ilfat has added af5b38c2bd
Fix CVE-2019-13990
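--- /dev/null
+++ b/CVE-2019-13990.patch
@@ -0,0 +1,92 @@
+commit a961d9a9af5f457a12838aa9e28db385b051603d
+Author: Jonathan Gallimore <jon@jrg.me.uk>
+Date:   Tue Aug 6 10:36:16 2019 +0100
+
+    Issue #467 provide XML parser with a strong configuration to prevent XXE attacks
+
+diff --git a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+index 0a074ebb..506651a8 100644
+--- a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
++++ b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+@@ -173,7 +173,14 @@ public class XMLSchedulingDataProcessor implements ErrorHandler {
+         docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", "http://www.w3.org/2001/XMLSchema");
+         
+         docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
+-        
++
++        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
++        docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
++        docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
++        docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
++        docBuilderFactory.setXIncludeAware(false);
++        docBuilderFactory.setExpandEntityReferences(false);
++
+         docBuilder = docBuilderFactory.newDocumentBuilder();
+         
+         docBuilder.setErrorHandler(this);
+diff --git a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+index 4aeb6464..ae8fc298 100755
+--- a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
++++ b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+@@ -30,6 +30,7 @@ import org.quartz.simpl.CascadingClassLoadHelper;
+ import org.quartz.simpl.SimpleThreadPool;
+ import org.quartz.spi.ClassLoadHelper;
+ import org.quartz.utils.DBConnectionManager;
++import org.xml.sax.SAXParseException;
+ 
+ /**
+  * Unit test for XMLSchedulingDataProcessor.
+@@ -204,6 +205,31 @@ public class XMLSchedulingDataProcessorTest extends TestCase {
+    		}
+    	}
+ 
++    public void testXmlParserConfiguration() throws Exception {
++		Scheduler scheduler = null;
++		try {
++			StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
++			scheduler = factory.getScheduler();
++			ClassLoadHelper clhelper = new CascadingClassLoadHelper();
++			clhelper.initialize();
++			XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
++			processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
++
++
++			final JobKey jobKey = scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
++			final JobDetail jobDetail = scheduler.getJobDetail(jobKey);
++			final String description = jobDetail.getDescription();
++
++
++			fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
++		} catch (SAXParseException e) {
++			assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
++		} finally {
++			if (scheduler != null)
++				scheduler.shutdown();
++		}
++	}
++
+ 	private Date dateOfGMT_UTC(int hour, int minute, int second, int dayOfMonth, int month, int year) {
+ 		final GregorianCalendar calendar = new GregorianCalendar(TimeZone.getTimeZone("GMT"));
+ 		calendar.set(year, month, dayOfMonth, hour, minute, second);
+diff --git a/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+new file mode 100755
+index 00000000..9aeb5673
+--- /dev/null
++++ b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
+@@ -0,0 +1,15 @@
++<?xml version="1.0" encoding="UTF-8"?>
++<!DOCTYPE foo [<!ELEMENT foo ANY >
++		<!ENTITY xxe SYSTEM "/" >]>
++<job-scheduling-data xmlns="http://www.quartz-scheduler.org/xml/JobSchedulingData" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.quartz-scheduler.org/xml/JobSchedulingData http://www.quartz-scheduler.org/xml/job_scheduling_data_2_0.xsd" version="2.0">
++	<schedule>
++		<job>
++			<name>xxe</name>
++			<group>native</group>
++			<description>&xxe;</description>
++			<job-class>org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob</job-class>
++			<durability>true</durability>
++			<recover>false</recover>
++		</job>
++	</schedule>
++</job-scheduling-data>
+\ No newline at end of file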
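Review bot: The hardening in XMLSchedulingDataProcessor hinges on the Xerces-specific feature `http://apache.org/xml/features/disallow-doctype-decl`, and the new test pins the Xerces wording with `assertTrue(e.getMessage().contains("DOCTYPE is disallowed"))`, so on a different JAXP provider the `setFeature` call should fail with ParserConfigurationException (fail-closed, but with no hint why) while the test would break on message text rather than on behaviour. A comment above the run of `setFeature` calls would make the intent and layering explicit: `// Reject any DOCTYPE outright (XXE, CVE-2019-13990); the entity/DTD/XInclude settings below are defence in depth for providers without disallow-doctype-decl.` In the test, asserting only on the SAXParseException type, or additionally checking that no job was registered in group "native" after the failure, would be more portable than matching the message. The method that configures docBuilderFactory starts and ends outside the hunk, so whether its callers handle the exception is not visible here.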
... ... --- a/quartz.spec
... ... +++ b/quartz.spec
... ... @@ -1,13 +1,14 @@
1 1
Summary:        Enterprise Job Scheduler for Java
2 2
Name:           quartz
3 3
Version:        2.2.1
4
Release:        10
4
Release:        11
5 5
Epoch:          0
6 6
License:        ASL 2.0
7 7
URL:            http://www.quartz-scheduler.org/
8 8
# svn export http://svn.terracotta.org/svn/quartz/tags/quartz-2.2.1
9 9
# tar caf quartz-2.2.1.tar.xz quartz-2.2.1
10 10
Source0:        %{name}-%{version}.tar.xz
11
Patch0:		CVE-2019-13990.patch
11 12
12 13
BuildRequires:  maven-local
13 14
BuildRequires:  maven-antrun-plugin
... ... @@ -56,7 +57,7 @@ Summary: API docs for %{name}
57 57
This package contains the API Documentation for %{name}.
58 58
59 59
%prep
60
%setup -q
60
%autosetup -p1
61 61
# Unwated modules
62 62
%pom_disable_module quartz-jboss
63 63
%pom_disable_module quartz-oracle
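Review bot: `Patch0:		CVE-2019-13990.patch` is aligned with tab characters while every other tag in the preamble (`Source0:`, `BuildRequires:`) is padded with spaces; `Patch0:         CVE-2019-13990.patch` keeps the column layout consistent. Whether the upstream hunks apply cleanly to the 2.2.1 tarball named in `Source0` is not visible from this page; `%autosetup -p1` will abort the build if the context does not match, which at least fails closed rather than silently shipping without the fix.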
