diff --git a/.gitignore b/.gitignore
index 0d3bdf2..3227c63 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 /pgjdbc-REL42.2.3.tar.gz
 /pgjdbc-parent-poms-REL1.1.5.tar.gz
+/postgresql-42.2.14-src.tar.gz
diff --git a/disable-ConnectTimeoutTest.patch b/disable-ConnectTimeoutTest.patch
deleted file mode 100644
index 420d6ab..0000000
--- a/disable-ConnectTimeoutTest.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
-index 188183a..c0e4cca 100644
---- a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
-+++ b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
-@@ -104,7 +104,7 @@ import org.junit.runners.Suite;
- LoginTimeoutTest.class,
- TestACL.class,
-
-- ConnectTimeoutTest.class,
-+ // ConnectTimeoutTest.class,
-
- PGPropertyTest.class,
-
diff --git a/fix-XXE-vulnerability.patch b/fix-XXE-vulnerability.patch
deleted file mode 100644
index d9c1656..0000000
--- a/fix-XXE-vulnerability.patch
+++ /dev/null
@@ -1,752 +0,0 @@
-From 3b2a73ad85da069637a73beca432950204535979 Mon Sep 17 00:00:00 2001
-From: Ondrej Dubaj
-Date: Wed, 22 Jul 2020 11:39:42 +0200
-Subject: [PATCH] Fix for XXE vulnerability
-
-by defaulting to disabling external access and doc types. The
-legacy insecure behavior can be restored via the new connection property xmlFactoryFactory
-with a value of LEGACY_INSECURE. Alternatively, a custom class name can be specified that
-implements org.postgresql.xml.PGXmlFactoryFactory and takes a no argument constructor.
-
-* refactor: Clean up whitespace in existing PgSQLXMLTest
-* fix: Fix XXE vulnerability in PgSQLXML by disabling external access and doctypes
-* fix: Add missing getter and setter for XML_FACTORY_FACTORY to BasicDataSource
----
- .../main/java/org/postgresql/PGProperty.java | 11 ++
- .../org/postgresql/core/BaseConnection.java | 9 ++
- .../postgresql/ds/common/BaseDataSource.java | 8 +
- .../org/postgresql/jdbc/PgConnection.java | 41 +++++
- .../java/org/postgresql/jdbc/PgSQLXML.java | 44 +++---
- .../xml/DefaultPGXmlFactoryFactory.java | 141 ++++++++++++++++++
- .../xml/EmptyStringEntityResolver.java | 23 +++
- .../LegacyInsecurePGXmlFactoryFactory.java | 57 +++++++
- .../org/postgresql/xml/NullErrorHandler.java | 25 ++++
- .../postgresql/xml/PGXmlFactoryFactory.java | 30 ++++
- .../org/postgresql/jdbc/PgSQLXMLTest.java | 124 +++++++++++++++
- .../postgresql/test/jdbc2/Jdbc2TestSuite.java | 2 +
- 12 files changed, 489 insertions(+), 26 deletions(-)
- create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java
- create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java
- create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java
- create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java
- create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java
- create mode 100644 pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java
-
-diff --git a/pgjdbc/src/main/java/org/postgresql/PGProperty.java b/pgjdbc/src/main/java/org/postgresql/PGProperty.java
-index e56e05e..7c2eed8 100644
---- a/pgjdbc/src/main/java/org/postgresql/PGProperty.java
-+++ b/pgjdbc/src/main/java/org/postgresql/PGProperty.java
-@@ -331,6 +331,17 @@ public enum PGProperty {
- */
- USE_SPNEGO("useSpnego", "false", "Use SPNEGO in SSPI authentication requests"),
-
-+ /**
-+ * Factory class to instantiate factories for XML processing.
-+ * The default factory disables external entity processing.
-+ * Legacy behavior with external entity processing can be enabled by specifying a value of LEGACY_INSECURE.
-+ * Or specify a custom class that implements {@code org.postgresql.xml.PGXmlFactoryFactory}.
-+ */
-+ XML_FACTORY_FACTORY(
-+ "xmlFactoryFactory",
-+ "",
-+ "Factory class to instantiate factories for XML processing"),
-+
- /**
- * Force one of
- *