Red Hat Bugzilla – Attachment 710230 Details for Bug 921334: CVE-2013-1856 rubygem-activesupport: jdom: XML Parsing Vulnerability affecting JRuby users
Attachment 710230: 3-0-jdom.patch
Filename: 3-0-jdom.patch
MIME Type: text/plain
Creator: Kurt Seifried
Created: 2013-03-14 20:32:07 UTC
Size: 4.69 KB
Flags: patch, obsolete
>From 6d930adfeaae6cbed22d1e97ccd401bbc61407ab Mon Sep 17 00:00:00 2001 >From: Ben Murphy <benmmurphy@gmail.com> >Date: Fri, 8 Feb 2013 02:48:22 +0000 >Subject: [PATCH] JDOM XXE Protection > >Conflicts: > activesupport/test/xml_mini/jdom_engine_test.rb > >Conflicts: > activesupport/test/xml_mini/jdom_engine_test.rb >--- > activesupport/lib/active_support/xml_mini/jdom.rb | 6 ++++ > activesupport/test/fixtures/xml/jdom_doctype.dtd | 1 + > activesupport/test/fixtures/xml/jdom_entities.txt | 1 + > activesupport/test/fixtures/xml/jdom_include.txt | 1 + > activesupport/test/xml_mini/jdom_engine_test.rb | 40 ++++++++++++++++++++--- > 5 files changed, 45 insertions(+), 4 deletions(-) > create mode 100644 activesupport/test/fixtures/xml/jdom_doctype.dtd > create mode 100644 activesupport/test/fixtures/xml/jdom_entities.txt > create mode 100644 activesupport/test/fixtures/xml/jdom_include.txt > >diff --git a/activesupport/lib/active_support/xml_mini/jdom.rb b/activesupport/lib/active_support/xml_mini/jdom.rb >index 102b9be..0e3522f 100644 >--- a/activesupport/lib/active_support/xml_mini/jdom.rb >+++ b/activesupport/lib/active_support/xml_mini/jdom.rb >@@ -38,6 +38,12 @@ module ActiveSupport > {} > else > @dbf = DocumentBuilderFactory.new_instance >+ # secure processing of java xml >+ # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html >+ @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false) >+ @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false) >+ @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false) >+ @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true) > xml_string_reader = StringReader.new(data) > xml_input_source = InputSource.new(xml_string_reader) > doc = @dbf.new_document_builder.parse(xml_input_source) 
>diff --git a/activesupport/test/fixtures/xml/jdom_doctype.dtd b/activesupport/test/fixtures/xml/jdom_doctype.dtd >new file mode 100644 >index 0000000..8948049 >--- /dev/null >+++ b/activesupport/test/fixtures/xml/jdom_doctype.dtd >@@ -0,0 +1 @@ >+<!ENTITY a "external entity"> >diff --git a/activesupport/test/fixtures/xml/jdom_entities.txt b/activesupport/test/fixtures/xml/jdom_entities.txt >new file mode 100644 >index 0000000..0337fda >--- /dev/null >+++ b/activesupport/test/fixtures/xml/jdom_entities.txt >@@ -0,0 +1 @@ >+<!ENTITY a "hello"> >diff --git a/activesupport/test/fixtures/xml/jdom_include.txt b/activesupport/test/fixtures/xml/jdom_include.txt >new file mode 100644 >index 0000000..239ca3a >--- /dev/null >+++ b/activesupport/test/fixtures/xml/jdom_include.txt >@@ -0,0 +1 @@ >+include me >diff --git a/activesupport/test/xml_mini/jdom_engine_test.rb b/activesupport/test/xml_mini/jdom_engine_test.rb >index ae35dbc..9a4661e 100644 >--- a/activesupport/test/xml_mini/jdom_engine_test.rb >+++ b/activesupport/test/xml_mini/jdom_engine_test.rb >@@ -3,10 +3,11 @@ if RUBY_PLATFORM =~ /java/ > require 'active_support/xml_mini' > require 'active_support/core_ext/hash/conversions' > >- >- class JDOMEngineTest < Test::Unit::TestCase >+ class JDOMEngineTest < ActiveSupport::TestCase > include ActiveSupport > >+ FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml' >+ > def setup > @default_backend = XmlMini.backend > XmlMini.backend = 'JDOM' 
>@@ -31,10 +32,41 @@ if RUBY_PLATFORM =~ /java/ > assert_equal 'image/png', file.content_type > end > >+ def test_not_allowed_to_expand_entities_to_files >+ attack_xml = <<-EOT >+ <!DOCTYPE member [ >+ <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt"> >+ ]> >+ <member>x&a;</member> >+ EOT >+ assert_equal 'x', Hash.from_xml(attack_xml)["member"] >+ end >+ >+ def test_not_allowed_to_expand_parameter_entities_to_files >+ attack_xml = <<-EOT >+ <!DOCTYPE member [ >+ <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt"> >+ %b; >+ ]> >+ <member>x&a;</member> >+ EOT >+ assert_raise Java::OrgXmlSax::SAXParseException do >+ assert_equal 'x', Hash.from_xml(attack_xml)["member"] >+ end >+ end >+ >+ >+ def test_not_allowed_to_load_external_doctypes >+ attack_xml = <<-EOT >+ <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd"> >+ <member>x&a;</member> >+ EOT >+ assert_equal 'x', Hash.from_xml(attack_xml)["member"] >+ end >+ > def test_exception_thrown_on_expansion_attack >- assert_raise NativeException do >+ assert_raise Java::OrgXmlSax::SAXParseException do > attack_xml = <<-EOT >- <?xml version="1.0" encoding="UTF-8"?> > <!DOCTYPE member [ > <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> > <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;"> >-- >1.8.1.1 >
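Review bot: the four `setFeature` calls in the `jdom.rb` hunk assume a Xerces-based JAXP implementation. `DocumentBuilderFactory#setFeature` raises `ParserConfigurationException` for any feature name the underlying factory does not recognise, and the `http://apache.org/xml/features/...` and `http://xml.org/sax/features/...` URIs are Xerces feature names rather than something the JAXP API guarantees, so on a JRuby deployment that resolves a different `DocumentBuilderFactory` the parse path now fails with an unhandled exception instead of parsing unsafely. Failing closed is the right default, but the comment `# secure processing of java xml` should say so and should state which attack each line blocks (external DTD fetch, external general entities, external parameter entities, and the entity-expansion limits that `FEATURE_SECURE_PROCESSING` enables, which is presumably why `test_exception_thrown_on_expansion_attack` now expects `SAXParseException`). Consider adding `@dbf.setExpandEntityReferences(false)` so internal entities are not expanded into the DOM either, or, since none of the fixtures needs a DOCTYPE to parse a Rails request body, setting `http://apache.org/xml/features/disallow-doctype-decl` to true, which closes the whole class with one feature.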
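Review bot: `FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'` is interpolated into `file://` URLs in the new tests, so the URL carries an unnormalised `..` segment and, on a checkout whose path contains spaces or other characters that need percent-encoding, is not a valid URI; use `File.expand_path('../fixtures/xml', File.dirname(__FILE__))` instead. The switch from `Test::Unit::TestCase` to `ActiveSupport::TestCase` in the same hunk is unrelated to the XXE fix and deserves either its own commit or a line in the commit message (which also carries the `Conflicts:` block twice).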
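Review bot: in `test_not_allowed_to_expand_parameter_entities_to_files` the `assert_equal 'x', Hash.from_xml(attack_xml)["member"]` inside the `assert_raise` block never evaluates its comparison, because `Hash.from_xml` is expected to raise before `assert_equal` receives its second argument; reduce the block body to `Hash.from_xml(attack_xml)` so nobody reads the inner assertion as a second check. The other two new tests assert that the blocked reference is dropped and `member` comes back as `'x'`, while the parameter-entity case expects `SAXParseException`; a one-line comment on each explaining that silent drop is the intended outcome for external general entities and external DTDs would stop a later reader from "fixing" them to expect an exception. Minor: there is a double blank line before `test_not_allowed_to_load_external_doctypes`, and the hunk for `test_exception_thrown_on_expansion_attack` is cut off in this attachment after the `<!ENTITY b ...>` line, so the remainder of that change cannot be reviewed here.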
Attachments on bug 921334: 710230 | 710231 | 710232