Backport fix for #2589 as well as #1279, preparing for 2.6.7.4 micro-…
…patch
cowtowncoder committed Oct 25, 2020
1 parent 74aba40 commit b59b611
Showing 2 changed files with 25 additions and 1 deletion.
5 changes: 4 additions & 1 deletion release-notes/VERSION
Expand Up @@ -4,12 +4,15 @@ Project: jackson-databind
=== Releases ===
------------------------------------------------------------------------

2.6.7.4 (not yet released)
2.6.7.4 (25-Oct-2020)

Backported all CVE fixes up to 2.9.10.6

#1279: Ensure DOM parsing defaults to not expanding external entities
#2469: Block one more gadget type (xalan2)
#2526: Block two more gadget types (ehcache/JNDI - CVE-2019-20330)
#2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external
entity expansion in all cases [CVE-2020-25649]
#2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
#2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
Expand Up @@ -2,7 +2,9 @@

import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Node;
Expand All @@ -25,6 +27,25 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
_parserFactory = DocumentBuilderFactory.newInstance();
// yup, only cave men do XML without recognizing namespaces...
_parserFactory.setNamespaceAware(true);
// [databind#1279]: make sure external entities NOT expanded by default
_parserFactory.setExpandEntityReferences(false);
// ... and in general, aim for "safety"
try {
_parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
} catch(ParserConfigurationException pce) {
// not much point to do anything; could log but...
} catch (Error e) {
// 14-Jul-2016, tatu: Not sure how or why, but during code coverage runs
// (via Cobertura) we get `java.lang.AbstractMethodError` so... ignore that too
}

// [databind#2589] add two more settings just in case
try {
_parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
} catch (Throwable t) { } // as per previous one, nothing much to do
try {
_parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
} catch (Throwable t) { } // as per previous one, nothing much to do
}

protected DOMDeserializer(Class<T> cls) { super(cls); }
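Review bot: The two new `catch (Throwable t) { }` blocks at the end of the second hunk leave no trace when the JAXP implementation does not recognise the Apache-specific feature URIs, so on a non-Xerces parser the factory silently ends up without the doctype block that is the actual fix for #2589; the earlier catch at least records why failure is tolerated, so these should carry the same reasoning in a comment rather than an inline `{ }`, and catching `Throwable` here also swallows `Error` subclasses such as `OutOfMemoryError` where `catch (ParserConfigurationException | RuntimeException | Error e)` mirroring the first block would be narrower. Since `disallow-doctype-decl` is vendor-specific while `setExpandEntityReferences(false)` alone is what #2589 found insufficient, it would be worth also setting the standard SAX features `_parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `_parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` in the same guarded style, and `_parserFactory.setXIncludeAware(false);` so that parsers which ignore the Apache URI still refuse external entities. The comment `// [databind#2589] add two more settings just in case` should say what the settings are for, e.g. `// [databind#2589]: block DOCTYPE declarations and external DTD loading so entity expansion cannot be re-enabled by the document itself`. The enclosing static initializer begins before the hunk, so its opening and any earlier feature settings are not visible here.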
