!7 Fix CVE-2021-33813

From: @starlet-dx 
Reviewed-by: @wangchong1995924 
Signed-off-by: @wangchong1995924
openeuler-ci-bot 2022-04-20 07:07:00 +00:00 committed by Gitee
commit d4e51cf4c5
GPG Key ID: 173E9B9CA92EEF8F
3 changed files with 111 additions and 1 deletions

69
CVE-2021-33813-1.patch Normal file

@ -0,0 +1,69 @@
From bd3ab78370098491911d7fe9d7a43b97144a234e Mon Sep 17 00:00:00 2001
From: Esti <esther.burs@gmail.com>
Date: Thu, 18 Feb 2021 16:40:01 +0200
Subject: [PATCH] fix setFeature bug and add test case
---
core/src/java/org/jdom2/input/SAXBuilder.java | 10 ++++------
.../test/cases/input/TestSAXBuilder.java | 20 +++++++++++++++++++
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
index d7105ec6..a1462334 100644
--- a/core/src/java/org/jdom2/input/SAXBuilder.java
+++ b/core/src/java/org/jdom2/input/SAXBuilder.java
@@ -971,11 +971,6 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
}
}
- // Set any user-specified features on the parser.
- for (final Map.Entry<String, Boolean> me : features.entrySet()) {
- internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
- }
-
// Set any user-specified properties on the parser.
for (final Map.Entry<String, Object> me : properties.entrySet()) {
internalSetProperty(parser, me.getKey(), me.getValue(), me.getKey());
@@ -1007,7 +1002,10 @@ protected void configureParser(final XMLReader parser, final SAXHandler contentH
// No lexical reporting available
}
}
-
+ // Set any user-specified features on the parser.
+ for (final Map.Entry<String, Boolean> me : features.entrySet()) {
+ internalSetFeature(parser, me.getKey(), me.getValue().booleanValue(), me.getKey());
+ }
}
/**
diff --git a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
index 4ef34834..a69380ba 100644
--- a/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
+++ b/test/src/java/org/jdom2/test/cases/input/TestSAXBuilder.java
@@ -600,6 +600,26 @@ public void testSetFeature() {
}
}
+ @Test
+ public void testSetExternalFeature() {
+ String feature = "http://xml.org/sax/features/external-general-entities";
+ MySAXBuilder sb = new MySAXBuilder();
+ try {
+ sb.setFeature(feature, true);
+ XMLReader reader = sb.createParser();
+ assertNotNull(reader);
+ assertTrue(reader.getFeature(feature));
+ sb.setFeature(feature, false);
+ reader = sb.createParser();
+ assertNotNull(reader);
+ assertFalse(reader.getFeature(feature));
+
+ } catch (Exception e) {
+ e.printStackTrace();
+ fail("Could not create parser: " + e.getMessage());
+ }
+ }
+
@Test
public void testSetProperty() {
LexicalHandler lh = new LexicalHandler() {
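Review bot: The relocated feature loop at the end of configureParser (the `+` lines after `// No lexical reporting available`) keeps its original comment, which no longer says why the loop now runs last, so the ordering that is the actual fix is invisible to the next reader. Suggest replacing it with `// Applied last so that caller-specified features take precedence over the defaults configured above.`; whether the expandEntities-derived settings are applied earlier in this method is outside the hunk, so word it accordingly if not. configureParser begins before this hunk. The added testSetExternalFeature only verifies that the feature round-trips to the created XMLReader; it does not exercise the interaction with setExpandEntities, which the second patch in this commit changes.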

34
CVE-2021-33813-2.patch Normal file

@ -0,0 +1,34 @@
From dd4f3c2fc7893edd914954c73eb577f925a7d361 Mon Sep 17 00:00:00 2001
From: Rolf Lear <rolf@tuis.net>
Date: Thu, 1 Jul 2021 23:42:05 -0400
Subject: [PATCH] Addresses #189 - synchronizes external entity expansion
setting
---
core/src/java/org/jdom2/input/SAXBuilder.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/core/src/java/org/jdom2/input/SAXBuilder.java b/core/src/java/org/jdom2/input/SAXBuilder.java
index a1462334..514b026d 100644
--- a/core/src/java/org/jdom2/input/SAXBuilder.java
+++ b/core/src/java/org/jdom2/input/SAXBuilder.java
@@ -82,6 +82,7 @@ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
import org.jdom2.DocType;
import org.jdom2.Document;
import org.jdom2.EntityRef;
+import org.jdom2.JDOMConstants;
import org.jdom2.JDOMException;
import org.jdom2.JDOMFactory;
import org.jdom2.Verifier;
@@ -797,6 +798,11 @@ public void setFastReconfigure(final boolean fastReconfigure) {
public void setFeature(final String name, final boolean value) {
// Save the specified feature for later.
features.put(name, value ? Boolean.TRUE : Boolean.FALSE);
+ if (JDOMConstants.SAX_FEATURE_EXTERNAL_ENT.equals(name)) {
+ // See issue https://github.com/hunterhacker/jdom/issues/189
+ // And PR https://github.com/hunterhacker/jdom/pull/188
+ setExpandEntities(value);
+ }
engine = null;
}
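Review bot: The synchronization added to setFeature is one-way: a `Boolean.TRUE` stored in `features` for `JDOMConstants.SAX_FEATURE_EXTERNAL_ENT` is not cleared by a later `setExpandEntities(false)` unless that method, which is outside the hunk, also updates `features`, and because the first patch in this commit moves the user-feature loop to the end of configureParser, the stored value would be re-applied after the expandEntities-derived defaults. Either have setExpandEntities write the same map entry, or document the asymmetry on setFeature's Javadoc: `@implNote Setting this feature also calls setExpandEntities; a subsequent setExpandEntities(false) does not remove the stored feature, so it must be reset via setFeature as well.` setFeature's full body is visible in the hunk.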


@ -1,6 +1,6 @@
Name: jdom2
Version: 2.0.6
Release: 15
Release: 16
Summary: Classes representing the components of an XML document
License: Saxpath
URL: http://www.jdom.org/
@ -10,6 +10,10 @@ Source1: jdom-contrib-template.pom
Source2: jdom-junit-template.pom
Source3: bnd.properties
Patch0001: 0001-Adapt-build.patch
#https://github.com/hunterhacker/jdom/commit/bd3ab783700984919.patch
Patch0002: CVE-2021-33813-1.patch
#https://github.com/hunterhacker/jdom/commit/dd4f3c2fc7893edd9.patch
Patch0003: CVE-2021-33813-2.patch
BuildRequires: javapackages-local ant ant-junit isorelax jaxen xalan-j2 xerces-j2 xml-commons-apis log4j12 aqute-bnd
%description
@ -56,6 +60,9 @@ mv build/package/jdom-%{version}.bar build/package/jdom-%{version}.jar
%doc CHANGES.txt COMMITTERS.txt README.txt TODO.txt
%changelog
* Wed Apr 20 2022 yaoxin <yaoxin30@h-partners.com> - 2.0.6-16
- Fix CVE-2021-33813
* Mon Feb 14 2022 wangkai <wangkai385@huawei.com> - 2.0.6-15
- Rebuild for fix log4j1.x cves