Overview

File xalan-j2-CVE-2014-0107.patch of Package xalan-j2

diff -urN xalan-j_2_7_0.old/src/org/apache/xalan/processor/TransformerFactoryImpl.java xalan-j_2_7_0/src/org/apache/xalan/processor/TransformerFactoryImpl.java
--- xalan-j_2_7_0.old/src/org/apache/xalan/processor/TransformerFactoryImpl.java	2014-06-23 10:04:20.937647966 +0200
+++ xalan-j_2_7_0/src/org/apache/xalan/processor/TransformerFactoryImpl.java	2014-06-23 10:05:21.555653572 +0200
@@ -333,6 +333,11 @@
           reader = XMLReaderFactory.createXMLReader();
         }
 
+        if(m_isSecureProcessing)
+        {
+          reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+        }
+
         // Need to set options!
         reader.setContentHandler(handler);
         reader.parse(isource);
diff -urN xalan-j_2_7_0.old/src/org/apache/xalan/processor/XSLTElementProcessor.java xalan-j_2_7_0/src/org/apache/xalan/processor/XSLTElementProcessor.java
--- xalan-j_2_7_0.old/src/org/apache/xalan/processor/XSLTElementProcessor.java	2014-06-23 10:04:20.938647967 +0200
+++ xalan-j_2_7_0/src/org/apache/xalan/processor/XSLTElementProcessor.java	2014-06-23 10:07:05.642663197 +0200
@@ -333,17 +333,31 @@
       }
       else
       {
-        // Can we switch the order here:
-
-        boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
-                             attributes.getQName(i), attributes.getValue(i),
-                             target);
-                             
-        // Now we only add the element if it passed a validation check
-        if (success)
-            processedDefs.addElement(attrDef);
+        //handle secure processing
+        if(handler.getStylesheetProcessor()==null)
+            System.out.println("stylesheet processor null");
+        if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
+        {
+            //foreign attributes are not allowed in secure processing mode
+            // Then barf, because this element does not allow this attribute.
+            handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
+            //+ " attribute is not allowed on the " + rawName
+            // + " element!", null);
+        }
         else
-            errorDefs.addElement(attrDef);
+        {
+
+
+            boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+                                 attributes.getQName(i), attributes.getValue(i),
+                                 target);
+
+            // Now we only add the element if it passed a validation check
+            if (success)
+                processedDefs.add(attrDef);
+            else
+                errorDefs.add(attrDef);
+        }
       }
     }
 
diff -urN xalan-j_2_7_0.old/src/org/apache/xalan/transformer/TransformerImpl.java xalan-j_2_7_0/src/org/apache/xalan/transformer/TransformerImpl.java
--- xalan-j_2_7_0.old/src/org/apache/xalan/transformer/TransformerImpl.java	2014-06-23 10:04:20.937647966 +0200
+++ xalan-j_2_7_0/src/org/apache/xalan/transformer/TransformerImpl.java	2014-06-23 10:07:54.640667728 +0200
@@ -438,7 +438,9 @@
     try
     {
       if (sroot.getExtensions() != null)
-        m_extensionsTable = new ExtensionsTable(sroot);
+        //only load extensions if secureProcessing is disabled
+        if(!sroot.isSecureProcessing())
+            m_extensionsTable = new ExtensionsTable(sroot);
     }
     catch (javax.xml.transform.TransformerException te)
     {te.printStackTrace();}
diff -urN xalan-j_2_7_0.old/src/org/apache/xpath/functions/FuncSystemProperty.java xalan-j_2_7_0/src/org/apache/xpath/functions/FuncSystemProperty.java
--- xalan-j_2_7_0.old/src/org/apache/xpath/functions/FuncSystemProperty.java	2014-06-23 10:04:20.930647966 +0200
+++ xalan-j_2_7_0/src/org/apache/xpath/functions/FuncSystemProperty.java	2014-06-23 10:09:30.433676586 +0200
@@ -56,7 +56,7 @@
 
     String fullName = m_arg0.execute(xctxt).str();
     int indexOfNSSep = fullName.indexOf(':');
-    String result;
+    String result = null;
     String propName = "";
 
     // List of properties where the name of the
@@ -96,14 +96,20 @@
 
         try
         {
-          result = System.getProperty(propName);
-
-          if (null == result)
-          {
-
-            // result = System.getenv(propName);
-            return XString.EMPTYSTRING;
-          }
+            //if secure procession is enabled only handle required properties do not not map any valid system property
+            if(!xctxt.isSecureProcessing())
+            {
+                result = System.getProperty(propName);
+            }
+            else
+            {
+                warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+                        new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
+            }
+            if (null == result)
+            {
+                return XString.EMPTYSTRING;
+            }
         }
         catch (SecurityException se)
         {
@@ -118,14 +124,20 @@
     {
       try
       {
-        result = System.getProperty(fullName);
-
-        if (null == result)
-        {
-
-          // result = System.getenv(fullName);
-          return XString.EMPTYSTRING;
-        }
+          //if secure procession is enabled only handle required properties do not not map any valid system property
+          if(!xctxt.isSecureProcessing())
+          {
+              result = System.getProperty(fullName);
+          }
+          else
+          {
+              warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+                      new Object[]{ fullName });  //"SecurityException when trying to access XSL system property: "+fullName);
+          }
+          if (null == result)
+          {
+              return XString.EMPTYSTRING;
+          }
       }
       catch (SecurityException se)
       {
openSUSE Build Service is sponsored by
Places