File castor-0.9.5-CVE-2014-3004.patch of Package castor
diff -urN castor-0.9.5.old/src/doc/conf-lib.xml castor-0.9.5/src/doc/conf-lib.xml
--- castor-0.9.5.old/src/doc/conf-lib.xml 2014-06-12 13:41:30.342969269 +0200
+++ castor-0.9.5/src/doc/conf-lib.xml 2014-06-12 14:12:10.220139402 +0200
@@ -45,7 +45,12 @@
# Comma separated list of SAX 2 features that should be enabled
# for the default parser
#
- org.exolab.castor.features=
+ org.exolab.castor.sax.features=
+
+ # Comma separated list of SAX 2 features that should be disabled
+ # for the default parser
+ #
+ org.exolab.castor.sax.features-to-disable=
# True if should produce verbose messages
#
diff -urN castor-0.9.5.old/src/etc/castor.properties castor-0.9.5/src/etc/castor.properties
--- castor-0.9.5.old/src/etc/castor.properties 2014-06-12 13:41:30.344969269 +0200
+++ castor-0.9.5/src/etc/castor.properties 2014-06-12 13:55:57.979049499 +0200
@@ -24,6 +24,21 @@
#
#org.exolab.castor.indent=true
+# Comma separated list of SAX 2 features that should be disabled for the
+# default parser.
+#
+# Possible values:
+# - <null>
+# - A list if SAX 2 features (comma-separated) to be disabled. (default)
+#
+# <pre>
+# org.exolab.castor.sax.features-to-disable
+# </pre>
+#
+org.exolab.castor.sax.features-to-disable=\
+ http://xml.org/sax/features/external-general-entities,\
+ http://xml.org/sax/features/external-parameter-entities,\
+ http://apache.org/xml/features/nonvalidating/load-external-dtd
# True if xml documents should be validated by the SAX Parser
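Review bot: The shipped disable list stops external general/parameter entities and external DTD loading, but the internal DTD subset is still processed, so entity-expansion payloads ("billion laughs") remain accepted unless the underlying parser enforces its own limits; if inline DOCTYPEs are not required, `http://apache.org/xml/features/disallow-doctype-decl` is worth adding to the list (Xerces-specific, so a non-Xerces reader will report it as unrecognized). Note also that the hardening lives only in this properties file: in Configuration.java the code default for `org.exolab.castor.sax.features-to-disable` is the empty string, so a deployment that ships its own castor.properties without this key gets no XXE protection at all — baking the same three features into the code default would close that gap. The comment has a typo: `# - A list of SAX 2 features (comma-separated) to be disabled. (default)`.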
@@ -38,7 +53,7 @@
# Comma separated list of SAX 2 features that should be enabled
# for the default parser.
#
-#org.exolab.castor.features=
+#org.exolab.castor.sax.features=
# True if should produce verbose messages
diff -urN castor-0.9.5.old/src/main/org/exolab/castor/util/Configuration.java castor-0.9.5/src/main/org/exolab/castor/util/Configuration.java
--- castor-0.9.5.old/src/main/org/exolab/castor/util/Configuration.java 2014-06-12 13:41:30.336969268 +0200
+++ castor-0.9.5/src/main/org/exolab/castor/util/Configuration.java 2014-06-12 16:59:51.975069813 +0200
@@ -58,6 +58,8 @@
import java.util.Hashtable;
import java.net.URL;
import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.DocumentHandler;
import org.xml.sax.Parser;
import org.xml.sax.XMLReader;
@@ -183,6 +185,15 @@
*/
public static final String ParserFeatures = "org.exolab.castor.sax.features";
+ /**
+ * Property specifying features to be disbaled on the underlying SAX parser.
+ * This value contains a comma separated list of features to be disabled.
+ * <pre>
+ * org.exolab.castor.sax.features-to-disable
+ * </pre>
+ */
+ public static final String ParserFeaturesToDisable = "org.exolab.castor.sax.features-to-disable";
+
public static final String ParserFeatureSeparator = ",";
/**
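Review bot: Typo in the javadoc of the new constant: `* Property specifying features to be disabled on the underlying SAX parser.`. It would also help readers to state the precedence here, since the configuration code applies this list after the enable list, so a feature named in both `org.exolab.castor.sax.features` and this property ends up disabled.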
@@ -555,29 +566,74 @@
prop, except ) );
}
- if ( parser instanceof XMLReader ) {
- StringTokenizer token;
- boolean flag;
- XMLReader xmlReader = (XMLReader)parser;
- try {
- xmlReader.setFeature( Features.Validation, validation );
- xmlReader.setFeature( Features.Namespaces, namespaces );
- features = getDefault().getProperty( Property.ParserFeatures, features );
- if ( features != null ) {
- token = new StringTokenizer( features, ", " );
- while ( token.hasMoreTokens() ) {
- xmlReader.setFeature( token.nextToken(), true );
- }
- }
- }
- catch ( SAXException except ) {
- Logger.getSystemLogger().println( Messages.format( "conf.configurationError", except ) );
- }
+ if (parser instanceof XMLReader) {
+ XMLReader xmlReader = (XMLReader) parser;
+ setFeaturesOnXmlReader(features, validation, namespaces, xmlReader);
}
return parser;
}
/**
+ * Sets features on XML reader instance.
+ * @param features
+ * @param validation Whether to enable validation or not.
+ * @param namespaces Whether to enable namespace support for not.
+ * @param xmlReader The XMLReader instance to configure.
+ */
+ protected static void setFeaturesOnXmlReader(String features,
+ final boolean validation,
+ final boolean namespaces,
+ final XMLReader xmlReader) {
+ StringTokenizer token;
+ try {
+ xmlReader.setFeature(Features.Validation, validation);
+ xmlReader.setFeature(Features.Namespaces, namespaces);
+ features = getDefault().getProperty(Property.ParserFeatures, features);
+ enableFeatures(features, xmlReader);
+ String featuresToDisable = getDefault().getProperty(Property.ParserFeaturesToDisable, "");
+ disableFeatures(featuresToDisable, xmlReader);
+ } catch (SAXException except) {
+ Logger.getSystemLogger().println(Messages.format("conf.configurationError", except));
+ }
+ }
+
+ /**
+ * Enables selected features on the XMLReader instance
+ * @param features Features to enable
+ * @param xmlReader XMLReader instance to be configured.
+ * @throws SAXNotRecognizedException If the feature is not recognized by the XMLReader.
+ * @throws SAXNotSupportedException If the feature is not supported by the XMLReader.
+ */
+ private static void enableFeatures(final String features, final XMLReader xmlReader)
+ throws SAXNotRecognizedException, SAXNotSupportedException {
+ StringTokenizer token;
+ if (features != null) {
+ token = new StringTokenizer(features, ", ");
+ while (token.hasMoreTokens()) {
+ xmlReader.setFeature(token.nextToken(), true);
+ }
+ }
+ }
+
+ /**
+ * Disables selected features on the XMLReader instance
+ * @param features Features to disable
+ * @param xmlReader XMLReader instance to be configured.
+ * @throws SAXNotRecognizedException If the feature is not recognized by the XMLReader.
+ * @throws SAXNotSupportedException If the feature is not supported by the XMLReader.
+ */
+ private static void disableFeatures(String features, final XMLReader xmlReader)
+ throws SAXNotRecognizedException, SAXNotSupportedException {
+ StringTokenizer token;
+ if (features != null) {
+ token = new StringTokenizer(features, ", ");
+ while (token.hasMoreTokens()) {
+ xmlReader.setFeature(token.nextToken(), true);
+ }
+ }
+ }
+
+ /**
* Returns the currently configured NodeType to use for Java
* primitives. A null value will be returned if no NodeType was
* specified, indicating the default NodeType should be used.
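Review bot: `disableFeatures` never disables anything: the loop at the end of the hunk calls `xmlReader.setFeature(token.nextToken(), true)`, identical to `enableFeatures`, so the external-entity and external-DTD features listed in castor.properties are explicitly switched on and the XXE exposure this patch targets remains; the call must be `xmlReader.setFeature(token.nextToken(), false);`. A second weakness is the single `catch (SAXException except)` in `setFeaturesOnXmlReader`: the first feature the reader does not recognize (for instance the Xerces-specific `load-external-dtd` on another SAX implementation) aborts the rest of the disable list and is only logged, leaving the parser partly hardened with no way for the caller to notice — handling each feature on its own keeps the remaining ones disabled. Whether an unsupported disable feature should be fatal rather than logged is a policy choice I cannot settle from this file, but the log line should at least name the feature. The unused `StringTokenizer token;` local in `setFeaturesOnXmlReader` can also be dropped.
```java
private static void disableFeatures(String features, final XMLReader xmlReader)
        throws SAXNotRecognizedException, SAXNotSupportedException {
    if (features == null) {
        return;
    }
    StringTokenizer token = new StringTokenizer(features, ", ");
    while (token.hasMoreTokens()) {
        String feature = token.nextToken();
        try {
            xmlReader.setFeature(feature, false);   // was: true, which enabled the feature
        } catch (SAXException except) {
            // one unrecognized feature must not leave the remaining ones enabled
            Logger.getSystemLogger().println(Messages.format("conf.configurationError", except));
        }
    }
}
```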
diff -urN castor-0.9.5.old/src/main/org/exolab/castor/util/LocalConfiguration.java castor-0.9.5/src/main/org/exolab/castor/util/LocalConfiguration.java
--- castor-0.9.5.old/src/main/org/exolab/castor/util/LocalConfiguration.java 2014-06-12 13:41:30.336969268 +0200
+++ castor-0.9.5/src/main/org/exolab/castor/util/LocalConfiguration.java 2014-06-12 14:09:12.421122961 +0200
@@ -326,25 +326,11 @@
prop, except ) );
}
- if ( parser instanceof XMLReader ) {
- StringTokenizer token;
- boolean flag;
- XMLReader xmlReader = (XMLReader)parser;
- try {
- xmlReader.setFeature( Features.Validation, validation );
- xmlReader.setFeature( Features.Namespaces, namespaces );
- features = getDefault().getProperty( Property.ParserFeatures, features );
- if ( features != null ) {
- token = new StringTokenizer( features, ", " );
- while ( token.hasMoreTokens() ) {
- xmlReader.setFeature( token.nextToken(), true );
- }
- }
- }
- catch ( SAXException except ) {
- Logger.getSystemLogger().println( Messages.format( "conf.configurationError", except ) );
- }
+ if (parser instanceof XMLReader) {
+ XMLReader xmlReader = (XMLReader) parser;
+ setFeaturesOnXmlReader(features, validation, namespaces, xmlReader);
}
+
return parser;
}
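Review bot: The new call delegates to a helper that reads the disable list through `getDefault().getProperty(Property.ParserFeaturesToDisable, "")`, i.e. from the static default configuration, so a `features-to-disable` value present only in a LocalConfiguration instance's own properties would not be applied to this reader; if LocalConfiguration is meant to honor per-instance castor.properties (its property lookup is not visible in this hunk), the helper should take the properties source as a parameter instead of calling `getDefault()`. The unqualified call to `setFeaturesOnXmlReader` assumes LocalConfiguration extends Configuration, which I cannot confirm from here. The enclosing method begins before the hunk.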