From: Markus Koschany
Date: Mon, 24 Feb 2020 12:33:58 +0100
Subject: CVE-2018-1000825
Bug-Debian: https://bugs.debian.org/917023
Origin: https://github.com/FreeCol/freecol/commit/8963506897e3270a75b062f28486934bcb79b1e3
---
 src/net/sf/freecol/common/io/FreeColXMLReader.java | 19 +++++++++++++++++--
 src/net/sf/freecol/common/model/FreeColObject.java | 3 +++
 src/net/sf/freecol/common/networking/Connection.java | 3 +++
 src/net/sf/freecol/common/networking/DOMMessage.java | 3 +++
 src/net/sf/freecol/tools/GenerateDocumentation.java | 3 +++
 5 files changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/net/sf/freecol/common/io/FreeColXMLReader.java b/src/net/sf/freecol/common/io/FreeColXMLReader.java
index dd78a40..abbaba6 100644
--- a/src/net/sf/freecol/common/io/FreeColXMLReader.java
+++ b/src/net/sf/freecol/common/io/FreeColXMLReader.java
@@ -88,7 +88,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
 super();
 try {
- XMLInputFactory xif = XMLInputFactory.newInstance();
+ XMLInputFactory xif = newXMLInputFactory();
 setParent(xif.createXMLStreamReader(inputStream, "UTF-8"));
 } catch (XMLStreamException e) {
 throw new IOException(e);
@@ -109,7 +109,7 @@ public class FreeColXMLReader extends StreamReaderDelegate
 super();
 try {
- XMLInputFactory xif = XMLInputFactory.newInstance();
+ XMLInputFactory xif = newXMLInputFactory();
 setParent(xif.createXMLStreamReader(reader));
 } catch (XMLStreamException e) {
 throw new IOException(e);
@@ -118,6 +118,21 @@ public class FreeColXMLReader extends StreamReaderDelegate
 this.readScope = ReadScope.NORMAL;
 }
+ /**
+ * Create a new XMLInputFactory.
+ *
+ * Respond to CVE 2018-1000825.
+ *
+ * @return A new XMLInputFactory.
+ */
+ private static XMLInputFactory newXMLInputFactory() {
+ XMLInputFactory xif = XMLInputFactory.newInstance();
+ // This disables DTDs entirely for that factory
+ xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+ // disable external entities
+ xif.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
+ return xif;
+ }
 /**
 * Should reads from this stream intern their objects into the
diff --git a/src/net/sf/freecol/common/model/FreeColObject.java b/src/net/sf/freecol/common/model/FreeColObject.java
index 01c9887..d8f3754 100644
--- a/src/net/sf/freecol/common/model/FreeColObject.java
+++ b/src/net/sf/freecol/common/model/FreeColObject.java
@@ -49,6 +49,7 @@ import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
 import net.sf.freecol.common.ObjectWithId;
 import net.sf.freecol.common.io.FreeColXMLReader;
@@ -895,6 +896,8 @@ public abstract class FreeColObject
 public void readFromXMLElement(Element element) {
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer xmlTransformer = factory.newTransformer();
 StringWriter stringWriter = new StringWriter();
 xmlTransformer.transform(new DOMSource(element),
diff --git a/src/net/sf/freecol/common/networking/Connection.java b/src/net/sf/freecol/common/networking/Connection.java
index f88d2ed..48954bd 100644
--- a/src/net/sf/freecol/common/networking/Connection.java
+++ b/src/net/sf/freecol/common/networking/Connection.java
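Review bot: In `newXMLInputFactory()` (FreeColXMLReader.java) the second `setProperty` call spells the property name as a string literal; the JDK constant says the same thing and cannot drift: `xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);`. The Javadoc only says "Respond to CVE 2018-1000825", so a later maintainer cannot tell which behaviour has to be preserved; I would state it, e.g. `Create an XMLInputFactory with DTD support and external entity resolution disabled, so parsed XML cannot pull in external resources.` Both `setProperty` calls throw `IllegalArgumentException` on a StAX implementation that rejects the property, and the two constructors in the earlier hunks catch only `XMLStreamException`. Failing closed there seems right, but a `@throws IllegalArgumentException` line would make it a documented decision rather than an accident.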
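Review bot: `TransformerFactory.setAttribute` throws `IllegalArgumentException` when the underlying implementation does not recognise the attribute, and the two added lines in `readFromXMLElement` (FreeColObject.java) sit inside a `try` whose catch clauses are outside this hunk, so whether that case is handled cannot be seen here. The same two lines are repeated in Connection.java, in `elementToString` in DOMMessage.java and in GenerateDocumentation.java. A single private static helper in the style of `newXMLInputFactory()` would keep the four sites from drifting, and would be the natural place to add `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. In FreeColObject and DOMMessage the transformer visibly only serialises an existing `DOMSource`, so the parser that builds that DOM from incoming data (not shown in this patch) is worth checking for equivalent hardening.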
@@ -40,6 +40,7 @@ import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
 import net.sf.freecol.common.FreeColException;
 import net.sf.freecol.common.debug.FreeColDebugger;
@@ -101,6 +102,8 @@ public class Connection implements Closeable {
 Transformer myTransformer = null;
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 myTransformer = factory.newTransformer();
 myTransformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
diff --git a/src/net/sf/freecol/common/networking/DOMMessage.java b/src/net/sf/freecol/common/networking/DOMMessage.java
index 7181a7d..8fe7295 100644
--- a/src/net/sf/freecol/common/networking/DOMMessage.java
+++ b/src/net/sf/freecol/common/networking/DOMMessage.java
@@ -37,6 +37,7 @@ import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
+import javax.xml.XMLConstants;
 import net.sf.freecol.common.io.FreeColXMLWriter;
 import net.sf.freecol.common.debug.FreeColDebugger;
@@ -448,6 +449,8 @@ public class DOMMessage {
 public static String elementToString(Element element) {
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Transformer xt = factory.newTransformer();
 StringWriter sw = new StringWriter();
 xt.transform(new DOMSource(element), new StreamResult(sw));
diff --git a/src/net/sf/freecol/tools/GenerateDocumentation.java b/src/net/sf/freecol/tools/GenerateDocumentation.java
index aac0f55..a52cf5b 100644
--- a/src/net/sf/freecol/tools/GenerateDocumentation.java
+++ b/src/net/sf/freecol/tools/GenerateDocumentation.java
@@ -35,6 +35,7 @@ import javax.xml.transform.Source;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
+import javax.xml.XMLConstants;
 import net.sf.freecol.common.i18n.Messages;
 import net.sf.freecol.common.model.StringTemplate;
@@ -192,6 +193,8 @@ public class GenerateDocumentation {
 Messages.loadMessageBundle(Messages.getLocale(languageCode));
 try {
 TransformerFactory factory = TransformerFactory.newInstance();
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
 Source xsl = new StreamSource(new File("doc", XSL));
 Transformer stylesheet;
 try {
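Review bot: In GenerateDocumentation.java the factory goes on to compile a stylesheet from `new File("doc", XSL)`, and an empty `ACCESS_EXTERNAL_STYLESHEET` denies every protocol, `file` included, for `xsl:import` and `xsl:include`. If the stylesheet under `doc/` uses either, documentation generation would start failing. That cannot be seen from this hunk, so the tool is worth running once against the patched build. Should local includes be needed, `factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "file");` allows them while remote fetches stay blocked. The enclosing method starts and ends outside the hunk.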