diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..0d3bdf2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +/pgjdbc-REL42.2.3.tar.gz +/pgjdbc-parent-poms-REL1.1.5.tar.gz diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/disable-ConnectTimeoutTest.patch b/disable-ConnectTimeoutTest.patch new file mode 100644 index 0000000..420d6ab --- /dev/null +++ b/disable-ConnectTimeoutTest.patch @@ -0,0 +1,13 @@ +diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java +index 188183a..c0e4cca 100644 +--- a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java ++++ b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java +@@ -104,7 +104,7 @@ import org.junit.runners.Suite; + LoginTimeoutTest.class, + TestACL.class, + +- ConnectTimeoutTest.class, ++ // ConnectTimeoutTest.class, + + PGPropertyTest.class, + diff --git a/fix-XXE-vulnerability.patch b/fix-XXE-vulnerability.patch new file mode 100644 index 0000000..d9c1656 --- /dev/null +++ b/fix-XXE-vulnerability.patch @@ -0,0 +1,752 @@ +From 3b2a73ad85da069637a73beca432950204535979 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Wed, 22 Jul 2020 11:39:42 +0200 +Subject: [PATCH] Fix for XXE vulnerability + +by defaulting to disabling external access and doc types. The +legacy insecure behavior can be restored via the new connection property xmlFactoryFactory +with a value of LEGACY_INSECURE. Alternatively, a custom class name can be specified that +implements org.postgresql.xml.PGXmlFactoryFactory and takes a no argument constructor. + +* refactor: Clean up whitespace in existing PgSQLXMLTest +* fix: Fix XXE vulnerability in PgSQLXML by disabling external access and doctypes +* fix: Add missing getter and setter for XML_FACTORY_FACTORY to BasicDataSource +--- + .../main/java/org/postgresql/PGProperty.java | 11 ++ + .../org/postgresql/core/BaseConnection.java | 9 ++ + .../postgresql/ds/common/BaseDataSource.java | 8 + + .../org/postgresql/jdbc/PgConnection.java | 41 +++++ + .../java/org/postgresql/jdbc/PgSQLXML.java | 44 +++--- + .../xml/DefaultPGXmlFactoryFactory.java | 141 ++++++++++++++++++ + .../xml/EmptyStringEntityResolver.java | 23 +++ + .../LegacyInsecurePGXmlFactoryFactory.java | 57 +++++++ + .../org/postgresql/xml/NullErrorHandler.java | 25 ++++ + .../postgresql/xml/PGXmlFactoryFactory.java | 30 ++++ + .../org/postgresql/jdbc/PgSQLXMLTest.java | 124 +++++++++++++++ + .../postgresql/test/jdbc2/Jdbc2TestSuite.java | 2 + + 12 files changed, 489 insertions(+), 26 deletions(-) + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java + +diff --git a/pgjdbc/src/main/java/org/postgresql/PGProperty.java b/pgjdbc/src/main/java/org/postgresql/PGProperty.java +index e56e05e..7c2eed8 100644 +--- a/pgjdbc/src/main/java/org/postgresql/PGProperty.java ++++ b/pgjdbc/src/main/java/org/postgresql/PGProperty.java +@@ -331,6 +331,17 @@ public enum PGProperty { + */ + USE_SPNEGO("useSpnego", "false", "Use SPNEGO in SSPI authentication requests"), + ++ /** ++ * Factory class to instantiate factories for XML processing. ++ * The default factory disables external entity processing. ++ * Legacy behavior with external entity processing can be enabled by specifying a value of LEGACY_INSECURE. ++ * Or specify a custom class that implements {@code org.postgresql.xml.PGXmlFactoryFactory}. ++ */ ++ XML_FACTORY_FACTORY( ++ "xmlFactoryFactory", ++ "", ++ "Factory class to instantiate factories for XML processing"), ++ + /** + * Force one of + *