+++ This bug was initially created as a clone of Bug #1164401 +++ Description of problem: Upgrade resteasy to resolve the linked issues
qa_nacking because SP4 contains more changes than expected; the problem is in the commit for BZ 1165331. Details: The commit - http://git.app.eng.bos.redhat.com/git/resteasy.git/commit/?id=d50bc0a4e36894e0256f0d62fb2cd7a25f042ac2&h=2.3.8.SP4-redhat contains code which was added in resteasy 2.3.9 as part of https://bugzilla.redhat.com/show_bug.cgi?id=1090487, which adds secure processing to resteasy. The patch has enableSecureProcessingFeature and disableDTDs in addition. DocumentBuilder will set up hardcoded values and the user has no option to customize them. The resteasy.document.secure.disableDTDs and resteasy.document.secure.processing.feature options for web.xml were introduced in resteasy 2.3.9 and we are talking about 2.3.8 here.
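The three parser settings this comment distinguishes, reproduced as a stand-alone illustration (added here, not RESTEasy code): `expandEntityReferences` drives the two SAX external-entity features, while the 2.3.9-only `enableSecureProcessingFeature` and `disableDTDs` are optional so the same method can mirror a build with or without them. The field names follow the DocumentProvider fields named in this bug; the sample XML is constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class DocumentProviderSettingsDemo {

    // Illustrative mirror of the DocumentProvider configuration discussed in this bug.
    // A null value for the two 2.3.9-era flags leaves the feature unset, which is what a
    // build without the BZ 1090487 changes does.
    static DocumentBuilderFactory configure(boolean expandEntityReferences,
                                            Boolean enableSecureProcessingFeature,
                                            Boolean disableDTDs) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(expandEntityReferences);
        // CVE-2014-7839 fix: external entity resolution follows expandEntityReferences
        f.setFeature("http://xml.org/sax/features/external-general-entities", expandEntityReferences);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", expandEntityReferences);
        // 2.3.9 additions: hard-coded in the nacked commit, configurable via web.xml in 2.3.9
        if (enableSecureProcessingFeature != null) {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, enableSecureProcessingFeature);
        }
        if (disableDTDs != null) {
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", disableDTDs);
        }
        return f;
    }

    // True if the factory's parser accepts the document, false if it rejects it
    // (a disallowed DOCTYPE surfaces as a SAXParseException).
    static boolean accepts(DocumentBuilderFactory f, String xml) throws ParserConfigurationException {
        try {
            Document d = f.newDocumentBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one with an internal DTD only, one without any DOCTYPE
        String withDtd = "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hello</note>";
        String plain = "<note>hello</note>";
        DocumentBuilderFactory like239 = configure(false, true, true);   // 2.3.9 defaults
        DocumentBuilderFactory like238 = configure(false, null, null);   // CVE fix only
        System.out.println("2.3.9 defaults, DOCTYPE present: " + accepts(like239, withDtd));
        System.out.println("2.3.9 defaults, no DOCTYPE:      " + accepts(like239, plain));
        System.out.println("CVE fix only,   DOCTYPE present: " + accepts(like238, withDtd));
    }
}
```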
Hi Rostislav, Only the fix for CVE-2014-7839 will be needed, is that correct? Then I'll only include this patch and rebuild 2.3.8.SP4-redhat: diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java index 56e0b31..40bb968 100644 --- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java +++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java @@ -90,6 +90,8 @@ public Document readFrom(Class<Document> clazz, Type type, try { documentBuilder.setExpandEntityReferences(expandEntityReferences); + documentBuilder.setFeature("http://xml.org/sax/features/external-general-entities", expandEntityReferences); + documentBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", expandEntityReferences); documentBuilder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, enableSecureProcessingFeature); documentBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", disableDTDs); return documentBuilder.newDocumentBuilder().parse(input);
Hi Weinan, yes correct, the diff in comment 6 is the patch for CVE-2014-7839. The resteasy 2.3.8.SP4-redhat build should also contain the fix for https://bugzilla.redhat.com/show_bug.cgi?id=1163547 which is acked as well for 6.3.3.
2.3.9 feature removed: ^Cpower:resteasy-prod-2.3.8 weinanli$ git diff diff --git a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java b/ index af299b7..534230e 100644 --- a/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java +++ b/resteasy-jaxrs/src/main/java/org/jboss/resteasy/plugins/providers/DocumentProvider.java @@ -42,8 +42,6 @@ public class DocumentProvider extends AbstractEntityProvider<Document> private final TransformerFactory transformerFactory; private final DocumentBuilderFactory documentBuilder; private boolean expandEntityReferences = false; - private boolean enableSecureProcessingFeature = true; - private boolean disableDTDs = true; public DocumentProvider(@Context ResteasyConfiguration config) { @@ -76,8 +74,6 @@ public class DocumentProvider extends AbstractEntityProvider<Document> documentBuilder.setExpandEntityReferences(expandEntityReferences); documentBuilder.setFeature("http://xml.org/sax/features/external-general-entities", expandEn documentBuilder.setFeature("http://xml.org/sax/features/external-parameter-entities", expand - documentBuilder.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, enableSecureProcessingFea - documentBuilder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", disableDT return documentBuilder.newDocumentBuilder().parse(input); } catch (Exception e)
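Review bot: the `@@ -42,8 +42,6 @@` hunk removes the `enableSecureProcessingFeature` and `disableDTDs` fields, but the body of the `DocumentProvider(@Context ResteasyConfiguration config)` constructor shown as trailing context is not in the diff; if that constructor still reads the `resteasy.document.secure.*` parameters into those fields, the class will not compile after this removal, so include the constructor cleanup in the same commit or show it here if it is already gone.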
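Review bot: in the `@@ -76,8 +74,6 @@` hunk, once the `FEATURE_SECURE_PROCESSING` and `disallow-doctype-decl` lines are gone, the only hardening left in this method is the `external-general-entities`/`external-parameter-entities` pair, both driven by `expandEntityReferences`, whose default in the first hunk is `false`. That matches the CVE-2014-7839-only scope agreed above, but DOCTYPE declarations are accepted again, which is a behaviour difference from 2.3.9 worth stating in the release note so consumers do not assume parity. Also confirm that the `catch (Exception e)` at the end of the hunk rethrows a `ParserConfigurationException` from `setFeature` rather than returning a partially configured result.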
https://github.com/jbossas/jboss-eap/pull/2027/files updated
In EAP 6.3.3.CP.CR1 Resteasy was upgraded to 2.3.8.SP4-redhat-2.