From 93b3e5dc3aedc30e0055a10514a202ef59de3324 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Jul 2020 08:21:35 -0400 Subject: [PATCH] import postgresql-jdbc-42.2.3-3.el8_2 --- SOURCES/fix-XXE-vulnerability.patch | 752 ++++++++++++++++++++++++++++ SPECS/postgresql-jdbc.spec | 11 +- 2 files changed, 762 insertions(+), 1 deletion(-) create mode 100644 SOURCES/fix-XXE-vulnerability.patch diff --git a/SOURCES/fix-XXE-vulnerability.patch b/SOURCES/fix-XXE-vulnerability.patch new file mode 100644 index 0000000..d9c1656 --- /dev/null +++ b/SOURCES/fix-XXE-vulnerability.patch @@ -0,0 +1,752 @@ +From 3b2a73ad85da069637a73beca432950204535979 Mon Sep 17 00:00:00 2001 +From: Ondrej Dubaj +Date: Wed, 22 Jul 2020 11:39:42 +0200 +Subject: [PATCH] Fix for XXE vulnerability + +by defaulting to disabling external access and doc types. The +legacy insecure behavior can be restored via the new connection property xmlFactoryFactory +with a value of LEGACY_INSECURE. Alternatively, a custom class name can be specified that +implements org.postgresql.xml.PGXmlFactoryFactory and takes a no argument constructor. + +* refactor: Clean up whitespace in existing PgSQLXMLTest +* fix: Fix XXE vulnerability in PgSQLXML by disabling external access and doctypes +* fix: Add missing getter and setter for XML_FACTORY_FACTORY to BasicDataSource +--- + .../main/java/org/postgresql/PGProperty.java | 11 ++ + .../org/postgresql/core/BaseConnection.java | 9 ++ + .../postgresql/ds/common/BaseDataSource.java | 8 + + .../org/postgresql/jdbc/PgConnection.java | 41 +++++ + .../java/org/postgresql/jdbc/PgSQLXML.java | 44 +++--- + .../xml/DefaultPGXmlFactoryFactory.java | 141 ++++++++++++++++++ + .../xml/EmptyStringEntityResolver.java | 23 +++ + .../LegacyInsecurePGXmlFactoryFactory.java | 57 +++++++ + .../org/postgresql/xml/NullErrorHandler.java | 25 ++++ + .../postgresql/xml/PGXmlFactoryFactory.java | 30 ++++ + .../org/postgresql/jdbc/PgSQLXMLTest.java | 124 +++++++++++++++ + .../postgresql/test/jdbc2/Jdbc2TestSuite.java | 2 + + 12 files changed, 489 insertions(+), 26 deletions(-) + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java + create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java + create mode 100644 pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java + +diff --git a/pgjdbc/src/main/java/org/postgresql/PGProperty.java b/pgjdbc/src/main/java/org/postgresql/PGProperty.java +index e56e05e..7c2eed8 100644 +--- a/pgjdbc/src/main/java/org/postgresql/PGProperty.java ++++ b/pgjdbc/src/main/java/org/postgresql/PGProperty.java +@@ -331,6 +331,17 @@ public enum PGProperty { + */ + USE_SPNEGO("useSpnego", "false", "Use SPNEGO in SSPI authentication requests"), + ++ /** ++ * Factory class to instantiate factories for XML processing. ++ * The default factory disables external entity processing. ++ * Legacy behavior with external entity processing can be enabled by specifying a value of LEGACY_INSECURE. ++ * Or specify a custom class that implements {@code org.postgresql.xml.PGXmlFactoryFactory}. ++ */ ++ XML_FACTORY_FACTORY( ++ "xmlFactoryFactory", ++ "", ++ "Factory class to instantiate factories for XML processing"), ++ + /** + * Force one of + *