File: 100_CVE-2018-1000652_XXE-vulnerability.patch

From 89f855d76713b4cd25ac0830c719cd61c511851e Mon Sep 17 00:00:00 2001
From: Nick <nick.s.weatherley@protonmail.com>
Date: Mon, 30 Jul 2018 16:06:07 +0000
Subject: [PATCH] Fix importer vulnerability (#4240)

* Fix importer vulnerability
Fixed issue #4229 where the importer was vulnerable to XXE attacks by
disabling DTDs, and added a warning to the logger if the features are
unavailable. fixes #4229

Bugs-Debian: https://bugs.debian.org/921772
Bug: https://github.com/JabRef/jabref/issues/4229

--- a/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
+++ b/src/main/java/net/sf/jabref/logic/importer/fileformat/MsBibImporter.java
@@ -6,12 +6,15 @@
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
 import net.sf.jabref.logic.importer.Importer;
 import net.sf.jabref.logic.importer.ParserResult;
 import net.sf.jabref.logic.msbib.MSBibDatabase;
 import net.sf.jabref.logic.util.FileExtensions;
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
 
@@ -23,6 +26,10 @@
  */
 public class MsBibImporter extends Importer {
 
+    private static final Log LOGGER = LogFactory.getLog(MsBibImporter.class);
+    private static final String DISABLEDTD = "http://apache.org/xml/features/disallow-doctype-decl";
+    private static final String DISABLEEXTERNALDTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
     @Override
     public boolean isRecognizedFormat(BufferedReader reader) throws IOException {
         Objects.requireNonNull(reader);
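Review bot: The two new constants on the lines after the LOGGER field do not follow the file's UPPER_SNAKE_CASE convention for static finals; `DISABLE_DTD` and `DISABLE_EXTERNAL_DTD` would read as two words each rather than one run-together identifier. A short comment above them would also tell the next maintainer why the code tolerates them failing, e.g. `// Xerces-specific feature URIs; a parser that does not know them throws ParserConfigurationException in makeSafeDocBuilderFactory.` The constants are only ever read inside that method, so the note could equally live there.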
@@ -34,7 +41,7 @@
          */
         Document docin;
         try {
-            DocumentBuilder dbuild = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            DocumentBuilder dbuild = makeSafeDocBuilderFactory(DocumentBuilderFactory.newInstance()).newDocumentBuilder();
             docin = dbuild.parse(new InputSource(reader));
         } catch (Exception e) {
             return false;
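Review bot: With doctype declarations now disallowed, any input carrying a DOCTYPE makes `dbuild.parse(...)` throw, and the pre-existing `catch (Exception e) { return false; }` turns that into "not recognized" with no trace in the log, so a user whose MSBib file is rejected for this reason gets no hint why. A debug-level line in the catch, `LOGGER.debug("Input rejected as MSBib: " + e.getMessage());`, keeps the fail-closed behaviour while making it diagnosable. isRecognizedFormat begins before this hunk; if importDatabase elsewhere in this file builds its own DocumentBuilderFactory for the real import, it presumably needs the same hardened factory, which this hunk only applies to the recognition path.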
@@ -65,4 +72,29 @@
         return "Importer for the MS Office 2007 XML bibliography format.";
     }
 
+    /**
+     * DocumentBuilderFactory makes a XXE safe Builder factory from dBuild. If not supported by current
+     * XML then returns original builder given and logs error.
+     * @param dBuild | DocumentBuilderFactory to be made XXE safe.
+     * @return If supported, XXE safe DocumentBuilderFactory. Else, returns original builder given
+     */
+    private DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
+        String feature = null;
+
+        try {
+            feature = DISABLEDTD;
+            dBuild.setFeature(feature, true);
+
+            feature = DISABLEEXTERNALDTD;
+            dBuild.setFeature(feature, false);
+
+            dBuild.setXIncludeAware(false);
+            dBuild.setExpandEntityReferences(false);
+
+        } catch (ParserConfigurationException e) {
+            LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e);
+        }
+
+        return dBuild;
+    }
 }
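Review bot: In makeSafeDocBuilderFactory one try block wraps all four hardening calls, so if `setFeature(DISABLEDTD, true)` throws on a parser that lacks that feature, the external-DTD feature, `setXIncludeAware(false)` and `setExpandEntityReferences(false)` are skipped as well, and the method still returns the factory for parsing with only a warning logged. Applying each setting independently limits the loss to the single unsupported feature; whether the caller should refuse to parse at all when the doctype feature is unavailable is a policy choice the commit message does not settle, and is worth stating in the Javadoc. The method reads no instance state, so it can be `static`, and the Javadoc summary should start with a verb phrase, e.g. `Hardens the given factory against XXE by disallowing DOCTYPE declarations and disabling external DTD loading, XInclude and entity expansion.`
```java
private static DocumentBuilderFactory makeSafeDocBuilderFactory(DocumentBuilderFactory dBuild) {
    // Each feature is set on its own so one unsupported feature does not
    // prevent the remaining hardening from being applied.
    setFeatureOrWarn(dBuild, DISABLEDTD, true);
    setFeatureOrWarn(dBuild, DISABLEEXTERNALDTD, false);
    dBuild.setXIncludeAware(false);
    dBuild.setExpandEntityReferences(false);
    return dBuild;
}

private static void setFeatureOrWarn(DocumentBuilderFactory dBuild, String feature, boolean value) {
    try {
        dBuild.setFeature(feature, value);
    } catch (ParserConfigurationException e) {
        LOGGER.warn("Builder not fully configured. Feature:'" + feature + "' is probably not supported by current XML processor.", e);
    }
}
```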