From: Markus Koschany <apo@debian.org>
Date: Mon, 24 Feb 2020 12:33:58 +0100
Subject: CVE-2018-1000825
Bug-Debian: https://bugs.debian.org/917023
Origin: https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
---
src/net/sf/freecol/common/io/FreeColXMLReader.java | 19 +++++++++++++++++--
src/net/sf/freecol/common/model/FreeColObject.java | 3 +++
src/net/sf/freecol/common/networking/Connection.java | 3 +++
src/net/sf/freecol/common/networking/DOMMessage.java | 3 +++
src/net/sf/freecol/tools/GenerateDocumentation.java | 3 +++
5 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/net/sf/freecol/common/io/FreeColXMLReader.java b/src/net/sf/freecol/common/io/FreeColXMLReader.java
index dd78a40..abbaba6 100644
--- a/src/net/sf/freecol/common/io/FreeColXMLReader.java
+++ b/src/net/sf/freecol/common/io/FreeColXMLReader.java
@@ -88,7 +88,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
super();
try {
- XMLInputFactory xif = XMLInputFactory.newInstance();
+ XMLInputFactory xif = newXMLInputFactory();
setParent(xif.createXMLStreamReader(inputStream, "UTF-8"));
} catch (XMLStreamException e) {
throw new IOException(e);
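Review bot: newXMLInputFactory() is called inside a try that catches only XMLStreamException, here and in the Reader-based constructor in the next hunk, but XMLInputFactory.setProperty reports an unsupported property with the unchecked IllegalArgumentException. Both properties set by the helper are standard StAX ones, so this is unlikely to fire, but if it did it would escape the IOException wrapping these constructors use. Consider handling it in the helper so a parser that cannot be hardened fails in a defined way.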
@@ -109,7 +109,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
super();
try {
- XMLInputFactory xif = XMLInputFactory.newInstance();
+ XMLInputFactory xif = newXMLInputFactory();
setParent(xif.createXMLStreamReader(reader));
} catch (XMLStreamException e) {
throw new IOException(e);
@@ -118,6 +118,21 @@ public class FreeColXMLReader extends StreamReaderDelegate
this.readScope = ReadScope.NORMAL;
}
+ /**
+ * Create a new XMLInputFactory.
+ *
+ * Respond to CVE 2018-1000825.
+ *
+ * @return A new <code>XMLInputFactory</code>.
+ */
+ private static XMLInputFactory newXMLInputFactory() {
+ XMLInputFactory xif = XMLInputFactory.newInstance();
+ // This disables DTDs entirely for that factory
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ // disable external entities
+ xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+ return xif;
+ }
/**
* Should reads from this stream intern their objects into the
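Review bot: the second setProperty call in newXMLInputFactory() passes the property name as the string literal "javax.xml.stream.isSupportingExternalEntities" while the first uses a constant. XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES is the same key and is checked by the compiler, so use it for consistency. The Javadoc also writes the identifier as "CVE 2018-1000825"; spelling it "CVE-2018-1000825" as in the Subject line makes the reference findable by search.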
diff --git a/src/net/sf/freecol/common/model/FreeColObject.java b/src/net/sf/freecol/common/model/FreeColObject.java
index 01c9887..d8f3754 100644
--- a/src/net/sf/freecol/common/model/FreeColObject.java
+++ b/src/net/sf/freecol/common/model/FreeColObject.java
@@ -49,6 +49,7 @@ import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
import net.sf.freecol.common.ObjectWithId;
import net.sf.freecol.common.io.FreeColXMLReader;
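Review bot: style point on the added import: javax.xml.XMLConstants is appended after the javax.xml.transform.* block, although the surrounding imports are in sorted order and it would sort ahead of them. The same placement is repeated in the import hunks of Connection.java, DOMMessage.java and GenerateDocumentation.java; moving it keeps the import lists mergeable.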
@@ -895,6 +896,8 @@ public abstract class FreeColObject
public void readFromXMLElement(Element element) {
try {
TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer xmlTransformer = factory.newTransformer();
StringWriter stringWriter = new StringWriter();
xmlTransformer.transform(new DOMSource(element),
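Review bot: the two factory.setAttribute calls in readFromXMLElement can throw IllegalArgumentException when the TransformerFactory implementation selected at runtime does not recognise the JAXP 1.5 access attributes, which happens with some third-party implementations on the classpath. The visible lines do not show whether the enclosing try handles that. Consider also setting XMLConstants.FEATURE_SECURE_PROCESSING via setFeature, and deciding explicitly what happens when the attributes are rejected.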
diff --git a/src/net/sf/freecol/common/networking/Connection.java b/src/net/sf/freecol/common/networking/Connection.java
index f88d2ed..48954bd 100644
--- a/src/net/sf/freecol/common/networking/Connection.java
+++ b/src/net/sf/freecol/common/networking/Connection.java
@@ -40,6 +40,7 @@ import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
import net.sf.freecol.common.FreeColException;
import net.sf.freecol.common.debug.FreeColDebugger;
@@ -101,6 +102,8 @@ public class Connection implements Closeable {
Transformer myTransformer = null;
try {
TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
myTransformer = factory.newTransformer();
myTransformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION,
"yes");
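Review bot: these are the same two setAttribute lines that this patch also pastes into FreeColObject, DOMMessage and GenerateDocumentation. FreeColXMLReader got a single newXMLInputFactory() helper for its hardening; a matching helper that returns a configured TransformerFactory would keep the four call sites from drifting apart and give one place to add further restrictions later.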
diff --git a/src/net/sf/freecol/common/networking/DOMMessage.java b/src/net/sf/freecol/common/networking/DOMMessage.java
index 7181a7d..8fe7295 100644
--- a/src/net/sf/freecol/common/networking/DOMMessage.java
+++ b/src/net/sf/freecol/common/networking/DOMMessage.java
@@ -37,6 +37,7 @@ import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
import net.sf.freecol.common.io.FreeColXMLWriter;
import net.sf.freecol.common.debug.FreeColDebugger;
@@ -448,6 +449,8 @@ public class DOMMessage {
public static String elementToString(Element element) {
try {
TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Transformer xt = factory.newTransformer();
StringWriter sw = new StringWriter();
xt.transform(new DOMSource(element), new StreamResult(sw));
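Review bot: elementToString builds a Transformer with no stylesheet and serialises an Element that has already been parsed, so the two added attributes do not restrict any parsing on this path. The place where a DTD or external entity would be resolved is wherever the DOM was built from incoming text, and none of the five files in this diffstat shows a DocumentBuilderFactory being configured. Worth confirming that the code producing these Elements disables DTDs and external entities as well.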
diff --git a/src/net/sf/freecol/tools/GenerateDocumentation.java b/src/net/sf/freecol/tools/GenerateDocumentation.java
index aac0f55..a52cf5b 100644
--- a/src/net/sf/freecol/tools/GenerateDocumentation.java
+++ b/src/net/sf/freecol/tools/GenerateDocumentation.java
@@ -35,6 +35,7 @@ import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
+import javax.xml.XMLConstants;
import net.sf.freecol.common.i18n.Messages;
import net.sf.freecol.common.model.StringTemplate;
@@ -192,6 +193,8 @@ public class GenerateDocumentation {
Messages.loadMessageBundle(Messages.getLocale(languageCode));
try {
TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Source xsl = new StreamSource(new File("doc", XSL));
Transformer stylesheet;
try {
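Review bot: in GenerateDocumentation the stylesheet is loaded from a local file, new File("doc", XSL), and an empty ACCESS_EXTERNAL_STYLESHEET value denies every protocol, file included. If that stylesheet uses xsl:import or xsl:include to pull in another local sheet, this tool will start failing after the change. Either confirm the XSL is self-contained or allow only "file" for this build-time tool.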