Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP6
eclipse-emf
eclipse-emf-CVE-2023-4218.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File eclipse-emf-CVE-2023-4218.patch of Package eclipse-emf
--- a/org.eclipse.emf/plugins/org.eclipse.emf.ecore.xmi/src/org/eclipse/emf/ecore/xmi/impl/XMLHandler.java 2024-03-19 08:45:36.707562642 +0100 +++ b/org.eclipse.emf/plugins/org.eclipse.emf.ecore.xmi/src/org/eclipse/emf/ecore/xmi/impl/XMLHandler.java 2024-03-19 08:46:07.550942989 +0100 @@ -14,6 +14,7 @@ import java.io.IOException; import java.io.InputStream; +import java.io.StringReader; import java.io.UnsupportedEncodingException; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; @@ -347,6 +348,10 @@ /** */ + protected boolean resolveEntities; + + /** + */ public XMLHandler(XMLResource xmlResource, XMLHelper helper, Map<?, ?> options) { this.xmlResource = xmlResource; @@ -509,6 +514,7 @@ usePackageNsURIAsLocation = !Boolean.FALSE.equals(options.get(XMLResource.OPTION_USE_PACKAGE_NS_URI_AS_LOCATION)); missingPackageHandler = (XMLResource.MissingPackageHandler)options.get(XMLResource.OPTION_MISSING_PACKAGE_HANDLER); + resolveEntities = Boolean.TRUE.equals(options.get(XMLResource.OPTION_RESOLVE_ENTITIES)); } protected void setExtendedMetaDataOption(Object extendedMetaDataOption) @@ -804,6 +810,11 @@ @Override public InputSource resolveEntity(String publicId, String systemId) throws SAXException { + if (!resolveEntities) + { + return new InputSource(new StringReader("")); //$NON-NLS-1$ + } + try { Map<Object, Object> options = new HashMap<Object, Object>(); --- a/org.eclipse.emf/plugins/org.eclipse.emf.ecore.xmi/src/org/eclipse/emf/ecore/xmi/XMLResource.java 2024-03-19 08:45:36.707562642 +0100 +++ b/org.eclipse.emf/plugins/org.eclipse.emf.ecore.xmi/src/org/eclipse/emf/ecore/xmi/XMLResource.java 2024-03-19 08:46:07.550942989 +0100 @@ -563,6 +563,13 @@ */ String OPTION_MISSING_PACKAGE_HANDLER = "MISSING_PACKAGE_HANDLER"; + /** + * A load option that specifies whether external entities should be resolved during XML loading. + * The default value is false. + * @since 2.35 + */ + String OPTION_RESOLVE_ENTITIES = "RESOLVED_ENTITIES"; + String HREF = "href"; String NIL = "nil"; String TYPE = "type"; --- a/org.eclipse.emf/tests/org.eclipse.emf.test.xml/data/xmi/root.dtd 1970-01-01 01:00:00.000000000 +0100 +++ b/org.eclipse.emf/tests/org.eclipse.emf.test.xml/data/xmi/root.dtd 2024-03-19 08:46:07.554276328 +0100 @@ -0,0 +1 @@ +<!ELEMENT root (#PCDATA)> --- a/org.eclipse.emf/tests/org.eclipse.emf.test.xml/data/xmi/test-with-external-entity.xmi 1970-01-01 01:00:00.000000000 +0100 +++ b/org.eclipse.emf/tests/org.eclipse.emf.test.xml/data/xmi/test-with-external-entity.xmi 2024-03-19 08:46:07.554276328 +0100 @@ -0,0 +1,3 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE root SYSTEM "root.dtd"> +<root/> \ No newline at end of file --- a/org.eclipse.emf/tests/org.eclipse.emf.test.xml/src/org/eclipse/emf/test/xml/DTDTest.java 2024-03-19 08:45:36.837562840 +0100 +++ b/org.eclipse.emf/tests/org.eclipse.emf.test.xml/src/org/eclipse/emf/test/xml/DTDTest.java 2024-03-19 08:46:07.554276328 +0100 @@ -45,6 +45,7 @@ public void setUp() throws Exception { resourceSet = new ResourceSetImpl(); + resourceSet.getLoadOptions().put(XMLResource.OPTION_RESOLVE_ENTITIES, Boolean.TRUE); resourceSet.getResourceFactoryRegistry().getExtensionToFactoryMap().put (Resource.Factory.Registry.DEFAULT_EXTENSION, new GenericXMLResourceFactoryImpl()); } --- a/org.eclipse.emf/tests/org.eclipse.emf.test.xml/src/org/eclipse/emf/test/xml/xmi/URIHandlerTest.java 2024-03-19 08:45:36.837562840 +0100 +++ b/org.eclipse.emf/tests/org.eclipse.emf.test.xml/src/org/eclipse/emf/test/xml/xmi/URIHandlerTest.java 2024-03-19 08:46:07.554276328 +0100 @@ -13,9 +13,13 @@ import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; +import java.io.FileNotFoundException; import java.io.StringReader; import java.io.StringWriter; +import java.util.Collections; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -49,6 +53,7 @@ public class URIHandlerTest { + final static String BASE_XMI_URI = TestUtil.getPluginDirectory(AllSuites.PLUGIN_ID) + "/data/xmi/"; final static String BASE_XML_URI = TestUtil.getPluginDirectory(AllSuites.PLUGIN_ID) + "/data/xml/"; final static String LF = System.getProperty("line.separator"); @@ -169,4 +174,32 @@ Book reloadedFirstBook = reloadedFirstAuthor.getBooks().get(0); assertEquals(firstLibraryResource.getURI(), reloadedFirstBook.eResource().getURI()); } + + @Test + public void testEntityResolver() throws Exception + { + // Expecting external entities not to be resolved by default. + // So the redirection of that external reference to a non-existent location should not result in a file not found exception. + // + resourceSet.getURIConverter().getURIMap().put(URI.createFileURI(BASE_XMI_URI + "/root.dtd"), URI.createFileURI(BASE_XMI_URI + "/not-found.dtd")); + Resource resource = resourceSet.getResource(URI.createFileURI(BASE_XMI_URI + "/test-with-external-entity.xmi"), true); + + try + { + // Load it again, but resolving external entities. + // + resource.unload(); + resource.load(Collections.singletonMap(XMLResource.OPTION_RESOLVE_ENTITIES, Boolean.TRUE)); + + // We should not get here, we should get an exception. + // + fail("Expecting the URI to be loaded to the redirected bogus location, causing a FileNotFoundException"); + } + catch (FileNotFoundException ex) + { + // The exception should refer to the redirected URI. + // + assertTrue("Expecting the entity reference to be loaded to the redirected bogus location", ex.toString().contains("not-found.dtd")); + } + } } \ No newline at end of file
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor