From c683da407b7dd4f5cb84908a7e951bf4ccdfdd4f Mon Sep 17 00:00:00 2001
From: Nitin Dahyabhai
Date: Sun, 26 Feb 2017 23:42:56 -0500
Subject: [508083] XML External Entity vulnerability, increment org.eclipse.wst.xml.core for WTP 3.8.2
---
 bundles/org.eclipse.wst.xml.core/META-INF/MANIFEST.MF | 2 +-
 bundles/org.eclipse.wst.xml.core/pom.xml | 2 +-
 .../wst/xml/core/internal/validation/ValidatorHelper.java | 9 ++++++++-
 .../wst/xml/core/internal/validation/XMLValidator.java | 15 ++++++++++++---
 4 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/bundles/org.eclipse.wst.xml.core/META-INF/MANIFEST.MF b/bundles/org.eclipse.wst.xml.core/META-INF/MANIFEST.MF
index 4f6bbc2985..0ba0e1becb 100644
--- a/bundles/org.eclipse.wst.xml.core/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.wst.xml.core/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.wst.xml.core; singleton:=true
-Bundle-Version: 1.1.1000.qualifier
+Bundle-Version: 1.1.1001.qualifier
 Bundle-Activator: org.eclipse.wst.xml.core.internal.XMLCorePlugin
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.wst.xml.core/pom.xml b/bundles/org.eclipse.wst.xml.core/pom.xml
index 972eb8f354..6c7c1d29cf 100644
--- a/bundles/org.eclipse.wst.xml.core/pom.xml
+++ b/bundles/org.eclipse.wst.xml.core/pom.xml
@@ -21,6 +21,6 @@ org.eclipse.webtools.sourceediting org.eclipse.wst.xml.core - 1.1.1000-SNAPSHOT + 1.1.1001-SNAPSHOT eclipse-plugin
diff --git a/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/ValidatorHelper.java b/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/ValidatorHelper.java
index d030ecb0df..ff40831d67 100644
--- a/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/ValidatorHelper.java
+++ b/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/ValidatorHelper.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2001, 2012 IBM Corporation and others.
+ * Copyright (c) 2001, 2017 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
@@ -81,6 +81,13 @@ public class ValidatorHelper reader.setFeature("http://xml.org/sax/features/namespace-prefixes", true); //$NON-NLS-1$ reader.setFeature("http://xml.org/sax/features/namespaces", false); //$NON-NLS-1$ reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); //$NON-NLS-1$ + + // http://bugs.eclipse.org/508083 + if (!Boolean.valueOf(System.getProperty("xmlvalidation.resolve-external-entities")).booleanValue()) {//$NON-NLS-1$ + reader.setFeature("http://xml.org/sax/features/external-general-entities", false); //$NON-NLS-1$ + reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false); //$NON-NLS-1$ + } + reader.setContentHandler(new MyContentHandler(uri)); reader.setErrorHandler(new InternalErrorHandler());
diff --git a/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/XMLValidator.java b/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/XMLValidator.java
index 806f1797b3..d655e95815 100644
--- a/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/XMLValidator.java
+++ b/bundles/org.eclipse.wst.xml.core/src-validation/org/eclipse/wst/xml/core/internal/validation/XMLValidator.java
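Review bot: The opt-out switch `xmlvalidation.resolve-external-entities` in the @@ -81 hunk is a bare string literal with no comment on what it re-enables or what it defaults to, and the same literal and the same `Boolean.valueOf(System.getProperty(...)).booleanValue()` expression are repeated in the XMLValidator constructor hunk of this patch. Since `Boolean.valueOf((String) null)` is `Boolean.FALSE`, external general and parameter entities stay disabled unless the property is set to "true" (case-insensitively), which is the safe default for documents of unknown origin but is not obvious from the code. I would hoist the name into one shared constant (say `RESOLVE_EXTERNAL_ENTITIES_PROPERTY`), write the test as the equivalent `if (!Boolean.getBoolean(RESOLVE_EXTERNAL_ENTITIES_PROPERTY)) {`, and document it with `// External entity resolution is off by default (bug 508083); -Dxmlvalidation.resolve-external-entities=true re-enables it for every validation in this JVM`. The enclosing method starts and ends outside the hunk, so whether the checked SAX exceptions that `setFeature` declares (if `reader` is a SAX `XMLReader`) are handled is not visible here.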
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2001, 2014 IBM Corporation and others.
+ * Copyright (c) 2001, 2017 IBM Corporation and others.
 * All rights reserved. This program and the accompanying materials
 * are made available under the terms of the Eclipse Public License v1.0
 * which accompanies this distribution, and is available at
@@ -34,6 +34,7 @@ import java.util.TreeSet;
 import org.apache.xerces.impl.XMLErrorReporter;
 import org.apache.xerces.impl.msg.XMLMessageFormatter;
 import org.apache.xerces.parsers.XIncludeAwareParserConfiguration;
+import org.apache.xerces.parsers.XML11Configuration;
 import org.apache.xerces.xni.Augmentations;
 import org.apache.xerces.xni.NamespaceContext;
 import org.apache.xerces.xni.QName;
@@ -830,8 +831,16 @@ public class XMLValidator
 */
 public MyStandardParserConfiguration(XMLValidationInfo valinfo)
 {
- this.valinfo = valinfo;
-
+ this.valinfo = valinfo;
+
+ // http://bugs.eclipse.org/508083
+ if (!Boolean.valueOf(System.getProperty("xmlvalidation.resolve-external-entities")).booleanValue()) //$NON-NLS-1$
+ {
+ setFeature(XML11Configuration.EXTERNAL_GENERAL_ENTITIES, false);
+ setFeature(XML11Configuration.EXTERNAL_PARAMETER_ENTITIES, false);
+ resetCommon();
+ }
+
 XMLErrorReporter errorReporter = createErrorReporter();
 if (errorReporter.getMessageFormatter(XMLMessageFormatter.XML_DOMAIN) == null) {
 XMLMessageFormatter xmft = new XMLMessageFormatter();
-- cgit v1.2.3
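Review bot: The `resetCommon()` call added in the @@ -830 hunk is the one non-obvious line of the new block and carries no comment, and the constructor Javadoc, whose closing ` */` is the first context line, does not say that the configuration now starts with external entities disabled. If the call is there to push the two feature values into components the superclass constructor has already created, rather than waiting for the reset that happens when parsing starts, state that: `// propagate the entity features to components the superclass constructor already created`, and add a Javadoc sentence that external general and parameter entities are disabled unless the `xmlvalidation.resolve-external-entities` system property is true. Whether `resetCommon()` is safe to call this early in construction, before any input source is set, cannot be confirmed from the hunk and should be checked against the Xerces `XML11Configuration` the new import refers to.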