diff -up ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java.fix ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
--- ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java.fix	2011-10-07 18:26:38.000000000 -0400
+++ ./common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java	2011-10-07 18:26:21.000000000 -0400
@@ -16,6 +16,20 @@ public class SAXParsers {
 		spf = SAXParserFactory.newInstance();
 		spf.setNamespaceAware(true);
 		spf.setValidating(false);
+		try {        
+			spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		} catch (javax.xml.parsers.ParserConfigurationException e) {
+			// Ignore it
+		} catch (org.xml.sax.SAXException e) {
+			// Ignore it
+		}                    
+		try {        
+			spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+		} catch (javax.xml.parsers.ParserConfigurationException e) {
+			// Ignore it
+		} catch (org.xml.sax.SAXException e) {
+			// Ignore it
+		}    
 	}
 
 	/** Creates a new instance of {@link XMLReader}.
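Review bot: The four new catch blocks (`// Ignore it`) swallow the failure silently, so on a SAX implementation that does not recognise or cannot honour these feature URIs the initializer completes normally and the parser keeps resolving external entities — the protection this patch adds is then absent without any trace, which is the one outcome a fix for this class of bug must not have. Since this runs in what appears to be a static initializer (its opening line is outside the hunk), a feature that cannot be disabled should be surfaced rather than ignored, e.g. by rethrowing as `IllegalStateException` with the original exception as cause; if best-effort is really intended, the comment should say why silent continuation is acceptable here. The two identical try/catch stanzas also duplicate each other and carry trailing whitespace on the `try {` and `}` lines; a small helper removes both and makes it easy to additionally turn off `http://apache.org/xml/features/nonvalidating/load-external-dtd` or, where DOCTYPE declarations are never expected in requests, `http://apache.org/xml/features/disallow-doctype-decl` on implementations that support them. Sketch of the helper below; the initializer's opening line and the rest of the file are not shown in the hunk.
```java
		spf.setValidating(false);
		setFeature(spf, "http://xml.org/sax/features/external-general-entities", false);
		setFeature(spf, "http://xml.org/sax/features/external-parameter-entities", false);
	}

	/** Sets a SAX feature on the factory, failing loudly if the implementation
	 *  cannot honour it: continuing silently would leave external entity
	 *  resolution enabled without anyone noticing. */
	private static void setFeature(SAXParserFactory factory, String name, boolean value) {
		try {
			factory.setFeature(name, value);
		} catch (javax.xml.parsers.ParserConfigurationException e) {
			throw new IllegalStateException("Unable to set SAX feature " + name + " to " + value, e);
		} catch (org.xml.sax.SAXException e) {
			throw new IllegalStateException("Unable to set SAX feature " + name + " to " + value, e);
		}
	}
```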
diff -up ./pom.xml.fix ./pom.xml
--- ./pom.xml.fix	2011-10-07 18:17:04.000000000 -0400
+++ ./pom.xml	2011-10-07 18:18:52.000000000 -0400
@@ -173,6 +173,10 @@
             <name>Ken Weiner</name>
             <email>kweiner@gmail.com</email>
         </contributor>
+        <contributor>
+            <name>Johan H&#244;gre</name>
+            <email>johan.hagre@home.se</email>
+        </contributor>
     </contributors>
     <scm>
         <connection>scm:svn:scm:svn:https://svn.apache.org/repos/asf/webservices/xmlrpc/tags/XMLRPC_3_0</connection>
diff -up ./src/changes/changes.xml.fix ./src/changes/changes.xml
--- ./src/changes/changes.xml.fix	2011-10-07 18:22:58.000000000 -0400
+++ ./src/changes/changes.xml	2011-10-07 18:22:40.000000000 -0400
@@ -65,6 +65,13 @@
           due-to-email="Catalin.Hritcu@gmail.com" issue="XMLRPC-109">
         Fixed an invalid FAQ example.
       </action>
+       </action>
+      <action dev="jochen" type="fix" due-to="Johan H&#244;gre"
+          due-to-email="johan.hagre@home.se">
+        Fixed a potential security hole: The client has been able to 
+        include server side resources
+        into the request by using external entities.
+      </action>
     </release>
     <release version="3.0rc1" date="27-Jul-2006">
       <action dev="jochen" type="fix" due-to="Alan Burlison"