File fix-XXE-in-initDocumentParser.patch of Package quartz

Index: src/quartz-quartz-2.3.0/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
===================================================================
--- src.orig/quartz-quartz-2.3.0/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+++ src/quartz-quartz-2.3.0/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
@@ -173,7 +173,14 @@ public class XMLSchedulingDataProcessor
         docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema");
         
         docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
-        
+
+        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        docBuilderFactory.setXIncludeAware(false);
+        docBuilderFactory.setExpandEntityReferences(false);
+
         docBuilder = docBuilderFactory.newDocumentBuilder();
         
         docBuilder.setErrorHandler(this);
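Review bot: The four `setFeature` calls on the added lines use Xerces/SAX feature URIs with no comment, and `DocumentBuilderFactory.setFeature` throws `ParserConfigurationException` when the provider does not support a feature, so if a non-Xerces JAXP provider is on the classpath the parser setup now fails instead of running unhardened; that fail-closed outcome is the right one for a security fix, but a reader of this method will not know it is intended. I would add above the first `setFeature` line: `// Harden against XXE: reject any DOCTYPE (which also rules out entity-expansion attacks) and never fetch external DTDs or entities.` followed by `// setFeature() throws ParserConfigurationException on parsers lacking these features, so an unsupported provider fails closed rather than parsing unhardened.` With DOCTYPE disallowed, `setExpandEntityReferences(false)` adds nothing beyond defence in depth, which is fine to keep but worth saying in the same comment. The enclosing method starts and ends outside this hunk.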
Index: src/quartz-quartz-2.3.0/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
===================================================================
--- src.orig/quartz-quartz-2.3.0/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+++ src/quartz-quartz-2.3.0/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
@@ -30,6 +30,7 @@ import org.quartz.simpl.CascadingClassLo
 import org.quartz.simpl.SimpleThreadPool;
 import org.quartz.spi.ClassLoadHelper;
 import org.quartz.utils.DBConnectionManager;
+import org.xml.sax.SAXParseException;
 
 /**
  * Unit test for XMLSchedulingDataProcessor.
@@ -204,6 +205,31 @@ public class XMLSchedulingDataProcessorT
    		}
    	}
 
+	public void testXmlParserConfiguration() throws Exception {
+		Scheduler scheduler = null;
+		try {
+			StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
+			scheduler = factory.getScheduler();
+			ClassLoadHelper clhelper = new CascadingClassLoadHelper();
+			clhelper.initialize();
+			XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
+			processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
+
+
+			final JobKey jobKey = scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
+			final JobDetail jobDetail = scheduler.getJobDetail(jobKey);
+			final String description = jobDetail.getDescription();
+
+
+			fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
+		} catch (SAXParseException e) {
+			assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
+		} finally {
+			if (scheduler != null)
+				scheduler.shutdown();
+		}
+	}
+
 	private Date dateOfGMT_UTC(int hour, int minute, int second, int dayOfMonth, int month, int year) {
 		final GregorianCalendar calendar = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
 		calendar.set(year, month, dayOfMonth, hour, minute, second);
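Review bot: The assertion in the `catch` block, `assertTrue(e.getMessage().contains("DOCTYPE is disallowed"))`, pins the test to Xerces' exact error wording and, when it fails, reports nothing about which exception was actually thrown. A message argument keeps the failure diagnosable: `assertTrue("unexpected parse error: " + e.getMessage(), e.getMessage().contains("DOCTYPE is disallowed"));`. Also, if the parser ever accepted the DOCTYPE without scheduling a job, `.iterator().next()` on the empty key set would throw `NoSuchElementException` and mask the intended `fail(...)` message, so guarding that lookup with `assertFalse(jobKeys.isEmpty())` first would make the negative path report correctly. The enclosing test class starts and ends outside this hunk.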
Index: src/quartz-quartz-2.3.0/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
===================================================================
--- /dev/null
+++ src/quartz-quartz-2.3.0/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [<!ELEMENT foo ANY >
+		<!ENTITY xxe SYSTEM "/" >]>
+<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
+	<schedule>
+		<job>
+			<name>xxe</name>
+			<group>native</group>
+			<description>&xxe;</description>
+			<job-class>org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob</job-class>
+			<durability>true</durability>
+			<recover>false</recover>
+		</job>
+	</schedule>
+</job-scheduling-data> 
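Review bot: This new fixture has no comment stating what it is for, and a file that deliberately carries an XXE payload is easy to mistake for a stray or malicious resource later. I would add, right after the DOCTYPE declaration, `<!-- Regression fixture for XMLSchedulingDataProcessor: the DOCTYPE above must be rejected by the hardened parser; the entity is never meant to be resolved. -->`. Note that the entity's target `/` is a directory on POSIX systems, so even an unhardened parser would likely fail to read it rather than inject its contents into the description; the test therefore relies on the DOCTYPE guard firing, not on detecting exfiltration, which the comment should make explicit.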