File castor-0.9.5-CVE-2014-3004.patch of Package castor
diff -urN castor-0.9.5.old/src/doc/conf-lib.xml castor-0.9.5/src/doc/conf-lib.xml --- castor-0.9.5.old/src/doc/conf-lib.xml 2014-06-12 13:41:30.342969269 +0200 +++ castor-0.9.5/src/doc/conf-lib.xml 2014-06-12 14:12:10.220139402 +0200 @@ -45,7 +45,12 @@ # Comma separated list of SAX 2 features that should be enabled # for the default parser # - org.exolab.castor.features= + org.exolab.castor.sax.features= + + # Comma separated list of SAX 2 features that should be disabled + # for the default parser + # + org.exolab.castor.sax.features-to-disable= # True if should produce verbose messages # diff -urN castor-0.9.5.old/src/etc/castor.properties castor-0.9.5/src/etc/castor.properties --- castor-0.9.5.old/src/etc/castor.properties 2014-06-12 13:41:30.344969269 +0200 +++ castor-0.9.5/src/etc/castor.properties 2014-06-12 13:55:57.979049499 +0200 @@ -24,6 +24,21 @@ # #org.exolab.castor.indent=true +# Comma separated list of SAX 2 features that should be disabled for the +# default parser. +# +# Possible values: +# - <null> +# - A list if SAX 2 features (comma-separated) to be disabled. (default) +# +# <pre> +# org.exolab.castor.sax.features-to-disable +# </pre> +# +org.exolab.castor.sax.features-to-disable=\ + http://xml.org/sax/features/external-general-entities,\ + http://xml.org/sax/features/external-parameter-entities,\ + http://apache.org/xml/features/nonvalidating/load-external-dtd # True if xml documents should be validated by the SAX Parser 
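Review bot: The three defaults added under `org.exolab.castor.sax.features-to-disable` protect only deployments that actually load this bundled castor.properties, because the lookup added in Configuration.java is `getProperty(Property.ParserFeaturesToDisable, "")` and an absent key therefore disables nothing. How an application-supplied castor.properties combines with this file is not visible here; if it replaces rather than merges, existing installs keep external entity resolution after the update. Consider making the same three feature URIs the fallback value in code instead of the empty string. The comment line `# - A list if SAX 2 features` should read `of`.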
@@ -38,7 +53,7 @@ # Comma separated list of SAX 2 features that should be enabled # for the default parser. # -#org.exolab.castor.features= +#org.exolab.castor.sax.features= # True if should produce verbose messages diff -urN castor-0.9.5.old/src/main/org/exolab/castor/util/Configuration.java castor-0.9.5/src/main/org/exolab/castor/util/Configuration.java --- castor-0.9.5.old/src/main/org/exolab/castor/util/Configuration.java 2014-06-12 13:41:30.336969268 +0200 +++ castor-0.9.5/src/main/org/exolab/castor/util/Configuration.java 2014-06-12 16:59:51.975069813 +0200 @@ -58,6 +58,8 @@ import java.util.Hashtable; import java.net.URL; import org.xml.sax.SAXException; +import org.xml.sax.SAXNotRecognizedException; +import org.xml.sax.SAXNotSupportedException; import org.xml.sax.DocumentHandler; import org.xml.sax.Parser; import org.xml.sax.XMLReader; @@ -183,6 +185,15 @@ */ public static final String ParserFeatures = "org.exolab.castor.sax.features"; + /** + * Property specifying features to be disbaled on the underlying SAX parser. + * This value contains a comma separated list of features to be disabled. + * <pre> + * org.exolab.castor.sax.features-to-disable + * </pre> + */ + public static final String ParserFeaturesToDisable = "org.exolab.castor.sax.features-to-disable"; + public static final String ParserFeatureSeparator = ","; /** 
@@ -555,29 +566,74 @@ prop, except ) ); } - if ( parser instanceof XMLReader ) { - StringTokenizer token; - boolean flag; - XMLReader xmlReader = (XMLReader)parser; - try { - xmlReader.setFeature( Features.Validation, validation ); - xmlReader.setFeature( Features.Namespaces, namespaces ); - features = getDefault().getProperty( Property.ParserFeatures, features ); - if ( features != null ) { - token = new StringTokenizer( features, ", " ); - while ( token.hasMoreTokens() ) { - xmlReader.setFeature( token.nextToken(), true ); - } - } - } - catch ( SAXException except ) { - Logger.getSystemLogger().println( Messages.format( "conf.configurationError", except ) ); - } + if (parser instanceof XMLReader) { + XMLReader xmlReader = (XMLReader) parser; + setFeaturesOnXmlReader(features, validation, namespaces, xmlReader); } return parser; } /** + * Sets features on XML reader instance. + * @param features + * @param validation Whether to enable validation or not. + * @param namespaces Whether to enable namespace support for not. + * @param xmlReader The XMLReader instance to configure. + */ + protected static void setFeaturesOnXmlReader(String features, + final boolean validation, + final boolean namespaces, + final XMLReader xmlReader) { + StringTokenizer token; + try { + xmlReader.setFeature(Features.Validation, validation); + xmlReader.setFeature(Features.Namespaces, namespaces); + features = getDefault().getProperty(Property.ParserFeatures, features); + enableFeatures(features, xmlReader); + String featuresToDisable = getDefault().getProperty(Property.ParserFeaturesToDisable, ""); + disableFeatures(featuresToDisable, xmlReader); + } catch (SAXException except) { + Logger.getSystemLogger().println(Messages.format("conf.configurationError", except)); + } + } + + /** + * Enables selected features on the XMLReader instance + * @param features Features to enable + * @param xmlReader XMLReader instance to be configured. 
+ * @throws SAXNotRecognizedException If the feature is not recognized by the XMLReader. + * @throws SAXNotSupportedException If the feature is not supported by the XMLReader. + */ + private static void enableFeatures(final String features, final XMLReader xmlReader) + throws SAXNotRecognizedException, SAXNotSupportedException { + StringTokenizer token; + if (features != null) { + token = new StringTokenizer(features, ", "); + while (token.hasMoreTokens()) { + xmlReader.setFeature(token.nextToken(), true); + } + } + } + + /** + * Disables selected features on the XMLReader instance + * @param features Features to disable + * @param xmlReader XMLReader instance to be configured. + * @throws SAXNotRecognizedException If the feature is not recognized by the XMLReader. + * @throws SAXNotSupportedException If the feature is not supported by the XMLReader. + */ + private static void disableFeatures(String features, final XMLReader xmlReader) + throws SAXNotRecognizedException, SAXNotSupportedException { + StringTokenizer token; + if (features != null) { + token = new StringTokenizer(features, ", "); + while (token.hasMoreTokens()) { + xmlReader.setFeature(token.nextToken(), true); + } + } + } + + /** * Returns the currently configured NodeType to use for Java * primitives. A null value will be returned if no NodeType was * specified, indicating the default NodeType should be used. diff -urN castor-0.9.5.old/src/main/org/exolab/castor/util/LocalConfiguration.java castor-0.9.5/src/main/org/exolab/castor/util/LocalConfiguration.java --- castor-0.9.5.old/src/main/org/exolab/castor/util/LocalConfiguration.java 2014-06-12 13:41:30.336969268 +0200 +++ castor-0.9.5/src/main/org/exolab/castor/util/LocalConfiguration.java 2014-06-12 14:09:12.421122961 +0200 
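Review bot: `disableFeatures` passes `true` to `setFeature`, exactly as `enableFeatures` does, so every URI listed under `org.exolab.castor.sax.features-to-disable` is switched on rather than off; with the defaults added to castor.properties this explicitly enables external general entities, external parameter entities and external DTD loading, the opposite of what the patch is for. The call in `disableFeatures` should read `xmlReader.setFeature(token.nextToken(), false);`. In `setFeaturesOnXmlReader` the single `try` also means a `SAXException` thrown by `enableFeatures`, or by an earlier entry in the disable list, is only logged and the remaining features are never turned off, so the parser is returned in whatever state it had; handling each feature separately and treating a failed disable as an error would close that fail-open path. The local `StringTokenizer token;` in `setFeaturesOnXmlReader` is unused and can be dropped. The three helpers are complete in this hunk, while the method that calls `setFeaturesOnXmlReader` starts above it.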
@@ -326,25 +326,11 @@ prop, except ) ); } - if ( parser instanceof XMLReader ) { - StringTokenizer token; - boolean flag; - XMLReader xmlReader = (XMLReader)parser; - try { - xmlReader.setFeature( Features.Validation, validation ); - xmlReader.setFeature( Features.Namespaces, namespaces ); - features = getDefault().getProperty( Property.ParserFeatures, features ); - if ( features != null ) { - token = new StringTokenizer( features, ", " ); - while ( token.hasMoreTokens() ) { - xmlReader.setFeature( token.nextToken(), true ); - } - } - } - catch ( SAXException except ) { - Logger.getSystemLogger().println( Messages.format( "conf.configurationError", except ) ); - } + if (parser instanceof XMLReader) { + XMLReader xmlReader = (XMLReader) parser; + setFeaturesOnXmlReader(features, validation, namespaces, xmlReader); } + return parser; }
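Review bot: The new call `setFeaturesOnXmlReader(features, validation, namespaces, xmlReader)` hands property lookup to the static helper in Configuration, so `getDefault()` is now evaluated there, whereas the removed lines called `getDefault()` from inside LocalConfiguration. If LocalConfiguration declares or resolves its own `getDefault()` (its declaration is outside this hunk, so this is an assumption to confirm), a locally configured `org.exolab.castor.sax.features` or `org.exolab.castor.sax.features-to-disable` would no longer be honoured for parsers obtained through this class. A short comment at the call site, for example `// feature lists are read from Configuration.getDefault(), not from this local configuration`, or passing the property source into the helper, would make the behaviour explicit. The enclosing method starts above the hunk.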