File: CVE-2020-11988.patch

From: Markus Koschany <apo@debian.org>
Date: Mon, 2 Aug 2021 07:47:01 +0200
Subject: CVE-2020-11988

Bug-Debian: https://bugs.debian.org/984949
Origin: https://github.com/apache/xmlgraphics-commons/commit/57393912eb87b994c7fed39ddf30fb778a275183
---
 .../java/org/apache/xmlgraphics/xmp/XMPParser.java    |  3 +++
 .../org/apache/xmlgraphics/xmp/XMPParserTestCase.java | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
index b7c0e5f..4c58a11 100644
--- a/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
+++ b/src/main/java/org/apache/xmlgraphics/xmp/XMPParser.java
@@ -21,6 +21,7 @@ package org.apache.xmlgraphics.xmp;
 
 import java.net.URL;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -54,6 +55,8 @@ public final class XMPParser {
      */
     public static Metadata parseXMP(Source src) throws TransformerException {
         TransformerFactory tFactory = TransformerFactory.newInstance();
+        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         Transformer transformer = tFactory.newTransformer();
         XMPHandler handler = createXMPHandler();
         SAXResult res = new SAXResult(handler);
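Review bot: The two added `setAttribute` calls throw `IllegalArgumentException` when the factory returned by `TransformerFactory.newInstance()` does not recognize the `XMLConstants.ACCESS_EXTERNAL_*` attributes (a third-party `TransformerFactory` on the classpath), so the hardening either takes effect or turns every `parseXMP` call into a runtime failure, and the commit does not say which outcome is intended. Failing closed is defensible, since a factory that does not know the attribute cannot honour the restriction either, but that decision deserves a comment such as `// Block external DTD/stylesheet fetches (CVE-2020-11988); an unrecognized attribute throws IllegalArgumentException, which is preferable to parsing with external access enabled.` These attributes presumably only govern the parser the transformer creates for itself; if a caller passes a `SAXSource` with its own pre-built `XMLReader`, that reader's configuration decides whether external references are resolved, which is worth stating in the method's Javadoc. `parseXMP` starts before and continues beyond the hunk.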
diff --git a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
index 02c4cf6..5f2ef05 100644
--- a/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
+++ b/src/test/java/org/apache/xmlgraphics/xmp/XMPParserTestCase.java
@@ -19,16 +19,21 @@
 
 package org.apache.xmlgraphics.xmp;
 
+import java.io.StringReader;
 import java.net.URL;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.TimeZone;
 
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.stream.StreamSource;
+
 import org.junit.Test;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 
 import org.apache.xmlgraphics.xmp.schemas.DublinCoreAdapter;
 import org.apache.xmlgraphics.xmp.schemas.DublinCoreSchema;
@@ -189,4 +194,18 @@ public class XMPParserTestCase {
         assertNull(title); //Empty value treated same as not existant
     }
 
+    @Test
+    public void testExternalDTD() {
+        String payload = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
+                + "<!DOCTYPE root [\n<!ENTITY % remote SYSTEM \"http://127.0.0.1:9999/eval.xml\">\n%remote;]>\n"
+                + "<root></root>";
+        StreamSource streamSource = new StreamSource(new StringReader(payload));
+        String msg = "";
+        try {
+            XMPParser.parseXMP(streamSource);
+        } catch (TransformerException e) {
+            msg = e.getMessage();
+        }
+        assertTrue(msg, msg.contains("access is not allowed"));
+    }
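Review bot: `assertTrue(msg, msg.contains("access is not allowed"))` on the last added lines ties the test to the wording of the JDK's built-in transformer error message, which is implementation- and version-specific, so the test can fail on another `TransformerFactory` even when external access is correctly blocked. The property actually under test is that `parseXMP` rejects the document without resolving the external entity; at minimum the assertion deserves a comment `// message text comes from the JDK's default TransformerFactory; adjust if the implementation changes` and a fallback check that an exception was thrown at all. Because the entity URL points at 127.0.0.1:9999, a regression of the guard would surface as a connection error rather than a silent pass, which is acceptable but should be noted in the test's Javadoc.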
 }