


openeuler-ci-bot
c448a2c8de
!5 License compliance rectification
From: @wang--ge 
Reviewed-by: @wangchong1995924 
Signed-off-by: @wangchong1995924
2022-05-12 07:00:27 +00:00
wang--ge
1922b629eb License compliance rectification 2022-05-11 14:19:04 +08:00
openeuler-ci-bot
431ffd41e5 !4 Fix CVE-2020-10683
Merge pull request !4 from ultra_planet/master
2020-06-20 09:14:26 +08:00
lingsheng
e08632136f Fix CVE-2020-10683 2020-06-19 15:50:08 +08:00
openeuler-ci-bot
8485dd1ef0 !3 patch
Merge pull request !3 from jinjin/yang
2019-12-17 14:06:03 +08:00
yang_lijin@qq.com
5c3940c3d4 init 2019-12-17 13:58:16 +08:00
openeuler-ci-bot
f614c1dd83 !2 add patch
Merge pull request !2 from jinjin/yang
2019-12-17 11:44:35 +08:00
yang_lijin@qq.com
f5f8fee8fe add patch 2019-12-17 11:42:57 +08:00
yang_lijin@qq.com
07578962c8 patch 2019-12-17 11:42:28 +08:00
openeuler-ci-bot
2266b5328d !1 init
Merge pull request !1 from jinjin/yang
2019-12-17 10:01:39 +08:00
yang_lijin@qq.com
712d62d6cf init 2019-12-17 09:54:03 +08:00
11 changed files with 2890 additions and 75 deletions

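--- a/CVE-2018-1000632-pre.patch
+++ b/CVE-2018-1000632-pre.patch
@@ -0,0 +1,152 @@
+From 92d87957c4c4948d048ff7729c77ba10474f73ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
+Date: Sun, 1 Jul 2018 13:06:18 +0200
+Subject: [PATCH] Fix tests with invalid QNames.
+---
+.../java/org/dom4j/datatype/SchemaParser.java | 29 +++++++++++--------
+src/test/java/org/dom4j/IteratorTest.java | 20 ++++++-------
+src/test/java/org/dom4j/dom/DOMTest.java | 2 +-
+3 files changed, 28 insertions(+), 23 deletions(-)
+diff --git a/src/main/java/org/dom4j/datatype/SchemaParser.java b/src/main/java/org/dom4j/datatype/SchemaParser.java
+index c35806ba..ab299d82 100644
+--- a/src/main/java/org/dom4j/datatype/SchemaParser.java
++++ b/src/main/java/org/dom4j/datatype/SchemaParser.java
+@@ -180,15 +180,19 @@ private void onDatatypeElement(Element xsdElement,
+DocumentFactory parentFactory) {
+String name = xsdElement.attributeValue("name");
+String type = xsdElement.attributeValue("type");
+- QName qname = getQName(name);
+- DatatypeElementFactory factory = getDatatypeElementFactory(qname);
++ QName qname = null;
++ DatatypeElementFactory factory = null;
++ if (name != null) {
++ qname = getQName(name);
++ factory = getDatatypeElementFactory(qname);
++ }
+if (type != null) {
+// register type with this element name
+XSDatatype dataType = getTypeByName(type);
+- if (dataType != null) {
++ if (dataType != null && factory != null) {
+factory.setChildElementXSDatatype(qname, dataType);
+} else {
+QName typeQName = getQName(type);
+@@ -205,24 +209,25 @@ private void onDatatypeElement(Element xsdElement,
+if (xsdSimpleType != null) {
+XSDatatype dataType = loadXSDatatypeFromSimpleType(xsdSimpleType);
+- if (dataType != null) {
++ if (dataType != null && factory != null) {
+factory.setChildElementXSDatatype(qname, dataType);
+}
+}
+Element schemaComplexType = xsdElement.element(XSD_COMPLEXTYPE);
+- if (schemaComplexType != null) {
++ if (schemaComplexType != null && factory != null) {
+onSchemaComplexType(schemaComplexType, factory);
+}
+- Iterator<Element> iter = xsdElement.elementIterator(XSD_ATTRIBUTE);
+-
+- if (iter.hasNext()) {
+- do {
+- onDatatypeAttribute(xsdElement, factory, iter
+- .next());
+- } while (iter.hasNext());
++ if (factory != null) {
++ Iterator<Element> iter = xsdElement.elementIterator(XSD_ATTRIBUTE);
++ if (iter.hasNext()) {
++ do {
++ onDatatypeAttribute(xsdElement, factory, iter
++ .next());
++ } while (iter.hasNext());
++ }
+}
+}
+diff --git a/src/test/java/org/dom4j/IteratorTest.java b/src/test/java/org/dom4j/IteratorTest.java
+index 76a2eef8..53091ae9 100644
+--- a/src/test/java/org/dom4j/IteratorTest.java
++++ b/src/test/java/org/dom4j/IteratorTest.java
+@@ -31,7 +31,7 @@ public void setUp() throws Exception {
+Element root = iterDocument.addElement("root");
+for (int i = 0; i < NUMELE; i++) {
+- root.addElement("iterator test").addAttribute("instance",
++ root.addElement("iterator-test").addAttribute("instance",
+Integer.toString(i));
+}
+}
+@@ -42,7 +42,7 @@ public void testElementCount() throws Exception {
+Element root = iterDocument.getRootElement();
+assertTrue("Has root element", root != null);
+- List elements = root.elements("iterator test");
++ List elements = root.elements("iterator-test");
+int elementSize = elements.size();
+assertTrue("Root has " + elementSize + " children", (elements != null)
+&& (elementSize == NUMELE));
+@@ -50,8 +50,8 @@ public void testElementCount() throws Exception {
+public void testPlainIteration() throws Exception {
+Element root = iterDocument.getRootElement();
+- List elements = root.elements("iterator test");
+- Iterator iter = root.elementIterator("iterator test");
++ List elements = root.elements("iterator-test");
++ Iterator iter = root.elementIterator("iterator-test");
+int elementSize = elements.size();
+int count = 0;
+@@ -69,8 +69,8 @@ public void testPlainIteration() throws Exception {
+public void testSkipAlternates() throws Exception {
+Element root = iterDocument.getRootElement();
+- List elements = root.elements("iterator test");
+- Iterator iter = root.elementIterator("iterator test");
++ List elements = root.elements("iterator-test");
++ Iterator iter = root.elementIterator("iterator-test");
+int elementSize = elements.size();
+int count = 0;
+@@ -89,8 +89,8 @@ public void testSkipAlternates() throws Exception {
+public void testNoHasNext() throws Exception {
+Element root = iterDocument.getRootElement();
+- List elements = root.elements("iterator test");
+- Iterator iter = root.elementIterator("iterator test");
++ List elements = root.elements("iterator-test");
++ Iterator iter = root.elementIterator("iterator-test");
+int elementSize = elements.size();
+int count = 0;
+Element e = null;
+@@ -121,8 +121,8 @@ public void testNoHasNext() throws Exception {
+public void testExtraHasNexts() throws Exception {
+Element root = iterDocument.getRootElement();
+- List elements = root.elements("iterator test");
+- Iterator iter = root.elementIterator("iterator test");
++ List elements = root.elements("iterator-test");
++ Iterator iter = root.elementIterator("iterator-test");
+int elementSize = elements.size();
+int count = 0;
+diff --git a/src/test/java/org/dom4j/dom/DOMTest.java b/src/test/java/org/dom4j/dom/DOMTest.java
+index f44d3e80..4b1f9c85 100644
+--- a/src/test/java/org/dom4j/dom/DOMTest.java
++++ b/src/test/java/org/dom4j/dom/DOMTest.java
+@@ -109,7 +109,7 @@ public void testReplaceChild() throws Exception {
+assertEquals(newFirst, firstChild);
+/* try to replace a node that doesn't exist */
+- org.w3c.dom.Element badNode = document.createElement("No Child");
++ org.w3c.dom.Element badNode = document.createElement("No-Child");
+try {
+parent.replaceChild(newFirst, badNode);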
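Review bot: In the SchemaParser hunk the new condition `if (dataType != null && factory != null)` routes an element whose `type` resolved to a known datatype into the `else` branch that was written for unresolved type names whenever the element has no `name` attribute; that branch continues outside the hunk, so I cannot confirm it tolerates a null `qname`/`factory`. Every later use in the method is now individually wrapped in `factory != null`, which suggests the intent is simply to skip nameless elements; if the `else` branch does not need the factory either, one early exit after the guard, `if (factory == null) { return; }`, would state that intent and remove the four repeated null checks. Whichever form is kept, a comment on the guard such as `// an xsd:element without a name attribute has no element factory to register types on` would record why null is tolerated here. The onDatatypeElement signature begins before the hunk; the IteratorTest and DOMTest edits only rename test element names and need no comment.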

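--- a/CVE-2018-1000632.patch
+++ b/CVE-2018-1000632.patch
@@ -0,0 +1,258 @@
+diff --git a/src/main/java/org/dom4j/Namespace.java b/src/main/java/org/dom4j/Namespace.java
+index fd123b93..8f948ad8 100644
+--- a/src/main/java/org/dom4j/Namespace.java
++++ b/src/main/java/org/dom4j/Namespace.java
+@@ -49,6 +49,10 @@
+public Namespace(String prefix, String uri) {
+this.prefix = (prefix != null) ? prefix : "";
+this.uri = (uri != null) ? uri : "";
++
++ if (!this.prefix.isEmpty()) {
++ QName.validateNCName(this.prefix);
++ }
+}
+/**
+diff --git a/src/main/java/org/dom4j/QName.java b/src/main/java/org/dom4j/QName.java
+index 9ac0d4d8..e9b2170e 100644
+--- a/src/main/java/org/dom4j/QName.java
++++ b/src/main/java/org/dom4j/QName.java
+@@ -11,6 +11,7 @@
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
++import java.util.regex.Pattern;
+import org.dom4j.tree.QNameCache;
+import org.dom4j.util.SingletonStrategy;
+@@ -21,11 +22,86 @@
+* object is immutable.
+*
+* @author <a href="mailto:jstrachan@apache.org">James Strachan </a>
++ * @author Filip Jirsák
+*/
+public class QName implements Serializable {
+/** The Singleton instance */
+private static SingletonStrategy<QNameCache> singleton = null;
++ /**
++ * {@code NameStartChar} without colon.
++ *
++ * <pre>NameStartChar ::= ":" | [A-Z] | "_" | [a-z] | [#xC0-#xD6] | [#xD8-#xF6] | [#xF8-#x2FF] | [#x370-#x37D] | [#x37F-#x1FFF] | [#x200C-#x200D] | [#x2070-#x218F] | [#x2C00-#x2FEF] | [#x3001-#xD7FF] | [#xF900-#xFDCF] | [#xFDF0-#xFFFD] | [#x10000-#xEFFFF]</pre>
++ *
++ * @see <a href="https://www.w3.org/TR/xml/#sec-common-syn">XML 1.0 2.3 Common Syntactic Constructs</a>
++ * @see <a href="https://www.w3.org/TR/2006/REC-xml11-20060816/#sec-common-syn">XML 1.1 2.3 Common Syntactic Constructs</a>
++ */
++ private static final String NAME_START_CHAR = "_A-Za-z\u00C0-\u00D6\u00D8-\u00F6\u00F8-\u02FF\u0370-\u037D\u037F-\u1FFF\u200C-\u200D\u2070-\u218F\u2C00-\u2FEF\u3001-\uD7FF\uF900-\uFDCF\uFDF0-\uFFFD";
++
++ /**
++ * {@code NameChar} without colon.
++ *
++ * <pre>NameChar ::= NameStartChar | "-" | "." | [0-9] | #xB7 | [#x0300-#x036F] | [#x203F-#x2040]</pre>
++ *
++ * @see <a href="https://www.w3.org/TR/xml/#sec-common-syn">XML 1.0 2.3 Common Syntactic Constructs</a>
++ * @see <a href="https://www.w3.org/TR/2006/REC-xml11-20060816/#sec-common-syn">XML 1.1 2.3 Common Syntactic Constructs</a>
++ */
++ private static final String NAME_CHAR = NAME_START_CHAR + "-.0-9\u00B7\u0300-\u036F\u203F-\u2040";
++
++ /**
++ * {@code NCName}
++ *
++ * <pre>
++ * NCName ::= NCNameStartChar NCNameChar* (An XML Name, minus the ":")
++ * NCNameChar ::= NameChar -':'
++ * NCNameStartChar ::= NameStartChar -':'
++ * </pre>
++ *
++ * @see <a href="https://www.w3.org/TR/xml-names/#ns-qualnames">Namespaces in XML 1.0 4 Qualified Names</a>
++ * @see <a href="https://www.w3.org/TR/2006/REC-xml-names11-20060816/#ns-qualnames">Namespaces in XML 1.1 4 Qualified Names</a>
++ */
++ private static final String NCNAME = "["+NAME_START_CHAR+"]["+NAME_CHAR+"]*";
++
++ /**
++ * Regular expression for {@code Name} (with colon).
++ *
++ * <pre>Name ::= NameStartChar (NameChar)*</pre>
++ *
++ * @see <a href="https://www.w3.org/TR/xml/#sec-common-syn">XML 1.0 2.3 Common Syntactic Constructs</a>
++ * @see <a href="https://www.w3.org/TR/2006/REC-xml11-20060816/#sec-common-syn">XML 1.1 2.3 Common Syntactic Constructs</a>
++ */
++ private static final Pattern RE_NAME = Pattern.compile("[:"+NAME_START_CHAR+"][:"+NAME_CHAR+"]*");
++
++ /**
++ * Regular expression for {@code NCName}.
++ *
++ * <pre>
++ * NCName ::= NCNameStartChar NCNameChar* (An XML Name, minus the ":")
++ * NCNameChar ::= NameChar -':'
++ * NCNameStartChar ::= NameStartChar -':'
++ * </pre>
++ *
++ * @see <a href="https://www.w3.org/TR/xml-names/#ns-qualnames">Namespaces in XML 1.0 4 Qualified Names</a>
++ * @see <a href="https://www.w3.org/TR/2006/REC-xml-names11-20060816/#ns-qualnames">Namespaces in XML 1.1 4 Qualified Names</a>
++ */
++ private static final Pattern RE_NCNAME = Pattern.compile(NCNAME);
++
++ /**
++ * Regular expression for {@code QName}.
++ *
++ * <pre>
++ * QName ::= PrefixedName | UnprefixedName
++ * PrefixedName ::= Prefix ':' LocalPart
++ * UnprefixedName ::= LocalPart
++ * Prefix ::= NCName
++ * LocalPart ::= NCName
++ * </pre>
++ *
++ * @see <a href="https://www.w3.org/TR/xml-names/#ns-qualnames">Namespaces in XML 1.0 4 Qualified Names</a>
++ * @see <a href="https://www.w3.org/TR/2006/REC-xml-names11-20060816/#ns-qualnames">Namespaces in XML 1.1 4 Qualified Names</a>
++ */
++ private static final Pattern RE_QNAME = Pattern.compile("(?:"+NCNAME+":)?"+NCNAME);
++
+static {
+try {
+String defaultSingletonClass = "org.dom4j.util.SimpleSingleton";
+@@ -71,6 +147,11 @@ public QName(String name, Namespace namespace) {
+this.name = (name == null) ? "" : name;
+this.namespace = (namespace == null) ? Namespace.NO_NAMESPACE
+: namespace;
++ if (this.namespace.equals(Namespace.NO_NAMESPACE)) {
++ validateName(this.name);
++ } else {
++ validateNCName(this.name);
++ }
+}
+public QName(String name, Namespace namespace, String qualifiedName) {
+@@ -78,6 +159,8 @@ public QName(String name, Namespace namespace, String qualifiedName) {
+this.qualifiedName = qualifiedName;
+this.namespace = (namespace == null) ? Namespace.NO_NAMESPACE
+: namespace;
++ validateNCName(this.name);
++ validateQName(this.qualifiedName);
+}
+public static QName get(String name) {
+@@ -251,6 +334,24 @@ private static QNameCache getCache() {
+QNameCache cache = singleton.instance();
+return cache;
+}
++
++ private static void validateName(String name) {
++ if (!RE_NAME.matcher(name).matches()) {
++ throw new IllegalArgumentException(String.format("Illegal character in name: '%s'.", name));
++ }
++ }
++
++ protected static void validateNCName(String ncname) {
++ if (!RE_NCNAME.matcher(ncname).matches()) {
++ throw new IllegalArgumentException(String.format("Illegal character in local name: '%s'.", ncname));
++ }
++ }
++
++ private static void validateQName(String qname) {
++ if (!RE_QNAME.matcher(qname).matches()) {
++ throw new IllegalArgumentException(String.format("Illegal character in qualified name: '%s'.", qname));
++ }
++ }
+}
+diff --git a/src/main/java/org/dom4j/tree/QNameCache.java b/src/main/java/org/dom4j/tree/QNameCache.java
+index 330f3794..d37e8aaa 100644
+--- a/src/main/java/org/dom4j/tree/QNameCache.java
++++ b/src/main/java/org/dom4j/tree/QNameCache.java
+@@ -152,6 +152,8 @@ public QName get(String qualifiedName, String uri) {
+if (index < 0) {
+return get(qualifiedName, Namespace.get(uri));
++ } else if (index == 0){
++ throw new IllegalArgumentException("Qualified name cannot start with ':'.");
+} else {
+String name = qualifiedName.substring(index + 1);
+String prefix = qualifiedName.substring(0, index);
+diff --git a/src/test/java/org/dom4j/AllowedCharsTest.java b/src/test/java/org/dom4j/AllowedCharsTest.java
+new file mode 100644
+index 00000000..20c1de0b
+--- /dev/null
++++ b/src/test/java/org/dom4j/AllowedCharsTest.java
+@@ -0,0 +1,78 @@
++package org.dom4j;
++
++import org.testng.annotations.Test;
++
++/**
++ * @author Filip Jirsák
++ */
++public class AllowedCharsTest {
++ @Test
++ public void localName() {
++ QName.get("element");
++ QName.get(":element");
++ QName.get("elem:ent");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void localNameFail() {
++ QName.get("!element");
++ }
++
++ @Test
++ public void qname() {
++ QName.get("element", "http://example.com/namespace");
++ QName.get("ns:element", "http://example.com/namespace");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void qnameFail1() {
++ QName.get("ns:elem:ent", "http://example.com/namespace");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void qnameFail2() {
++ QName.get(":nselement", "http://example.com/namespace");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void createElementLT() {
++ DocumentHelper.createElement("element<name");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void createElementGT() {
++ DocumentHelper.createElement("element>name");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void createElementAmpersand() {
++ DocumentHelper.createElement("element&name");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void addElement() {
++ Element root = DocumentHelper.createElement("root");
++ root.addElement("element>name");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void addElementQualified() {
++ Element root = DocumentHelper.createElement("root");
++ root.addElement("element>name", "http://example.com/namespace");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void addElementQualifiedPrefix() {
++ Element root = DocumentHelper.createElement("root");
++ root.addElement("ns:element>name", "http://example.com/namespace");
++ }
++
++ @Test(expectedExceptions = IllegalArgumentException.class)
++ public void addElementPrefix() {
++ Element root = DocumentHelper.createElement("root");
++ root.addElement("ns>:element", "http://example.com/namespace");
++ }
++
++ //TODO It is illegal to create element or attribute with namespace prefix and empty namespace IRI.
++ //See https://www.w3.org/TR/2006/REC-xml-names11-20060816/#scoping
++}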
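Review bot: `NAME_START_CHAR` in the QName.java hunk ends at `\uFFFD`, so the `[#x10000-#xEFFFF]` range that its own Javadoc quotes from the XML grammar is never matched: a supplementary character is a surrogate pair in a Java String, the class contains no surrogates, and RE_NAME, RE_NCNAME and RE_QNAME will therefore reject element and attribute names that the XML specification allows. Because the patterns are built from a String, the range can be added with Pattern's code-point escape (Java 7+), `+ "\\x{10000}-\\x{EFFFF}"` appended to the `NAME_START_CHAR` literal, and AllowedCharsTest should gain a positive case with such a name. Separately, the three-argument constructor calls `validateQName(this.qualifiedName)` on a field that, unlike `name` and `namespace`, is stored without null coercion; if a null `qualifiedName` can reach it, `RE_QNAME.matcher(null)` throws NullPointerException rather than the IllegalArgumentException the validators promise, so `Objects.requireNonNull(qualifiedName, "qualifiedName")` or the same `?: ""` coercion belongs before the validation. That constructor's first statement, where `this.name` is assigned, lies outside the hunk, so I cannot see whether `validateNCName(this.name)` has the same exposure.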


@ -1,36 +0,0 @@
# dom4j
#### Description
{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
#### Software Architecture
Software architecture description
#### Installation
1. xxxx
2. xxxx
3. xxxx
#### Instructions
1. xxxx
2. xxxx
3. xxxx
#### Contribution
1. Fork the repository
2. Create Feat_xxx branch
3. Commit your code
4. Create Pull Request
#### Gitee Feature
1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
4. The most valuable open source project [GVP](https://gitee.com/gvp)
5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)


@ -1,39 +0,0 @@
# dom4j
#### 介绍
{**以下是码云平台说明,您可以替换此简介**
码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN。专为开发者提供稳定、高效、安全的云端软件开发协作平台
无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
#### 软件架构
软件架构说明
#### 安装教程
1. xxxx
2. xxxx
3. xxxx
#### 使用说明
1. xxxx
2. xxxx
3. xxxx
#### 参与贡献
1. Fork 本仓库
2. 新建 Feat_xxx 分支
3. 提交代码
4. 新建 Pull Request
#### 码云特技
1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)


@ -0,0 +1,97 @@
From a16aaa7a192f5e5258dd941cb6a4344c1ca80839 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
Date: Sun, 1 Jul 2018 13:20:26 +0200
Subject: [PATCH] #44 Default SAXParser features are set when SAXParser is
created, so they can be overriden.
(cherry picked from commit 161078a8a520dcd1db6d451190f2434d56547664)
---
src/main/java/org/dom4j/io/SAXHelper.java | 15 +++++++++++++++
src/main/java/org/dom4j/io/SAXReader.java | 23 +----------------------
src/test/java/org/dom4j/io/DTDTest.java | 2 ++
3 files changed, 18 insertions(+), 22 deletions(-)
diff --git a/src/main/java/org/dom4j/io/SAXHelper.java b/src/main/java/org/dom4j/io/SAXHelper.java
index 0810a90c..f120337f 100644
--- a/src/main/java/org/dom4j/io/SAXHelper.java
+++ b/src/main/java/org/dom4j/io/SAXHelper.java
@@ -103,6 +103,21 @@ public static XMLReader createXMLReader(boolean validating)
throw new SAXException("Couldn't create SAX reader");
}
+ // configure namespace support
+ SAXHelper.setParserFeature(reader, "http://xml.org/sax/features/namespaces", true);
+ SAXHelper.setParserFeature(reader, "http://xml.org/sax/features/namespace-prefixes", false);
+
+ // external entites
+// SAXHelper.setParserFeature(reader, "http://xml.org/sax/properties/external-general-entities", false);
+// SAXHelper.setParserFeature(reader, "http://xml.org/sax/properties/external-parameter-entities", false);
+
+ // external DTD
+ SAXHelper.setParserFeature(reader,"http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+
+ // use Locator2 if possible
+ SAXHelper.setParserFeature(reader,"http://xml.org/sax/features/use-locator2", true);
+
return reader;
}
diff --git a/src/main/java/org/dom4j/io/SAXReader.java b/src/main/java/org/dom4j/io/SAXReader.java
index 23559e49..6bb3d926 100644
--- a/src/main/java/org/dom4j/io/SAXReader.java
+++ b/src/main/java/org/dom4j/io/SAXReader.java
@@ -65,11 +65,7 @@
public class SAXReader {
private static final String SAX_STRING_INTERNING =
"http://xml.org/sax/features/string-interning";
- private static final String SAX_NAMESPACE_PREFIXES =
- "http://xml.org/sax/features/namespace-prefixes";
- private static final String SAX_NAMESPACES =
- "http://xml.org/sax/features/namespaces";
- private static final String SAX_DECL_HANDLER =
+ private static final String SAX_DECL_HANDLER =
"http://xml.org/sax/properties/declaration-handler";
private static final String SAX_LEXICAL_HANDLER =
"http://xml.org/sax/properties/lexical-handler";
@@ -902,27 +898,10 @@ protected void configureReader(XMLReader reader, DefaultHandler handler)
SAXHelper.setParserProperty(reader, SAX_DECL_HANDLER, handler);
}
- // configure namespace support
- SAXHelper.setParserFeature(reader, SAX_NAMESPACES, true);
-
- SAXHelper.setParserFeature(reader, SAX_NAMESPACE_PREFIXES, false);
-
// string interning
SAXHelper.setParserFeature(reader, SAX_STRING_INTERNING,
isStringInternEnabled());
- // external entites
- /*
- * SAXHelper.setParserFeature( reader,
- * "http://xml.org/sax/properties/external-general-entities",
- * includeExternalGeneralEntities ); SAXHelper.setParserFeature( reader,
- * "http://xml.org/sax/properties/external-parameter-entities",
- * includeExternalParameterEntities );
- */
- // use Locator2 if possible
- SAXHelper.setParserFeature(reader,
- "http://xml.org/sax/features/use-locator2", true);
-
try {
// configure validation support
reader.setFeature("http://xml.org/sax/features/validation",
diff --git a/src/test/java/org/dom4j/io/DTDTest.java b/src/test/java/org/dom4j/io/DTDTest.java
index ff77e4be..1c432328 100644
--- a/src/test/java/org/dom4j/io/DTDTest.java
+++ b/src/test/java/org/dom4j/io/DTDTest.java
@@ -445,6 +445,8 @@ protected Document readDocument(String resourceName,
reader.setEntityResolver(new MyEntityResolver(DTD_FILE,
DTD_PUBLICID, DTD_SYSTEM_ID));
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", true);
+
return getDocument(resourceName, reader);
}
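Review bot: The two commented-out lines added to SAXHelper.createXMLReader name `http://xml.org/sax/properties/external-general-entities` and `.../properties/external-parameter-entities`, but these are SAX features, not properties; the DocumentHelper.parseText patch in this same series uses the correct `http://xml.org/sax/features/...` URIs, so whoever later un-comments these lines will request a feature the parser does not know, and SAXHelper.setParserFeature presumably reports nothing. Either correct the URIs or drop the dead lines, and replace them with a comment that records the decision, e.g. `// External entity resolution is left at the parser default here; DocumentHelper.parseText applies the hardened settings.`. Note also that `load-external-dtd` is now forced to false for every reader obtained through createXMLReader, and DTDTest has to switch it back on; that is a visible behaviour change for any caller relying on DTD loading and deserves a line in the method's Javadoc. createXMLReader starts before the hunk, so the Javadoc itself is not visible here.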


@ -0,0 +1,31 @@
From c8d112e458799721d0c78959bc591b90e2f8d199 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
Date: Sun, 1 Jul 2018 12:45:33 +0200
Subject: [PATCH] #28 Disable downloading external resources with
DocumentHelper.parseText() helper.
(cherry picked from commit 8f6a7f6001d679176c1079ac65871d4e493360db)
---
src/main/java/org/dom4j/DocumentHelper.java | 3 +++
diff --git a/src/main/java/org/dom4j/DocumentHelper.java b/src/main/java/org/dom4j/DocumentHelper.java
index 26569e2d..a3a69dca 100644
--- a/src/main/java/org/dom4j/DocumentHelper.java
+++ b/src/main/java/org/dom4j/DocumentHelper.java
@@ -18,6 +18,7 @@
import org.jaxen.VariableContext;
import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
/**
* <code>DocumentHelper</code> is a collection of helper methods for using
@@ -256,6 +257,8 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
* <code>parseText</code> parses the given text as an XML document and
* returns the newly created Document.
* </p>
+ *
+ * Loading external DTD and entities is disabled (if it is possible) for security reasons.
*
* @param text
* the XML text to be parsed


@ -0,0 +1,30 @@
From 1707bf3d898a8ada3b213acb0e3b38f16eaae73d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Filip=20Jirs=C3=A1k?= <filip@jirsak.org>
Date: Sat, 11 Apr 2020 19:27:36 +0200
Subject: [PATCH] #28 Disable downloading external resources with
DocumentHelper.parseText() helper.
(cherry picked from commit 8f6a7f6001d679176c1079ac65871d4e493360db)
---
src/main/java/org/dom4j/DocumentHelper.java | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/src/main/java/org/dom4j/DocumentHelper.java b/src/main/java/org/dom4j/DocumentHelper.java
index a3a69dca..6ceed9a3 100644
--- a/src/main/java/org/dom4j/DocumentHelper.java
+++ b/src/main/java/org/dom4j/DocumentHelper.java
@@ -270,6 +270,14 @@ public static void sort(List<Node> list, String expression, boolean distinct) {
*/
public static Document parseText(String text) throws DocumentException {
SAXReader reader = new SAXReader();
+ try {
+ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ } catch (SAXException e) {
+ //Parse with external resources downloading allowed.
+ }
+
String encoding = getEncoding(text);
InputSource source = new InputSource(new StringReader(text));
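Review bot: All three `reader.setFeature(...)` calls in parseText sit in one try block, so if the first, Apache-specific `load-external-dtd` feature is rejected by a non-Xerces parser, the two standard SAX entity features are never attempted and the whole hardening is silently skipped by the empty `catch (SAXException e)`. Applying each feature independently keeps whichever settings the parser does support, and a comment in the catch should say that the fallback is deliberate rather than leaving it bare. The method body continues past the hunk (encoding detection and the actual parse), which I have left out of the sketch below.
```java
SAXReader reader = new SAXReader();
// Apply each feature on its own so that a parser rejecting one of them
// (e.g. the Apache-specific load-external-dtd) still gets the others.
for (String feature : new String[] {
        "http://apache.org/xml/features/nonvalidating/load-external-dtd",
        "http://xml.org/sax/features/external-general-entities",
        "http://xml.org/sax/features/external-parameter-entities"}) {
    try {
        reader.setFeature(feature, false);
    } catch (SAXException e) {
        // Feature unsupported by this parser: parse with its default for it.
    }
}
// … unchanged: encoding detection, InputSource construction and parsing …
```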

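--- a/dom4j-2.0.0.pom
+++ b/dom4j-2.0.0.pom
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+<modelVersion>4.0.0</modelVersion>
+<groupId>org.dom4j</groupId>
+<artifactId>dom4j</artifactId>
+<version>2.0.0</version>
+<name>dom4j</name>
+<description>flexible XML framework for Java</description>
+<url>http://dom4j.github.io/</url>
+<licenses>
+<license>
+<name>BSD 3-clause New License</name>
+<url>https://github.com/dom4j/dom4j/blob/master/LICENSE</url>
+</license>
+</licenses>
+<developers>
+<developer>
+<name>Filip Jirsák</name>
+<email>filip@jirsak.org</email>
+<url>https://github.com/FilipJirsak</url>
+</developer>
+</developers>
+<scm>
+<connection>scm:git:git@github.com:dom4j/dom4j.git</connection>
+<developerConnection>scm:git:git@github.com:dom4j/dom4j.git</developerConnection>
+<url>git@github.com:dom4j/dom4j.git</url>
+</scm>
+<dependencies>
+<dependency>
+<groupId>org.testng</groupId>
+<artifactId>testng</artifactId>
+<version>6.8.21</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>jaxen</groupId>
+<artifactId>jaxen</artifactId>
+<version>1.1.6</version>
+<scope>compile</scope>
+</dependency>
+<dependency>
+<groupId>xalan</groupId>
+<artifactId>xalan</artifactId>
+<version>2.7.2</version>
+<scope>test</scope>
+</dependency>
+<dependency>
+<groupId>xerces</groupId>
+<artifactId>xercesImpl</artifactId>
+<version>2.11.0</version>
+<scope>test</scope>
+</dependency>
+</dependencies>
+</project>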

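--- a/dom4j.spec
+++ b/dom4j.spec
@@ -0,0 +1,62 @@
+Name: dom4j
+Version: 2.0.0
+Release: 9
+Summary: Flexible XML framework for Java
+License: Plexus
+URL: https://dom4j.github.io/
+Source0: https://github.com/%{name}/%{name}/archive/v%{version}.tar.gz
+Source1: https://repo1.maven.org/maven2/org/%{name}/%{name}/%{version}/%{name}-%{version}.pom
+Patch6000: CVE-2018-1000632-pre.patch
+Patch6001: CVE-2018-1000632.patch
+Patch6002: backport-Disable-downloading-external-resources-with-1.patch
+Patch6003: backport-Disable-downloading-external-resources-with-2.patch
+Patch6004: backport-Default-SAXParser-features-are-set-when-SAXParser-is.patch
+Patch6005: backport-CVE-2020-10683-SAXReader-uses-system-default-XMLReader-with-its-defaults.patch
+BuildArch: noarch
+BuildRequires: maven-local, mvn(jaxen:jaxen), mvn(net.java.dev.msv:xsdlib), mvn(xpp3:xpp3), mvn(javax.xml.bind:jaxb-api)
+BuildRequires: mvn(org.testng:testng), mvn(xerces:xercesImpl), mvn(xalan:xalan)
+Obsoletes: %{name}-demo < 2.0.0, %{name}-manual < 2.0.0
+Provides: %{name}-javadoc%{?_isa} %{name}-javadoc
+Obsoletes: %{name}-javadoc
+%description
+dom4j is an easy to use, open source library for working with XML, XPath and XSLT on the Java platform
+using the Java Collections Framework and with full support for DOM, SAX and JAXP.
+%prep
+%autosetup -p1
+%mvn_alias org.%{name}:%{name} %{name}:%{name}
+%mvn_file : %{name}/%{name} %{name}
+cp %{SOURCE1} pom.xml
+%pom_add_dep xpp3:xpp3::provided
+%pom_add_dep net.java.dev.msv:xsdlib::provided
+%pom_add_dep javax.xml.bind:jaxb-api::provided
+rm -rf src/main/java/org/dom4j/xpp
+rm -rf src/main/java/org/dom4j/io/XPPReader.java
+rm -rf src/test/java/org/dom4j/util/PerThreadSingletonTest.java
+%build
+%mvn_build -- -Dproject.build.sourceEncoding=UTF-8
+%install
+%mvn_install
+%files -f .mfiles
+%license LICENSE
+%doc README.md
+%{_javadocdir}/%{name}/*
+%changelog
+* Wed May 11 2022 Ge Wang <wangge20@h-partner.com> - 2.0.0-9
+- License compliance rectification
+* Fri Jun 19 2020 lingsheng <lingsheng@huawei.com> - 2.0.0-8
+- Fix CVE-2020-10683
+* Fri Dec 13 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.0.0-7
+- Package init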

v2.0.0.tar.gz Normal file

Binary file not shown.