authorBrian de Alwis2017-08-30 19:47:56 +0000
committerThomas Watson2017-09-06 12:59:25 +0000
commitf94c9ac9bd27522cf55784111380d5f4aebc4bab (patch)
treef6df7429532793e4b56631a512511746172ef3e8
parent6ab4441a4442b39f8e06608299ad0d894276a873 (diff)
Ensure XML processors are configured to use XMLConstants.FEATURE_SECURE_PROCESSING=true to avoid accessing external DTDs and expanding external entities. (Backport to 4.7) Change-Id: Icabb6e0d55dd546a66ad506cde7e24a996484f1a Signed-off-by: Brian de Alwis <bsd@mt.ca> Signed-off-by: Thomas Watson <tjwatson@us.ibm.com>
-rw-r--r--bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java7
-rw-r--r--bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.core/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java75
-rw-r--r--bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java4
-rw-r--r--bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java3
-rw-r--r--bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java3
-rw-r--r--bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java5
-rw-r--r--bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.repository/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java14
-rw-r--r--bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java3
-rw-r--r--bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.ui/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java3
-rw-r--r--bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF2
-rw-r--r--bundles/org.eclipse.equinox.p2.updatesite/pom.xml2
-rw-r--r--bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java5
-rw-r--r--bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java7
-rw-r--r--bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java3
28 files changed, 124 insertions, 40 deletions
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
index 8e7fae428..a8cf92c71 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
@@ -24,8 +24,7 @@ import java.util.*;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.internal.p2.repository.DownloadStatus;
import org.eclipse.equinox.internal.p2.repository.Transport;
import org.eclipse.equinox.p2.repository.IRepository;
@@ -266,7 +265,7 @@ public class MirrorSelector {
}
mirrorsURL = mirrorsURL + "countryCode=" + countryCode + "&timeZone=" + timeZone + "&format=xml"; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
- DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document document = null;
// Use Transport to read the mirrors list (to benefit from proxy support, authentication, etc)
@@ -292,7 +291,7 @@ public class MirrorSelector {
|| mirrorsURL.startsWith("https://") //$NON-NLS-1$
|| mirrorsURL.startsWith("file://") //$NON-NLS-1$
|| mirrorsURL.startsWith("ftp://") //$NON-NLS-1$
- || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
+ || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
log("Error processing mirrors URL: " + mirrorsURL, e); //$NON-NLS-1$
return null;
}
diff --git a/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
index 4c3a8fb40..18590e966 100644
--- a/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.core;singleton:=true
-Bundle-Version: 2.4.100.qualifier
+Bundle-Version: 2.4.101.qualifier
Bundle-ClassPath: .
Bundle-Activator: org.eclipse.equinox.internal.p2.core.Activator
Bundle-Vendor: %providerName
diff --git a/bundles/org.eclipse.equinox.p2.core/pom.xml b/bundles/org.eclipse.equinox.p2.core/pom.xml
index a4c2ecbcc..3d2761a9d 100644
--- a/bundles/org.eclipse.equinox.p2.core/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.core/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.core</artifactId>
- <version>2.4.100-SNAPSHOT</version>
+ <version>2.4.101-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
new file mode 100644
index 000000000..4a0fc45c7
--- /dev/null
+++ b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * Copyright (c) 20017 Manumitting Technologies Inc and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Manumitting Technologies Inc - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.equinox.internal.p2.core.helpers;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.*;
+import org.eclipse.core.runtime.IStatus;
+import org.eclipse.core.runtime.Status;
+import org.eclipse.equinox.internal.p2.core.Activator;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+/**
+ * A utility class for processing XML data in a secure fashion,
+ * avoiding XML Entity Expansion problems
+ */
+public class SecureXMLUtil {
+ /**
+ * Create a new {@link DocumentBuilderFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static DocumentBuilderFactory newSecureDocumentBuilderFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link SAXParserFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static SAXParserFactory newSecureSAXParserFactory() {
+ SAXParserFactory factory = SAXParserFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link XMLReader} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static XMLReader newSecureXMLReader() throws SAXException {
+ XMLReader reader = XMLReaderFactory.createXMLReader();
+ try {
+ reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return reader;
+ }
+}
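Review bot: All three factory methods fail open: when `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` throws, the exception is logged at WARNING and the unhardened factory or reader is still returned, so a caller of a `newSecure…` method cannot tell that it received a default parser. What FEATURE_SECURE_PROCESSING restricts is also implementation-dependent; it is specified mainly around resource limits, and whether it blocks external DTD and entity resolution probably depends on the JAXP provider and its version. The goal stated in the commit message would be better served by also setting explicit features, for example `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`. In `newSecureXMLReader`, a plain SAX `XMLReader` may not recognise the JAXP feature at all, in which case the method silently degrades to `XMLReaderFactory.createXMLReader()`; since it already declares `throws SAXException`, consider propagating the failure instead of logging it. The licence header also has a typo in the year, `20017`.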
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
index 2d139b642..ad98f49c0 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %Bundle-Name
Bundle-SymbolicName: org.eclipse.equinox.p2.discovery.compatibility;singleton:=true
-Bundle-Version: 1.0.200.qualifier
+Bundle-Version: 1.0.201.qualifier
Bundle-Vendor: %Bundle-Vendor
Bundle-RequiredExecutionEnvironment: J2SE-1.5
Require-Bundle: org.eclipse.core.runtime;bundle-version="3.3.0",
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml b/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
index b580d47a5..537d3ba32 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
@@ -19,6 +19,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.discovery.compatibility</artifactId>
- <version>1.0.200-SNAPSHOT</version>
+ <version>1.0.201-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java b/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
index 251b721ad..98ec85241 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
@@ -13,12 +13,12 @@ package org.eclipse.equinox.internal.p2.discovery.compatibility;
import java.io.IOException;
import java.io.Reader;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.discovery.compatibility.Directory.Entry;
import org.eclipse.equinox.internal.p2.discovery.compatibility.util.DefaultSaxErrorHandler;
import org.eclipse.equinox.internal.p2.discovery.compatibility.util.IOWithCauseException;
import org.eclipse.osgi.util.NLS;
import org.xml.sax.*;
-import org.xml.sax.helpers.XMLReaderFactory;
/**
* A parser for {@link Directory directories}.
@@ -38,7 +38,7 @@ public class DirectoryParser {
public Directory parse(Reader directoryContents) throws IOException {
XMLReader xmlReader;
try {
- xmlReader = XMLReaderFactory.createXMLReader();
+ xmlReader = SecureXMLUtil.newSecureXMLReader();
} catch (SAXException e) {
throw new IOWithCauseException(e.getMessage(), e);
}
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
index 06c6ee6f8..b8fdf1036 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.metadata.repository;singleton:=true
-Bundle-Version: 1.2.400.qualifier
+Bundle-Version: 1.2.401.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.metadata.repository.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
index b2d98ee6b..0ea826cd9 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
@@ -19,6 +19,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.metadata.repository</artifactId>
- <version>1.2.400-SNAPSHOT</version>
+ <version>1.2.401-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
index 63ace1841..cd7b0202a 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
@@ -15,6 +15,7 @@ import java.io.InputStream;
import java.util.Arrays;
import java.util.Collection;
import javax.xml.parsers.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.metadata.repository.io.MetadataParser;
import org.eclipse.equinox.internal.p2.persistence.Messages;
import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -33,7 +34,7 @@ public class IUDeserializer {
* Construct a new instance of the deserializer.
*/
public IUDeserializer() {
- deserializer = new IUDeserializerParser(SAXParserFactory.newInstance());
+ deserializer = new IUDeserializerParser(SecureXMLUtil.newSecureSAXParserFactory());
}
/**
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
index 3b28e9fed..57a31059f 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %bundleName
Bundle-SymbolicName: org.eclipse.equinox.p2.publisher.eclipse;singleton:=true
-Bundle-Version: 1.2.200.qualifier
+Bundle-Version: 1.2.201.qualifier
Bundle-Activator: org.eclipse.pde.internal.publishing.Activator
Bundle-ActivationPolicy: lazy
Bundle-Vendor: %providerName
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml b/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
index 00d164118..69281b278 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
@@ -10,6 +10,6 @@
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.publisher.eclipse</artifactId>
- <version>1.2.200-SNAPSHOT</version>
+ <version>1.2.201-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
index 955bf2ff1..e5274dda4 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
@@ -19,6 +19,7 @@ import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.p2.metadata.VersionRange;
import org.eclipse.equinox.p2.publisher.eclipse.Feature;
import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -33,7 +34,7 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class FeatureManifestParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private SAXParser parser;
protected Feature result;
private URL url;
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
index 2f89f0460..bfe9c256c 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
@@ -25,8 +25,7 @@ import java.util.Map.Entry;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
import org.eclipse.equinox.frameworkadmin.BundleInfo;
-import org.eclipse.equinox.internal.p2.core.helpers.ServiceHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.URLUtil;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.metadata.IVersionedId;
import org.eclipse.equinox.p2.metadata.VersionedId;
import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -67,7 +66,7 @@ public class ProductFile extends DefaultHandler implements IProductDescriptor {
private static final String PROPERTY_ECLIPSE_APPLICATION = "eclipse.application"; //$NON-NLS-1$
private static final String PROPERTY_ECLIPSE_PRODUCT = "eclipse.product"; //$NON-NLS-1$
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private static final String PROGRAM_ARGS = "programArgs"; //$NON-NLS-1$
private static final String PROGRAM_ARGS_LINUX = "programArgsLin"; //$NON-NLS-1$
diff --git a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
index 6c8562e53..212c76c5e 100644
--- a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.repository;singleton:=true
-Bundle-Version: 2.3.300.qualifier
+Bundle-Version: 2.3.301.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.repository.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.repository/pom.xml b/bundles/org.eclipse.equinox.p2.repository/pom.xml
index ad34fe52f..28a60bf8d 100644
--- a/bundles/org.eclipse.equinox.p2.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.repository/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.repository</artifactId>
- <version>2.3.300-SNAPSHOT</version>
+ <version>2.3.301-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
index abc7032fa..b0c84f837 100644
--- a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
+++ b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
@@ -15,8 +15,7 @@ import java.util.*;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
import org.eclipse.equinox.internal.p2.core.Activator;
-import org.eclipse.equinox.internal.p2.core.helpers.OrderedProperties;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.metadata.Version;
import org.eclipse.equinox.p2.metadata.VersionRange;
import org.eclipse.osgi.util.NLS;
@@ -72,7 +71,16 @@ public abstract class XMLParser extends DefaultHandler implements XMLConstants {
xmlTracker = new ServiceTracker<SAXParserFactory, SAXParserFactory>(context, SAXParserFactory.class, null);
xmlTracker.open();
}
- return xmlTracker.getService();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ SAXParserFactory factory = xmlTracker.getService();
+ try {
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
}
protected synchronized static void releaseXMLParsing() {
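Review bot: `xmlTracker.getService()` can return null when no `SAXParserFactory` service is registered, and the added `factory.setFeature(...)` call would then throw a NullPointerException where the old code handed null back to the caller; add `if (factory == null) return null;` before the `try`. As in `SecureXMLUtil`, a failed `setFeature` is only logged and the unhardened factory is still returned. The instance comes from the service registry, so setting the feature here may also change a factory object that other consumers share; that depends on how the service is registered, which the hunk does not show. The try/catch duplicates `SecureXMLUtil.newSecureSAXParserFactory()`, so a helper in `SecureXMLUtil` that hardens an existing factory would keep the two in step. The enclosing method starts above the hunk.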
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
index b3688d8b1..dea79245c 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.touchpoint.eclipse;singleton:=true
-Bundle-Version: 2.1.500.qualifier
+Bundle-Version: 2.1.501.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.touchpoint.eclipse.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
index 8a5ef79c7..3c8ae9f15 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.touchpoint.eclipse</artifactId>
- <version>2.1.500-SNAPSHOT</version>
+ <version>2.1.501-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
index da32cc115..d5297eb8f 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
@@ -16,6 +16,7 @@ import java.util.ArrayList;
import java.util.StringTokenizer;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.URIUtil;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.p2.core.ProvisionException;
import org.eclipse.osgi.util.NLS;
import org.w3c.dom.*;
@@ -177,7 +178,7 @@ public class ConfigurationParser implements ConfigurationConstants {
*/
private Document load(InputStream input) throws ParserConfigurationException, IOException, SAXException {
// load the feature xml
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = SecureXMLUtil.newSecureDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
input = new BufferedInputStream(input);
try {
diff --git a/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
index 7e7a0604a..4511fcd58 100644
--- a/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %bundleName
Bundle-SymbolicName: org.eclipse.equinox.p2.ui;singleton:=true
-Bundle-Version: 2.5.0.qualifier
+Bundle-Version: 2.5.1.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.ui.ProvUIActivator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.ui/pom.xml b/bundles/org.eclipse.equinox.p2.ui/pom.xml
index d80f7033f..1ca11291d 100644
--- a/bundles/org.eclipse.equinox.p2.ui/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.ui/pom.xml
@@ -19,6 +19,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.ui</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.5.1-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java b/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
index b0173c2cc..192667109 100644
--- a/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
+++ b/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
@@ -17,6 +17,7 @@ import java.util.Iterator;
import java.util.Vector;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.ui.model.MetadataRepositoryElement;
import org.eclipse.equinox.p2.engine.IProvisioningPlan;
import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -41,7 +42,6 @@ public class UpdateManagerCompatibility {
// This value was copied from MetadataGeneratorHelper. Must be the same.
private static final String ECLIPSE_INSTALL_HANDLER_PROP = "org.eclipse.update.installHandler"; //$NON-NLS-1$
- private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
private static void parse(String fileName, Vector<MetadataRepositoryElement> bookmarks) {
File file = new File(fileName);
@@ -49,6 +49,7 @@ public class UpdateManagerCompatibility {
return;
try {
+ DocumentBuilderFactory documentBuilderFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder parser = documentBuilderFactory.newDocumentBuilder();
Document doc = parser.parse(file);
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
index 69b7047c1..51a21af1c 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.updatesite;singleton:=true
-Bundle-Version: 1.0.600.qualifier
+Bundle-Version: 1.0.601.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.updatesite.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/pom.xml b/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
index ea87f73b6..8cd3b6ae7 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.updatesite</artifactId>
- <version>1.0.600-SNAPSHOT</version>
+ <version>1.0.601-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
index 6871ab164..61501dc6a 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
@@ -18,8 +18,7 @@ import java.net.URISyntaxException;
import java.util.*;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.publisher.eclipse.URLEntry;
import org.eclipse.equinox.p2.repository.IRepository;
import org.eclipse.equinox.p2.repository.spi.RepositoryReference;
@@ -32,7 +31,7 @@ import org.xml.sax.helpers.DefaultHandler;
* This class was initially copied from org.eclipse.update.core.model.DefaultSiteParser.
*/
public class CategoryParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private static final String PLUGIN_ID = Activator.ID;
private static final String ARCHIVE = "archive"; //$NON-NLS-1$
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
index be4972703..47c2de70a 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
@@ -16,8 +16,7 @@ import java.net.URI;
import java.util.*;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.publisher.eclipse.URLEntry;
import org.eclipse.osgi.util.NLS;
import org.w3c.dom.*;
@@ -42,7 +41,7 @@ public class DefaultSiteParser extends DefaultHandler {
private static final String BUNDLE = "bundle"; //$NON-NLS-1$
private static final String FEATURES = "features/"; //$NON-NLS-1$
private static final String PLUGINS = "plugins/"; //$NON-NLS-1$
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private static final String PLUGIN_ID = Activator.ID;
private static final String SITE = "site"; //$NON-NLS-1$
@@ -85,7 +84,7 @@ public class DefaultSiteParser extends DefaultHandler {
private static URLEntry[] getAssociateSites(String associateSitesURL) {
try {
- DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document document = builder.parse(associateSitesURL);
if (document == null)
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
index 86fabf2ce..b062065ac 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
@@ -20,6 +20,7 @@ import javax.xml.parsers.*;
import org.eclipse.core.runtime.IStatus;
import org.eclipse.core.runtime.Status;
import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.publisher.eclipse.FeatureManifestParser;
import org.eclipse.equinox.p2.publisher.eclipse.Feature;
import org.eclipse.osgi.util.NLS;
@@ -34,7 +35,7 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class DigestParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private SAXParser parser;
private final List<Feature> features = new ArrayList<Feature>();
private final FeatureManifestParser featureHandler = new FeatureManifestParser(false);
