author | Brian de Alwis | 2017-08-30 19:47:56 +0000 |
---|---|---|
committer | Thomas Watson | 2017-09-06 12:59:25 +0000 |
commit | f94c9ac9bd27522cf55784111380d5f4aebc4bab (patch) | |
tree | f6df7429532793e4b56631a512511746172ef3e8 | |
parent | 6ab4441a4442b39f8e06608299ad0d894276a873 (diff) | |
Bug 518031 - XML External Entity Vulnerability in Eclipse IDE
Y20170921-1000 Y20170920-1000 Y20170919-1000 Y20170918-1000 Y20170917-1000 Y20170916-1000 Y20170915-1000 Y20170914-1000 Y20170913-1335 Y20170913-1000 Y20170912-1000 Y20170911-1000 Y20170907-1000 U20170928-0110 U20170927-1900 U20170927-0115 U20170926-1200 U20170922-1005 U20170922-0835 U20170922-0750 U20170921-1315 U20170921-0520 U20170921-0430 U20170921-0400 U20170914-0400 U20170913-1405 U20170913-1050 U20170913-0250 U20170912-1305 U20170912-0740 U20170907-0400 S4_7_1_aRC1 S4_7_1_RC4 R4_7_1 M20170927-1700 M20170927-0400 M20170926-1700 M20170926-1000 M20170925-0650 M20170922-1005 M20170922-0855 M20170922-0740 M20170921-1315 M20170921-0255 M20170920-2345 M20170920-1700 M20170920-0400 M20170919-1155 M20170919-0830 M20170918-1300 M20170906-1700
Ensure XML processors are configured to use
XMLConstants.FEATURE_SECURE_PROCESSING=true
to avoid accessing external DTDs and expanding external entities.
(Backport to 4.7)
Change-Id: Icabb6e0d55dd546a66ad506cde7e24a996484f1a
Signed-off-by: Brian de Alwis <bsd@mt.ca>
Signed-off-by: Thomas Watson <tjwatson@us.ibm.com>
28 files changed, 124 insertions, 40 deletions
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
index 8e7fae428..a8cf92c71 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
@@ -24,8 +24,7 @@ import java.util.*;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
 import org.eclipse.equinox.internal.p2.repository.DownloadStatus;
 import org.eclipse.equinox.internal.p2.repository.Transport;
 import org.eclipse.equinox.p2.repository.IRepository;
@@ -266,7 +265,7 @@ public class MirrorSelector {
 }
 mirrorsURL = mirrorsURL + "countryCode=" + countryCode + "&timeZone=" + timeZone + "&format=xml"; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
- DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
 DocumentBuilder builder = domFactory.newDocumentBuilder();
 Document document = null;
 // Use Transport to read the mirrors list (to benefit from proxy support, authentication, etc)
@@ -292,7 +291,7 @@ public class MirrorSelector {
 || mirrorsURL.startsWith("https://") //$NON-NLS-1$
 || mirrorsURL.startsWith("file://") //$NON-NLS-1$
 || mirrorsURL.startsWith("ftp://") //$NON-NLS-1$
- || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
+ || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
 log("Error processing mirrors URL: " + mirrorsURL, e); //$NON-NLS-1$
 return null;
 }
diff --git a/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
index 4c3a8fb40..18590e966 100644
--- a/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.equinox.p2.core;singleton:=true
-Bundle-Version: 2.4.100.qualifier
+Bundle-Version: 2.4.101.qualifier
 Bundle-ClassPath: .
 Bundle-Activator: org.eclipse.equinox.internal.p2.core.Activator
 Bundle-Vendor: %providerName
diff --git a/bundles/org.eclipse.equinox.p2.core/pom.xml b/bundles/org.eclipse.equinox.p2.core/pom.xml
index a4c2ecbcc..3d2761a9d 100644
--- a/bundles/org.eclipse.equinox.p2.core/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.core/pom.xml
@@ -9,6 +9,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.core</artifactId>
- <version>2.4.100-SNAPSHOT</version>
+ <version>2.4.101-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
new file mode 100644
index 000000000..4a0fc45c7
--- /dev/null
+++ b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * Copyright (c) 20017 Manumitting Technologies Inc and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Manumitting Technologies Inc - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.equinox.internal.p2.core.helpers;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.*;
+import org.eclipse.core.runtime.IStatus;
+import org.eclipse.core.runtime.Status;
+import org.eclipse.equinox.internal.p2.core.Activator;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+/**
+ * A utility class for processing XML data in a secure fashion,
+ * avoiding XML Entity Expansion problems
+ */
+public class SecureXMLUtil {
+ /**
+ * Create a new {@link DocumentBuilderFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static DocumentBuilderFactory newSecureDocumentBuilderFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link SAXParserFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static SAXParserFactory newSecureSAXParserFactory() {
+ SAXParserFactory factory = SAXParserFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link XMLReader} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static XMLReader newSecureXMLReader() throws SAXException {
+ XMLReader reader = XMLReaderFactory.createXMLReader();
+ try {
+ reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return reader;
+ }
+}
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
index 2d139b642..ad98f49c0 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %Bundle-Name
 Bundle-SymbolicName: org.eclipse.equinox.p2.discovery.compatibility;singleton:=true
-Bundle-Version: 1.0.200.qualifier
+Bundle-Version: 1.0.201.qualifier
 Bundle-Vendor: %Bundle-Vendor
 Bundle-RequiredExecutionEnvironment: J2SE-1.5
 Require-Bundle: org.eclipse.core.runtime;bundle-version="3.3.0",
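Review bot: In SecureXMLUtil.java all three helpers fail open: when `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` throws, the catch blocks only log a warning and the unhardened factory or reader is still returned to callers that go on to parse remote repository data. Rethrowing (for example as `IllegalStateException`, or as the `SAXException` that `newSecureXMLReader()` already declares) would keep an unsupported parser from silently handling untrusted XML. What FEATURE_SECURE_PROCESSING does about external entities also varies between JAXP implementations, so the helpers may want to switch them off explicitly as well, e.g. `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`. The class Javadoc could state which guarantees callers actually get, and the header year `20017` looks like a typo for 2017.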
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml b/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
index b580d47a5..537d3ba32 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
@@ -19,6 +19,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.discovery.compatibility</artifactId>
- <version>1.0.200-SNAPSHOT</version>
+ <version>1.0.201-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java b/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
index 251b721ad..98ec85241 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
@@ -13,12 +13,12 @@ package org.eclipse.equinox.internal.p2.discovery.compatibility;
 import java.io.IOException;
 import java.io.Reader;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.internal.p2.discovery.compatibility.Directory.Entry;
 import org.eclipse.equinox.internal.p2.discovery.compatibility.util.DefaultSaxErrorHandler;
 import org.eclipse.equinox.internal.p2.discovery.compatibility.util.IOWithCauseException;
 import org.eclipse.osgi.util.NLS;
 import org.xml.sax.*;
-import org.xml.sax.helpers.XMLReaderFactory;
 /**
 * A parser for {@link Directory directories}.
@@ -38,7 +38,7 @@ public class DirectoryParser {
 public Directory parse(Reader directoryContents) throws IOException {
 XMLReader xmlReader;
 try {
- xmlReader = XMLReaderFactory.createXMLReader();
+ xmlReader = SecureXMLUtil.newSecureXMLReader();
 } catch (SAXException e) {
 throw new IOWithCauseException(e.getMessage(), e);
 }
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
index 06c6ee6f8..b8fdf1036 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.equinox.p2.metadata.repository;singleton:=true
-Bundle-Version: 1.2.400.qualifier
+Bundle-Version: 1.2.401.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.p2.metadata.repository.Activator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
index b2d98ee6b..0ea826cd9 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
@@ -19,6 +19,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.metadata.repository</artifactId>
- <version>1.2.400-SNAPSHOT</version>
+ <version>1.2.401-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
index 63ace1841..cd7b0202a 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
@@ -15,6 +15,7 @@ import java.io.InputStream;
 import java.util.Arrays;
 import java.util.Collection;
 import javax.xml.parsers.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.internal.p2.metadata.repository.io.MetadataParser;
 import org.eclipse.equinox.internal.p2.persistence.Messages;
 import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -33,7 +34,7 @@ public class IUDeserializer {
 * Construct a new instance of the deserializer.
 */
 public IUDeserializer() {
- deserializer = new IUDeserializerParser(SAXParserFactory.newInstance());
+ deserializer = new IUDeserializerParser(SecureXMLUtil.newSecureSAXParserFactory());
 }
 /**
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
index 3b28e9fed..57a31059f 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %bundleName
 Bundle-SymbolicName: org.eclipse.equinox.p2.publisher.eclipse;singleton:=true
-Bundle-Version: 1.2.200.qualifier
+Bundle-Version: 1.2.201.qualifier
 Bundle-Activator: org.eclipse.pde.internal.publishing.Activator
 Bundle-ActivationPolicy: lazy
 Bundle-Vendor: %providerName
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml b/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
index 00d164118..69281b278 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
@@ -10,6 +10,6 @@
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.publisher.eclipse</artifactId>
- <version>1.2.200-SNAPSHOT</version>
+ <version>1.2.201-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
index 955bf2ff1..e5274dda4 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
@@ -19,6 +19,7 @@ import java.util.ArrayList;
 import java.util.List;
 import javax.xml.parsers.*;
 import org.eclipse.core.runtime.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.p2.metadata.VersionRange;
 import org.eclipse.equinox.p2.publisher.eclipse.Feature;
 import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -33,7 +34,7 @@ import org.xml.sax.helpers.DefaultHandler;
 */
 public class FeatureManifestParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
 private SAXParser parser;
 protected Feature result;
 private URL url;
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
index 2f89f0460..bfe9c256c 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
@@ -25,8 +25,7 @@ import java.util.Map.Entry;
 import javax.xml.parsers.*;
 import org.eclipse.core.runtime.*;
 import org.eclipse.equinox.frameworkadmin.BundleInfo;
-import org.eclipse.equinox.internal.p2.core.helpers.ServiceHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.URLUtil;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
 import org.eclipse.equinox.p2.metadata.IVersionedId;
 import org.eclipse.equinox.p2.metadata.VersionedId;
 import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -67,7 +66,7 @@ public class ProductFile extends DefaultHandler implements IProductDescriptor {
 private static final String PROPERTY_ECLIPSE_APPLICATION = "eclipse.application"; //$NON-NLS-1$
 private static final String PROPERTY_ECLIPSE_PRODUCT = "eclipse.product"; //$NON-NLS-1$
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
 private static final String PROGRAM_ARGS = "programArgs"; //$NON-NLS-1$
 private static final String PROGRAM_ARGS_LINUX = "programArgsLin"; //$NON-NLS-1$
diff --git a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
index 6c8562e53..212c76c5e 100644
--- a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.equinox.p2.repository;singleton:=true
-Bundle-Version: 2.3.300.qualifier
+Bundle-Version: 2.3.301.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.p2.repository.Activator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.repository/pom.xml b/bundles/org.eclipse.equinox.p2.repository/pom.xml
index ad34fe52f..28a60bf8d 100644
--- a/bundles/org.eclipse.equinox.p2.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.repository/pom.xml
@@ -9,6 +9,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.repository</artifactId>
- <version>2.3.300-SNAPSHOT</version>
+ <version>2.3.301-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
index abc7032fa..b0c84f837 100644
--- a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
+++ b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
@@ -15,8 +15,7 @@ import java.util.*;
 import javax.xml.parsers.*;
 import org.eclipse.core.runtime.*;
 import org.eclipse.equinox.internal.p2.core.Activator;
-import org.eclipse.equinox.internal.p2.core.helpers.OrderedProperties;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
 import org.eclipse.equinox.p2.metadata.Version;
 import org.eclipse.equinox.p2.metadata.VersionRange;
 import org.eclipse.osgi.util.NLS;
@@ -72,7 +71,16 @@ public abstract class XMLParser extends DefaultHandler implements XMLConstants {
 xmlTracker = new ServiceTracker<SAXParserFactory, SAXParserFactory>(context, SAXParserFactory.class, null);
 xmlTracker.open();
 }
- return xmlTracker.getService();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ SAXParserFactory factory = xmlTracker.getService();
+ try {
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
 }
 protected synchronized static void releaseXMLParsing() {
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
index b3688d8b1..dea79245c 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.equinox.p2.touchpoint.eclipse;singleton:=true
-Bundle-Version: 2.1.500.qualifier
+Bundle-Version: 2.1.501.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.p2.touchpoint.eclipse.Activator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
index 8a5ef79c7..3c8ae9f15 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
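Review bot: In the XMLParser.java hunk `xmlTracker.getService()` can return null when no SAXParserFactory service is registered, and the added `factory.setFeature(...)` then throws a NullPointerException where the old code handed null back to the caller. A guard such as `if (factory == null) return null;` before the `try` would keep the previous contract; the callers are outside this hunk, so how they treat null needs confirming. The factory here is a shared OSGi service object rather than a fresh instance, so the feature is set on something other bundles may also use, and it is set again on every call. The try/catch also duplicates `SecureXMLUtil.newSecureSAXParserFactory()`; a helper there that hardens an existing factory would keep the two from drifting. The enclosing method starts outside the hunk.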
@@ -9,6 +9,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.touchpoint.eclipse</artifactId>
- <version>2.1.500-SNAPSHOT</version>
+ <version>2.1.501-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
index da32cc115..d5297eb8f 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
@@ -16,6 +16,7 @@ import java.util.ArrayList;
 import java.util.StringTokenizer;
 import javax.xml.parsers.*;
 import org.eclipse.core.runtime.URIUtil;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.p2.core.ProvisionException;
 import org.eclipse.osgi.util.NLS;
 import org.w3c.dom.*;
@@ -177,7 +178,7 @@ public class ConfigurationParser implements ConfigurationConstants {
 */
 private Document load(InputStream input) throws ParserConfigurationException, IOException, SAXException {
 // load the feature xml
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = SecureXMLUtil.newSecureDocumentBuilderFactory();
 DocumentBuilder builder = factory.newDocumentBuilder();
 input = new BufferedInputStream(input);
 try {
diff --git a/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
index 7e7a0604a..4511fcd58 100644
--- a/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %bundleName
 Bundle-SymbolicName: org.eclipse.equinox.p2.ui;singleton:=true
-Bundle-Version: 2.5.0.qualifier
+Bundle-Version: 2.5.1.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.p2.ui.ProvUIActivator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.ui/pom.xml b/bundles/org.eclipse.equinox.p2.ui/pom.xml
index d80f7033f..1ca11291d 100644
--- a/bundles/org.eclipse.equinox.p2.ui/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.ui/pom.xml
@@ -19,6 +19,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.ui</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.5.1-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java b/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
index b0173c2cc..192667109 100644
--- a/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
+++ b/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
@@ -17,6 +17,7 @@ import java.util.Iterator;
 import java.util.Vector;
 import javax.xml.parsers.*;
 import org.eclipse.core.runtime.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.internal.p2.ui.model.MetadataRepositoryElement;
 import org.eclipse.equinox.p2.engine.IProvisioningPlan;
 import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -41,7 +42,6 @@ public class UpdateManagerCompatibility {
 // This value was copied from MetadataGeneratorHelper. Must be the same.
 private static final String ECLIPSE_INSTALL_HANDLER_PROP = "org.eclipse.update.installHandler"; //$NON-NLS-1$
- private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
 private static void parse(String fileName, Vector<MetadataRepositoryElement> bookmarks) {
 File file = new File(fileName);
@@ -49,6 +49,7 @@ public class UpdateManagerCompatibility {
 return;
 try {
+ DocumentBuilderFactory documentBuilderFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
 documentBuilderFactory.setNamespaceAware(true);
 DocumentBuilder parser = documentBuilderFactory.newDocumentBuilder();
 Document doc = parser.parse(file);
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
index 69b7047c1..51a21af1c 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@ Manifest-Version: 1.0
 Bundle-ManifestVersion: 2
 Bundle-Name: %pluginName
 Bundle-SymbolicName: org.eclipse.equinox.p2.updatesite;singleton:=true
-Bundle-Version: 1.0.600.qualifier
+Bundle-Version: 1.0.601.qualifier
 Bundle-Activator: org.eclipse.equinox.internal.p2.updatesite.Activator
 Bundle-Vendor: %providerName
 Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/pom.xml b/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
index ea87f73b6..8cd3b6ae7 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
@@ -9,6 +9,6 @@
 </parent>
 <groupId>org.eclipse.equinox</groupId>
 <artifactId>org.eclipse.equinox.p2.updatesite</artifactId>
- <version>1.0.600-SNAPSHOT</version>
+ <version>1.0.601-SNAPSHOT</version>
 <packaging>eclipse-plugin</packaging>
 </project>
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
index 6871ab164..61501dc6a 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
@@ -18,8 +18,7 @@ import java.net.URISyntaxException;
 import java.util.*;
 import javax.xml.parsers.*;
 import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
 import org.eclipse.equinox.p2.publisher.eclipse.URLEntry;
 import org.eclipse.equinox.p2.repository.IRepository;
 import org.eclipse.equinox.p2.repository.spi.RepositoryReference;
@@ -32,7 +31,7 @@ import org.xml.sax.helpers.DefaultHandler;
 * This class was initially copied from org.eclipse.update.core.model.DefaultSiteParser.
 */
 public class CategoryParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
 private static final String PLUGIN_ID = Activator.ID;
 private static final String ARCHIVE = "archive"; //$NON-NLS-1$
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
index be4972703..47c2de70a 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
@@ -16,8 +16,7 @@ import java.net.URI;
 import java.util.*;
 import javax.xml.parsers.*;
 import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
 import org.eclipse.equinox.p2.publisher.eclipse.URLEntry;
 import org.eclipse.osgi.util.NLS;
 import org.w3c.dom.*;
@@ -42,7 +41,7 @@ public class DefaultSiteParser extends DefaultHandler {
 private static final String BUNDLE = "bundle"; //$NON-NLS-1$
 private static final String FEATURES = "features/"; //$NON-NLS-1$
 private static final String PLUGINS = "plugins/"; //$NON-NLS-1$
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
 private static final String PLUGIN_ID = Activator.ID;
 private static final String SITE = "site"; //$NON-NLS-1$
@@ -85,7 +84,7 @@ public class DefaultSiteParser extends DefaultHandler {
 private static URLEntry[] getAssociateSites(String associateSitesURL) {
 try {
- DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
 DocumentBuilder builder = domFactory.newDocumentBuilder();
 Document document = builder.parse(associateSitesURL);
 if (document == null)
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
index 86fabf2ce..b062065ac 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
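Review bot: In the third DefaultSiteParser.java hunk, `builder.parse(associateSitesURL)` still lets the JAXP parser open the URL string itself, so the hardened factory covers entity handling but not which location the document is fetched from. If `associateSitesURL` is taken from a remote site.xml (its origin is outside the hunk), checking the scheme before parsing, or reading through p2's `Transport` as MirrorSelector does for the mirrors list, would close that gap. A comment above the call stating where the URL comes from and which schemes are expected would help the next reader. getAssociateSites continues past the end of the hunk.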
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
@@ -20,6 +20,7 @@ import javax.xml.parsers.*;
 import org.eclipse.core.runtime.IStatus;
 import org.eclipse.core.runtime.Status;
 import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
 import org.eclipse.equinox.internal.p2.publisher.eclipse.FeatureManifestParser;
 import org.eclipse.equinox.p2.publisher.eclipse.Feature;
 import org.eclipse.osgi.util.NLS;
@@ -34,7 +35,7 @@ import org.xml.sax.helpers.DefaultHandler;
 */
 public class DigestParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
 private SAXParser parser;
 private final List<Feature> features = new ArrayList<Feature>();
 private final FeatureManifestParser featureHandler = new FeatureManifestParser(false); |