - -Bug: http://bugs.debian.org/741604 - -diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java -index 871075f..fea0519 100644 ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/castor/CastorMarshaller.java -@@ -120,6 +120,11 @@ public class CastorMarshaller extends AbstractMarshaller implements Initializing - this.encoding = encoding; - } - -+ @Override -+ protected String getDefaultEncoding() { -+ return this.encoding; -+ } -+ - /** - * Set the locations of the Castor XML Mapping files. - */ -diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java -index 1b3412d..37d7937 100644 ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java -@@ -317,6 +317,13 @@ public class Jaxb2Marshaller - this.processExternalEntities = processExternalEntities; - } - -+ /** -+ * @return the configured value for whether XML external entities are allowed. 
-+ */ -+ public boolean isProcessExternalEntities() { -+ return this.processExternalEntities; -+ } -+ - public void setBeanClassLoader(ClassLoader classLoader) { - this.beanClassLoader = classLoader; - } -diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java -index 5d6a053..0de00b2 100644 ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jibx/JibxMarshaller.java -@@ -1,5 +1,5 @@ - /* -- * Copyright 2002-2010 the original author or authors. -+ * Copyright 2002-2014 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. -@@ -28,6 +28,7 @@ import javax.xml.stream.XMLEventWriter; - import javax.xml.stream.XMLStreamException; - import javax.xml.stream.XMLStreamReader; - import javax.xml.stream.XMLStreamWriter; -+import javax.xml.transform.OutputKeys; - import javax.xml.transform.Result; - import javax.xml.transform.Source; - import javax.xml.transform.Transformer; -@@ -133,6 +134,11 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe - this.encoding = encoding; - } - -+ @Override -+ protected String getDefaultEncoding() { -+ return this.encoding; -+ } -+ - /** - * Set the document standalone flag for marshalling. By default, this flag is not present. 
- */ -@@ -301,7 +307,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe - } - catch (TransformerException ex) { - throw new MarshallingFailureException( -- "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]"); -+ "Could not transform to [" + ClassUtils.getShortName(result.getClass()) + "]", ex); - } - - } -@@ -367,7 +373,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe - @Override - protected Object unmarshalDomNode(Node node) throws XmlMappingException { - try { -- return transformAndUnmarshal(new DOMSource(node)); -+ return transformAndUnmarshal(new DOMSource(node), null); - } - catch (IOException ex) { - throw new UnmarshallingFailureException("JiBX unmarshalling exception", ex); -@@ -377,12 +383,15 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe - @Override - protected Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource) - throws XmlMappingException, IOException { -- return transformAndUnmarshal(new SAXSource(xmlReader, inputSource)); -+ return transformAndUnmarshal(new SAXSource(xmlReader, inputSource), inputSource.getEncoding()); - } - -- private Object transformAndUnmarshal(Source source) throws IOException { -+ private Object transformAndUnmarshal(Source source, String encoding) throws IOException { - try { - Transformer transformer = transformerFactory.newTransformer(); -+ if (encoding != null) { -+ transformer.setOutputProperty(OutputKeys.ENCODING, encoding); -+ } - ByteArrayOutputStream os = new ByteArrayOutputStream(); - transformer.transform(source, new StreamResult(os)); - ByteArrayInputStream is = new ByteArrayInputStream(os.toByteArray()); -@@ -390,7 +399,7 @@ public class JibxMarshaller extends AbstractMarshaller implements InitializingBe - } - catch (TransformerException ex) { - throw new MarshallingFailureException( -- "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + 
"]"); -+ "Could not transform from [" + ClassUtils.getShortName(source.getClass()) + "]", ex); - } - } - -diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java -index cee37bb..09bc006 100644 ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java -@@ -1,5 +1,5 @@ - /* -- * Copyright 2002-2010 the original author or authors. -+ * Copyright 2002-2014 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. -@@ -73,6 +73,34 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller { - - private final Object documentBuilderFactoryMonitor = new Object(); - -+ private boolean processExternalEntities = false; -+ -+ -+ /** -+ * Indicates whether external XML entities are processed when unmarshalling. -+ * <p>Default is {@code false}, meaning that external entities are not resolved. -+ * Note that processing of external entities will only be enabled/disabled when the -+ * {@code Source} passed to {@link #unmarshal(Source)} is a {@link SAXSource} or -+ * {@link StreamSource}. It has no effect for {@link DOMSource} or {@link StAXSource} -+ * instances. -+ */ -+ public void setProcessExternalEntities(boolean processExternalEntities) { -+ this.processExternalEntities = processExternalEntities; -+ } -+ -+ /** -+ * @return the configured value for whether XML external entities are allowed. -+ */ -+ public boolean isProcessExternalEntities() { -+ return this.processExternalEntities; -+ } -+ -+ /** -+ * @return the default encoding to use for marshalling or unmarshalling from -+ * a byte stream, or {@code null}. 
-+ */ -+ abstract protected String getDefaultEncoding(); -+ - - /** - * Marshals the object graph with the given root into the provided <code>javax.xml.transform.Result</code>. -@@ -131,7 +159,7 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller { - return unmarshalSaxSource((SAXSource) source); - } - else if (source instanceof StreamSource) { -- return unmarshalStreamSource((StreamSource) source); -+ return unmarshalStreamSourceNoExternalEntitities((StreamSource) source); - } - else { - throw new IllegalArgumentException("Unknown Source type: " + source.getClass()); -@@ -173,7 +201,9 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller { - * @throws SAXException if thrown by JAXP methods - */ - protected XMLReader createXmlReader() throws SAXException { -- return XMLReaderFactory.createXMLReader(); -+ XMLReader xmlReader = XMLReaderFactory.createXMLReader(); -+ xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities()); -+ return xmlReader; - } - - -@@ -356,8 +386,42 @@ public abstract class AbstractMarshaller implements Marshaller, Unmarshaller { - } - - /** -+ * Template method for handling {@code StreamSource}s with protection against -+ * the XML External Entity (XXE) processing vulnerability taking into account -+ * the value of the {@link #setProcessExternalEntities(boolean)} property. -+ * <p> -+ * The default implementation wraps the StreamSource as a SAXSource and delegates -+ * to {@link #unmarshalSaxSource(javax.xml.transform.sax.SAXSource)}. 
-+ * -+ * @param streamSource the {@code StreamSource} -+ * @return the object graph -+ * @throws IOException if an I/O exception occurs -+ * @throws XmlMappingException if the given source cannot be mapped to an object -+ * -+ * @see <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML_External_Entity_(XXE)_Processing</a> -+ */ -+ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource) throws XmlMappingException, IOException { -+ InputSource inputSource; -+ if (streamSource.getInputStream() != null) { -+ inputSource = new InputSource(streamSource.getInputStream()); -+ inputSource.setEncoding(getDefaultEncoding()); -+ } -+ else if (streamSource.getReader() != null) { -+ inputSource = new InputSource(streamSource.getReader()); -+ } -+ else { -+ inputSource = new InputSource(streamSource.getSystemId()); -+ } -+ return unmarshalSaxSource(new SAXSource(inputSource)); -+ } -+ -+ /** - * Template method for handling <code>StreamSource</code>s. - * <p>This implementation defers to <code>unmarshalInputStream</code> or <code>unmarshalReader</code>. -+ * <p>As of 3.2.8 and 4.0.2 this method is no longer invoked from -+ * {@link #unmarshal(javax.xml.transform.Source)}. The method invoked instead is -+ * {@link #unmarshalStreamSourceNoExternalEntitities(javax.xml.transform.stream.StreamSource)}. 
-+ * - * @param streamSource the <code>StreamSource</code> - * @return the object graph - * @throws IOException if an I/O exception occurs -diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java -index eb5a6e6..9f06b35 100644 ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xmlbeans/XmlBeansMarshaller.java -@@ -1,5 +1,5 @@ - /* -- * Copyright 2002-2009 the original author or authors. -+ * Copyright 2002-2014 the original author or authors. - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. -@@ -116,6 +116,10 @@ public class XmlBeansMarshaller extends AbstractMarshaller { - return this.validating; - } - -+ @Override -+ protected String getDefaultEncoding() { -+ return null; -+ } - - /** - * This implementation returns true if the given class is an implementation of {@link XmlObject}. 
-diff --git a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java -index d6521ff..efa9403 100644 ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java -@@ -26,11 +26,9 @@ import java.io.Writer; - import java.util.LinkedHashMap; - import java.util.List; - import java.util.Map; --import javax.xml.stream.XMLEventReader; --import javax.xml.stream.XMLEventWriter; --import javax.xml.stream.XMLStreamException; --import javax.xml.stream.XMLStreamReader; --import javax.xml.stream.XMLStreamWriter; -+import javax.xml.stream.*; -+import javax.xml.transform.stax.StAXSource; -+import javax.xml.transform.stream.StreamSource; - - import com.thoughtworks.xstream.XStream; - import com.thoughtworks.xstream.converters.ConversionException; -@@ -349,6 +347,11 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin - this.encoding = encoding; - } - -+ @Override -+ protected String getDefaultEncoding() { -+ return this.encoding; -+ } -+ - /** - * Set the classes supported by this marshaller. - * <p>If this property is empty (the default), all classes are supported. 
-@@ -470,6 +473,13 @@ public class XStreamMarshaller extends AbstractMarshaller implements Initializin - // Unmarshalling - - @Override -+ protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource) -+ throws XmlMappingException, IOException { -+ -+ return super.unmarshalStreamSource(streamSource); -+ } -+ -+ @Override - protected Object unmarshalDomNode(Node node) throws XmlMappingException { - HierarchicalStreamReader streamReader; - if (node instanceof Document) { -diff --git a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -index 15b7d8e..3126ca4 100644 ---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -@@ -85,6 +85,13 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe - this.processExternalEntities = processExternalEntities; - } - -+ /** -+ * @return the configured value for whether XML external entities are allowed. 
-+ */ -+ public boolean isProcessExternalEntities() { -+ return this.processExternalEntities; -+ } -+ - @Override - public boolean supports(Class<?> clazz) { - return DOMSource.class.equals(clazz) || SAXSource.class.equals(clazz) -@@ -146,7 +153,7 @@ public class SourceHttpMessageConverter<T extends Source> extends AbstractHttpMe - private Source readStAXSource(InputStream body) { - try { - XMLInputFactory inputFactory = XMLInputFactory.newFactory(); -- inputFactory.setProperty("javax.xml.stream.isSupportingExternalEntities", processExternalEntities); -+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, this.processExternalEntities); - XMLStreamReader streamReader = inputFactory.createXMLStreamReader(body); - return StaxUtils.createStaxSource(streamReader); - } diff --git a/debian/patches/CVE-2014-0225.patch b/debian/patches/CVE-2014-0225.patch deleted file mode 100644 index 9fe2e7b..0000000 --- a/debian/patches/CVE-2014-0225.patch +++ /dev/null 
@@ -1,305 +0,0 @@ ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/jaxb/Jaxb2Marshaller.java -@@ -21,6 +21,7 @@ - import java.io.IOException; - import java.io.InputStream; - import java.io.OutputStream; -+import java.io.StringReader; - import java.io.UnsupportedEncodingException; - import java.lang.reflect.GenericArrayType; - import java.lang.reflect.ParameterizedType; -@@ -69,6 +70,7 @@ - - import org.apache.commons.logging.Log; - import org.apache.commons.logging.LogFactory; -+import org.xml.sax.EntityResolver; - import org.xml.sax.InputSource; - import org.xml.sax.SAXException; - import org.xml.sax.XMLReader; -@@ -668,8 +670,11 @@ - if (xmlReader == null) { - xmlReader = XMLReaderFactory.createXMLReader(); - } -- xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", -- this.processExternalEntities); -+ String name = "http://xml.org/sax/features/external-general-entities"; -+ xmlReader.setFeature(name, isProcessExternalEntities()); -+ if (!isProcessExternalEntities()) { -+ xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER); -+ } - - return new SAXSource(xmlReader, inputSource); - } -@@ -865,4 +870,11 @@ - } - } - -+ -+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { -+ public InputSource resolveEntity(String publicId, String systemId) { -+ return new InputSource(new StringReader("")); -+ } -+ }; -+ - } ---- a/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java -+++ b/projects/org.springframework.oxm/src/main/java/org/springframework/oxm/support/AbstractMarshaller.java -@@ -20,6 +20,7 @@ - import java.io.InputStream; - import java.io.OutputStream; - import java.io.Reader; -+import java.io.StringReader; - import java.io.Writer; - import javax.xml.parsers.DocumentBuilder; - import javax.xml.parsers.DocumentBuilderFactory; -@@ 
-42,6 +43,7 @@ - import org.apache.commons.logging.LogFactory; - import org.w3c.dom.Node; - import org.xml.sax.ContentHandler; -+import org.xml.sax.EntityResolver; - import org.xml.sax.InputSource; - import org.xml.sax.SAXException; - import org.xml.sax.XMLReader; -@@ -203,6 +205,9 @@ - protected XMLReader createXmlReader() throws SAXException { - XMLReader xmlReader = XMLReaderFactory.createXMLReader(); - xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities()); -+ if (!isProcessExternalEntities()) { -+ xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER); -+ } - return xmlReader; - } - -@@ -563,4 +568,11 @@ - protected abstract Object unmarshalSaxReader(XMLReader xmlReader, InputSource inputSource) - throws XmlMappingException, IOException; - -+ -+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { -+ public InputSource resolveEntity(String publicId, String systemId) { -+ return new InputSource(new StringReader("")); -+ } -+ }; -+ - } ---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java -+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverter.java -@@ -17,6 +17,7 @@ - package org.springframework.http.converter.xml; - - import java.io.IOException; -+import java.io.StringReader; - import javax.xml.bind.JAXBElement; - import javax.xml.bind.JAXBException; - import javax.xml.bind.MarshalException; -@@ -28,6 +29,8 @@ - import javax.xml.bind.annotation.XmlType; - import javax.xml.transform.Result; - import javax.xml.transform.Source; -+import javax.xml.transform.sax.SAXSource; -+import javax.xml.transform.stream.StreamSource; - - import org.springframework.core.annotation.AnnotationUtils; - import org.springframework.http.HttpHeaders; -@@ -36,6 +39,11 @@ - import org.springframework.http.converter.HttpMessageNotReadableException; - import 
org.springframework.http.converter.HttpMessageNotWritableException; - import org.springframework.util.ClassUtils; -+import org.xml.sax.EntityResolver; -+import org.xml.sax.InputSource; -+import org.xml.sax.SAXException; -+import org.xml.sax.XMLReader; -+import org.xml.sax.helpers.XMLReaderFactory; - - /** - * Implementation of {@link org.springframework.http.converter.HttpMessageConverter HttpMessageConverter} that can read -@@ -49,6 +57,21 @@ - */ - public class Jaxb2RootElementHttpMessageConverter extends AbstractJaxb2HttpMessageConverter<Object> { - -+ private boolean processExternalEntities = false; -+ -+ -+ /** -+ * Indicates whether external XML entities are processed when converting to a Source. -+ * <p>Default is {@code false}, meaning that external entities are not resolved. -+ */ -+ public void setProcessExternalEntities(boolean processExternalEntities) { -+ this.processExternalEntities = processExternalEntities; -+ } -+ -+ public boolean isProcessExternalEntities() { -+ return this.processExternalEntities; -+ } -+ - @Override - public boolean canRead(Class<?> clazz, MediaType mediaType) { - return (clazz.isAnnotationPresent(XmlRootElement.class) || clazz.isAnnotationPresent(XmlType.class)) && -@@ -69,6 +92,7 @@ - @Override - protected Object readFromSource(Class<?> clazz, HttpHeaders headers, Source source) throws IOException { - try { -+ source = processSource(source); - Unmarshaller unmarshaller = createUnmarshaller(clazz); - if (clazz.isAnnotationPresent(XmlRootElement.class)) { - return unmarshaller.unmarshal(source); -@@ -87,6 +111,29 @@ - } - } - -+ protected Source processSource(Source source) { -+ if (source instanceof StreamSource) { -+ StreamSource streamSource = (StreamSource) source; -+ InputSource inputSource = new InputSource(streamSource.getInputStream()); -+ try { -+ XMLReader xmlReader = XMLReaderFactory.createXMLReader(); -+ String featureName = "http://xml.org/sax/features/external-general-entities"; -+ 
xmlReader.setFeature(featureName, isProcessExternalEntities()); -+ if (!isProcessExternalEntities()) { -+ xmlReader.setEntityResolver(NO_OP_ENTITY_RESOLVER); -+ } -+ return new SAXSource(xmlReader, inputSource); -+ } -+ catch (SAXException ex) { -+ logger.warn("Processing of external entities could not be disabled", ex); -+ return source; -+ } -+ } -+ else { -+ return source; -+ } -+ } -+ - @Override - protected void writeToResult(Object o, HttpHeaders headers, Result result) throws IOException { - try { -@@ -109,4 +156,11 @@ - } - } - -+ -+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { -+ public InputSource resolveEntity(String publicId, String systemId) { -+ return new InputSource(new StringReader("")); -+ } -+ }; -+ - } ---- a/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -+++ b/projects/org.springframework.web/src/main/java/org/springframework/http/converter/xml/SourceHttpMessageConverter.java -@@ -21,9 +21,11 @@ - import java.io.IOException; - import java.io.InputStream; - import java.io.OutputStream; -+import java.io.StringReader; - import javax.xml.parsers.DocumentBuilder; - import javax.xml.parsers.DocumentBuilderFactory; - import javax.xml.parsers.ParserConfigurationException; -+import javax.xml.stream.XMLResolver; - import javax.xml.stream.XMLInputFactory; - import javax.xml.stream.XMLStreamException; - import javax.xml.stream.XMLStreamReader; -@@ -38,6 +40,7 @@ - import javax.xml.transform.stream.StreamSource; - - import org.w3c.dom.Document; -+import org.xml.sax.EntityResolver; - import org.xml.sax.InputSource; - import org.xml.sax.SAXException; - import org.xml.sax.XMLReader; -@@ -125,8 +128,11 @@ - try { - DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance(); - documentBuilderFactory.setNamespaceAware(true); -- documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", 
processExternalEntities); -+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities()); - DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder(); -+ if (!isProcessExternalEntities()) { -+ documentBuilder.setEntityResolver(NO_OP_ENTITY_RESOLVER); -+ } - Document document = documentBuilder.parse(body); - return new DOMSource(document); - } -@@ -141,8 +147,11 @@ - private SAXSource readSAXSource(InputStream body) throws IOException { - try { - XMLReader reader = XMLReaderFactory.createXMLReader(); -- reader.setFeature("http://xml.org/sax/features/external-general-entities", processExternalEntities); -+ reader.setFeature("http://xml.org/sax/features/external-general-entities", isProcessExternalEntities()); - byte[] bytes = StreamUtils.copyToByteArray(body); -+ if (!isProcessExternalEntities()) { -+ reader.setEntityResolver(NO_OP_ENTITY_RESOLVER); -+ } - return new SAXSource(reader, new InputSource(new ByteArrayInputStream(bytes))); - } - catch (SAXException ex) { -@@ -219,4 +228,17 @@ - } - } - -+ -+ private static final EntityResolver NO_OP_ENTITY_RESOLVER = new EntityResolver() { -+ public InputSource resolveEntity(String publicId, String systemId) { -+ return new InputSource(new StringReader("")); -+ } -+ }; -+ -+ private static final XMLResolver NO_OP_XML_RESOLVER = new XMLResolver() { -+ public Object resolveEntity(String publicID, String systemID, String base, String ns) { -+ return new ByteArrayInputStream(new byte[0]); -+ } -+ }; -+ - } ---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTest.java -+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/Jaxb2RootElementHttpMessageConverterTest.java -@@ -98,6 +98,33 @@ - assertEquals("Invalid result", "Hello World", result.s); - } - -+ @Test -+ public void readXmlRootElementExternalEntityDisabled() throws Exception { 
-+ Resource external = new ClassPathResource("external.txt", getClass()); -+ String content = "<!DOCTYPE root SYSTEM \"http://192.168.28.42/1.jsp\" [" + -+ " <!ELEMENT external ANY >\n" + -+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" + -+ " <rootElement><external>&ext;</external></rootElement>"; -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8")); -+ RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage); -+ -+ assertEquals("", rootElement.external); -+ } -+ -+ @Test -+ public void readXmlRootElementExternalEntityEnabled() throws Exception { -+ Resource external = new ClassPathResource("external.txt", getClass()); -+ String content = "<!DOCTYPE root [" + -+ " <!ELEMENT external ANY >\n" + -+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]>" + -+ " <rootElement><external>&ext;</external></rootElement>"; -+ MockHttpInputMessage inputMessage = new MockHttpInputMessage(content.getBytes("UTF-8")); -+ this.converter.setProcessExternalEntities(true); -+ RootElement rootElement = (RootElement) converter.read(RootElement.class, inputMessage); -+ -+ assertEquals("Foo Bar", rootElement.external); -+ } -+ - @Test - public void writeXmlRootElement() throws Exception { - MockHttpOutputMessage outputMessage = new MockHttpOutputMessage(); ---- a/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java -+++ b/projects/org.springframework.web/src/test/java/org/springframework/http/converter/xml/SourceHttpMessageConverterTests.java -@@ -67,9 +67,10 @@ - converter = new SourceHttpMessageConverter<Source>(); - Resource external = new ClassPathResource("external.txt", getClass()); - -- bodyExternal = "<!DOCTYPE root [" + -- " <!ELEMENT root ANY >\n" + -- " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]><root>&ext;</root>"; -+ bodyExternal = "<!DOCTYPE root SYSTEM \"http://192.168.28.42/1.jsp\" [" + -+ " <!ELEMENT root ANY 
>\n" + -+ " <!ENTITY ext SYSTEM \"" + external.getURI() + "\" >]><root>&ext;</root>"; -+ - } - - @Test diff --git a/debian/patches/CVE-2014-1904.patch b/debian/patches/CVE-2014-1904.patch deleted file mode 100644 index d9274d1..0000000 --- a/debian/patches/CVE-2014-1904.patch +++ /dev/null 
@@ -1,46 +0,0 @@
-From: Miguel Landaeta <[email protected]>
-Date: Mon, 24 Mar 2014 17:07:58 -0300
-Subject: CVE-2014-1904
-
-Bug: http://bugs.debian.org/741604
-
-diff --git a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-index 2e9cc84..b416084 100644
---- a/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-+++ b/projects/org.springframework.web.servlet/src/main/java/org/springframework/web/servlet/tags/form/FormTag.java
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2002-2010 the original author or authors.
-+ * Copyright 2002-2014 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
-@@ -21,11 +21,14 @@ import javax.servlet.http.HttpServletResponse;
- import javax.servlet.jsp.JspException;
- import javax.servlet.jsp.PageContext;
-
-+import java.io.UnsupportedEncodingException;
-+
- import org.springframework.beans.PropertyAccessor;
- import org.springframework.core.Conventions;
- import org.springframework.util.ObjectUtils;
- import org.springframework.util.StringUtils;
- import org.springframework.web.util.HtmlUtils;
-+import org.springframework.web.util.UriUtils;
-
- /**
- * Databinding-aware JSP tag for rendering an HTML '<code>form</code>' whose
-@@ -397,6 +400,13 @@ public class FormTag extends AbstractHtmlElementTag {
- }
- else {
- String requestUri = getRequestContext().getRequestUri();
-+ String encoding = pageContext.getResponse().getCharacterEncoding();
-+ try {
-+ requestUri = UriUtils.encodePath(requestUri, encoding);
-+ }
-+ catch (UnsupportedEncodingException e) {
-+ throw new JspException(e);
-+ }
- ServletResponse response = this.pageContext.getResponse();
- if (response instanceof HttpServletResponse) {
- requestUri = ((HttpServletResponse) response).encodeURL(requestUri);
diff --git a/debian/patches/series b/debian/patches/series
index ce0d404..ffdb73a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -10,10 +10,5 @@
 0010_velocity_17.diff
 0011-java7-compat.patch
 Add-processExternalEntities-to-JAXB2Marshaller.patch
-CVE-2013-6429.patch
-CVE-2013-6430.patch
-CVE-2014-0054.patch
-CVE-2014-1904.patch
-CVE-2014-0225.patch
 0012_use_debian_asm4.patch
 0013-disable-struts-bundle.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/libspring-java.git
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

