jackson/CVE-2019-10172-2.patch

From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001
From: PJ Fanning <pj.fanning@workday.com>
Date: Fri, 1 Jul 2016 22:57:06 +0100
Subject: [PATCH] setExpandEntityReferences(false)

---
 .../java/org/codehaus/jackson/map/ext/DOMDeserializer.java     | 1 +
 .../org/codehaus/jackson/xc/DomElementJsonDeserializer.java    | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
index 3a486b9e4..97f76af97 100644
--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
+++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java
@@ -24,6 +24,7 @@
         _parserFactory = DocumentBuilderFactory.newInstance();
         // yup, only cave men do XML without recognizing namespaces...
         _parserFactory.setNamespaceAware(true);
+        _parserFactory.setExpandEntityReferences(false);
         try {
             _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         } catch(ParserConfigurationException pce) {
diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
index ccd631aa3..8b1de578a 100644
--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
+++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java
@@ -30,10 +30,11 @@ public DomElementJsonDeserializer()
         try {
             DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();
             bf.setNamespaceAware(true);
+            bf.setExpandEntityReferences(false);
             bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
             builder = bf.newDocumentBuilder();
         } catch (ParserConfigurationException e) {
-            throw new RuntimeException();
+            throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString());
         }
     }
fix CVE-2019-10172 2021-09-13 14:40:37 +08:00			`From 2361ec46b5fbf940bafe8247e421e64f9cb7f7b1 Mon Sep 17 00:00:00 2001`
			`From: PJ Fanning <pj.fanning@workday.com>`
			`Date: Fri, 1 Jul 2016 22:57:06 +0100`
			`Subject: [PATCH] setExpandEntityReferences(false)`

			`---`
			`.../java/org/codehaus/jackson/map/ext/DOMDeserializer.java \| 1 +`
			`.../org/codehaus/jackson/xc/DomElementJsonDeserializer.java \| 3 ++-`
			`2 files changed, 3 insertions(+), 1 deletion(-)`

			`diff --git a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java`
			`index 3a486b9e4..97f76af97 100644`
			`--- a/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java`
			`+++ b/src/mapper/java/org/codehaus/jackson/map/ext/DOMDeserializer.java`
			`@@ -24,6 +24,7 @@`
			`_parserFactory = DocumentBuilderFactory.newInstance();`
			`// yup, only cave men do XML without recognizing namespaces...`
			`_parserFactory.setNamespaceAware(true);`
			`+ _parserFactory.setExpandEntityReferences(false);`
			`try {`
			`_parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`
			`} catch(ParserConfigurationException pce) {`
			`diff --git a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java`
			`index ccd631aa3..8b1de578a 100644`
			`--- a/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java`
			`+++ b/src/xc/java/org/codehaus/jackson/xc/DomElementJsonDeserializer.java`
			`@@ -30,10 +30,11 @@ public DomElementJsonDeserializer()`
			`try {`
			`DocumentBuilderFactory bf = DocumentBuilderFactory.newInstance();`
			`bf.setNamespaceAware(true);`
			`+ bf.setExpandEntityReferences(false);`
			`bf.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);`
			`builder = bf.newDocumentBuilder();`
			`} catch (ParserConfigurationException e) {`
			`- throw new RuntimeException();`
			`+ throw new RuntimeException("Problem creating DocumentBuilder: " + e.toString());`
			`}`
			`}`