SUSE:SLE-12:Update
xalan-j2
xalan-j2-CVE-2014-0107.patch
File xalan-j2-CVE-2014-0107.patch of Package xalan-j2
diff -urN xalan-j_2_7_0.old/src/org/apache/xalan/processor/TransformerFactoryImpl.java xalan-j_2_7_0/src/org/apache/xalan/processor/TransformerFactoryImpl.java
--- xalan-j_2_7_0.old/src/org/apache/xalan/processor/TransformerFactoryImpl.java 2014-06-23 10:04:20.937647966 +0200
+++ xalan-j_2_7_0/src/org/apache/xalan/processor/TransformerFactoryImpl.java 2014-06-23 10:05:21.555653572 +0200
@@ -333,6 +333,11 @@
 reader = XMLReaderFactory.createXMLReader();
 }
+ if(m_isSecureProcessing)
+ {
+ reader.setFeature("http://xml.org/sax/features/external-general-entities",false);
+ }
+
 // Need to set options!
 reader.setContentHandler(handler);
 reader.parse(isource);
diff -urN xalan-j_2_7_0.old/src/org/apache/xalan/processor/XSLTElementProcessor.java xalan-j_2_7_0/src/org/apache/xalan/processor/XSLTElementProcessor.java
--- xalan-j_2_7_0.old/src/org/apache/xalan/processor/XSLTElementProcessor.java 2014-06-23 10:04:20.938647967 +0200
+++ xalan-j_2_7_0/src/org/apache/xalan/processor/XSLTElementProcessor.java 2014-06-23 10:07:05.642663197 +0200
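Review bot: Only `external-general-entities` is switched off in the added `if(m_isSecureProcessing)` block in TransformerFactoryImpl.java, so under secure processing this reader still resolves external parameter entities and the external DTD subset. I would add `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` beside it, plus a one-line comment such as `// secure processing: do not let the parsed source pull in external entities`. The enclosing method starts and ends outside the hunk, so whether the SAXNotRecognizedException / SAXNotSupportedException that setFeature can throw is handled is not visible here.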
@@ -333,17 +333,31 @@
 }
 else
 {
- // Can we switch the order here:
-
- boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
- attributes.getQName(i), attributes.getValue(i),
- target);
-
- // Now we only add the element if it passed a validation check
- if (success)
- processedDefs.addElement(attrDef);
+ //handle secure processing
+ if(handler.getStylesheetProcessor()==null)
+ System.out.println("stylesheet processor null");
+ if(attrDef.getName().compareTo("*")==0 && handler.getStylesheetProcessor().isSecureProcessing())
+ {
+ //foreign attributes are not allowed in secure processing mode
+ // Then barf, because this element does not allow this attribute.
+ handler.error(XSLTErrorResources.ER_ATTR_NOT_ALLOWED, new Object[]{attributes.getQName(i), rawName}, null);//"\""+attributes.getQName(i)+"\""
+ //+ " attribute is not allowed on the " + rawName
+ // + " element!", null);
+ }
 else
- errorDefs.addElement(attrDef);
+ {
+
+
+ boolean success = attrDef.setAttrValue(handler, attrUri, attrLocalName,
+ attributes.getQName(i), attributes.getValue(i),
+ target);
+
+ // Now we only add the element if it passed a validation check
+ if (success)
+ processedDefs.add(attrDef);
+ else
+ errorDefs.add(attrDef);
+ }
 }
 }
diff -urN xalan-j_2_7_0.old/src/org/apache/xalan/transformer/TransformerImpl.java xalan-j_2_7_0/src/org/apache/xalan/transformer/TransformerImpl.java
--- xalan-j_2_7_0.old/src/org/apache/xalan/transformer/TransformerImpl.java 2014-06-23 10:04:20.937647966 +0200
+++ xalan-j_2_7_0/src/org/apache/xalan/transformer/TransformerImpl.java 2014-06-23 10:07:54.640667728 +0200
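Review bot: The added null check in XSLTElementProcessor.java does not protect the line that follows it: when `handler.getStylesheetProcessor()` returns null the code prints to stdout and then calls `.isSecureProcessing()` on the same null value whenever the attribute definition name is `*`, which throws a NullPointerException. Drop the `System.out.println` debugging line and decide the null case in the condition itself, for example `if(attrDef.getName().compareTo("*")==0 && (handler.getStylesheetProcessor()==null || handler.getStylesheetProcessor().isSecureProcessing()))` if a missing processor should fail closed. The commented-out message fragments trailing `handler.error(...)` can be deleted as well. The enclosing loop and method start outside the hunk.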
@@ -438,7 +438,9 @@
 try
 {
 if (sroot.getExtensions() != null)
- m_extensionsTable = new ExtensionsTable(sroot);
+ //only load extensions if secureProcessing is disabled
+ if(!sroot.isSecureProcessing())
+ m_extensionsTable = new ExtensionsTable(sroot);
 }
 catch (javax.xml.transform.TransformerException te)
 {te.printStackTrace();}
diff -urN xalan-j_2_7_0.old/src/org/apache/xpath/functions/FuncSystemProperty.java xalan-j_2_7_0/src/org/apache/xpath/functions/FuncSystemProperty.java
--- xalan-j_2_7_0.old/src/org/apache/xpath/functions/FuncSystemProperty.java 2014-06-23 10:04:20.930647966 +0200
+++ xalan-j_2_7_0/src/org/apache/xpath/functions/FuncSystemProperty.java 2014-06-23 10:09:30.433676586 +0200
@@ -56,7 +56,7 @@
 String fullName = m_arg0.execute(xctxt).str();
 int indexOfNSSep = fullName.indexOf(':');
- String result;
+ String result = null;
 String propName = "";
 // List of properties where the name of the
@@ -96,14 +96,20 @@
 try
 {
- result = System.getProperty(propName);
-
- if (null == result)
- {
-
- // result = System.getenv(propName);
- return XString.EMPTYSTRING;
- }
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(propName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
+ }
+ if (null == result)
+ {
+ return XString.EMPTYSTRING;
+ }
 }
 catch (SecurityException se)
 {
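Review bot: The nested, unbraced `if` added at `@@ -438` in TransformerImpl.java has a comment wedged between the outer condition and the inner one, which is easy to mis-edit later; a single guard, `if (sroot.getExtensions() != null && !sroot.isSecureProcessing())`, states the same rule in one place. Under secure processing `m_extensionsTable` is no longer assigned here, so any code that assumes it is set whenever the stylesheet declares extensions needs a null check; those uses are outside the hunk and should be confirmed. The enclosing method starts and ends outside the hunk.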
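Review bot: In secure-processing mode the `else` branch added at `@@ -96` in FuncSystemProperty.java reports `WG_SECURITY_EXCEPTION` although no SecurityException occurred, so (judging by the trailing comment) the warning attributes a policy decision to the JVM security manager; the hunk at `@@ -118` repeats the same block with `fullName` as the property name. A dedicated message, or at least a comment such as `// secure processing: system properties are not exposed to stylesheets; warn and return the empty string`, would make the behaviour clear to operators reading the log. The added comment's "secure procession" and "do not not map" should read "secure processing" and "do not map", and the two identical blocks could share one private helper. Both `try` blocks continue outside their hunks.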
@@ -118,14 +124,20 @@
 {
 try
 {
- result = System.getProperty(fullName);
-
- if (null == result)
- {
-
- // result = System.getenv(fullName);
- return XString.EMPTYSTRING;
- }
+ //if secure procession is enabled only handle required properties do not not map any valid system property
+ if(!xctxt.isSecureProcessing())
+ {
+ result = System.getProperty(fullName);
+ }
+ else
+ {
+ warn(xctxt, XPATHErrorResources.WG_SECURITY_EXCEPTION,
+ new Object[]{ fullName }); //"SecurityException when trying to access XSL system property: "+fullName);
+ }
+ if (null == result)
+ {
+ return XString.EMPTYSTRING;
+ }
 }
 catch (SecurityException se)
 {