Auto sync2gitlab import of postgresql-jdbc-42.2.14-1.el8.src.rpm
This commit is contained in:
parent
057d6028fb
commit
a5444101db
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,2 +1,3 @@
|
|||||||
/pgjdbc-REL42.2.3.tar.gz
|
/pgjdbc-REL42.2.3.tar.gz
|
||||||
/pgjdbc-parent-poms-REL1.1.5.tar.gz
|
/pgjdbc-parent-poms-REL1.1.5.tar.gz
|
||||||
|
/postgresql-42.2.14-src.tar.gz
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
|
|
||||||
index 188183a..c0e4cca 100644
|
|
||||||
--- a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
|
|
||||||
+++ b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
|
|
||||||
@@ -104,7 +104,7 @@ import org.junit.runners.Suite;
|
|
||||||
LoginTimeoutTest.class,
|
|
||||||
TestACL.class,
|
|
||||||
|
|
||||||
- ConnectTimeoutTest.class,
|
|
||||||
+ // ConnectTimeoutTest.class,
|
|
||||||
|
|
||||||
PGPropertyTest.class,
|
|
||||||
|
|
@ -1,752 +0,0 @@
|
|||||||
From 3b2a73ad85da069637a73beca432950204535979 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Ondrej Dubaj <odubaj@redhat.com>
|
|
||||||
Date: Wed, 22 Jul 2020 11:39:42 +0200
|
|
||||||
Subject: [PATCH] Fix for XXE vulnerability
|
|
||||||
|
|
||||||
by defaulting to disabling external access and doc types. The
|
|
||||||
legacy insecure behavior can be restored via the new connection property xmlFactoryFactory
|
|
||||||
with a value of LEGACY_INSECURE. Alternatively, a custom class name can be specified that
|
|
||||||
implements org.postgresql.xml.PGXmlFactoryFactory and takes a no argument constructor.
|
|
||||||
|
|
||||||
* refactor: Clean up whitespace in existing PgSQLXMLTest
|
|
||||||
* fix: Fix XXE vulnerability in PgSQLXML by disabling external access and doctypes
|
|
||||||
* fix: Add missing getter and setter for XML_FACTORY_FACTORY to BasicDataSource
|
|
||||||
---
|
|
||||||
.../main/java/org/postgresql/PGProperty.java | 11 ++
|
|
||||||
.../org/postgresql/core/BaseConnection.java | 9 ++
|
|
||||||
.../postgresql/ds/common/BaseDataSource.java | 8 +
|
|
||||||
.../org/postgresql/jdbc/PgConnection.java | 41 +++++
|
|
||||||
.../java/org/postgresql/jdbc/PgSQLXML.java | 44 +++---
|
|
||||||
.../xml/DefaultPGXmlFactoryFactory.java | 141 ++++++++++++++++++
|
|
||||||
.../xml/EmptyStringEntityResolver.java | 23 +++
|
|
||||||
.../LegacyInsecurePGXmlFactoryFactory.java | 57 +++++++
|
|
||||||
.../org/postgresql/xml/NullErrorHandler.java | 25 ++++
|
|
||||||
.../postgresql/xml/PGXmlFactoryFactory.java | 30 ++++
|
|
||||||
.../org/postgresql/jdbc/PgSQLXMLTest.java | 124 +++++++++++++++
|
|
||||||
.../postgresql/test/jdbc2/Jdbc2TestSuite.java | 2 +
|
|
||||||
12 files changed, 489 insertions(+), 26 deletions(-)
|
|
||||||
create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java
|
|
||||||
create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java
|
|
||||||
create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java
|
|
||||||
create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java
|
|
||||||
create mode 100644 pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java
|
|
||||||
create mode 100644 pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java
|
|
||||||
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/PGProperty.java b/pgjdbc/src/main/java/org/postgresql/PGProperty.java
|
|
||||||
index e56e05e..7c2eed8 100644
|
|
||||||
--- a/pgjdbc/src/main/java/org/postgresql/PGProperty.java
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/PGProperty.java
|
|
||||||
@@ -331,6 +331,17 @@ public enum PGProperty {
|
|
||||||
*/
|
|
||||||
USE_SPNEGO("useSpnego", "false", "Use SPNEGO in SSPI authentication requests"),
|
|
||||||
|
|
||||||
+ /**
|
|
||||||
+ * Factory class to instantiate factories for XML processing.
|
|
||||||
+ * The default factory disables external entity processing.
|
|
||||||
+ * Legacy behavior with external entity processing can be enabled by specifying a value of LEGACY_INSECURE.
|
|
||||||
+ * Or specify a custom class that implements {@code org.postgresql.xml.PGXmlFactoryFactory}.
|
|
||||||
+ */
|
|
||||||
+ XML_FACTORY_FACTORY(
|
|
||||||
+ "xmlFactoryFactory",
|
|
||||||
+ "",
|
|
||||||
+ "Factory class to instantiate factories for XML processing"),
|
|
||||||
+
|
|
||||||
/**
|
|
||||||
* Force one of
|
|
||||||
* <ul>
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java b/pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java
|
|
||||||
index 1d316a0..5f85964 100644
|
|
||||||
--- a/pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java
|
|
||||||
@@ -9,6 +9,7 @@ import org.postgresql.PGConnection;
|
|
||||||
import org.postgresql.jdbc.FieldMetadata;
|
|
||||||
import org.postgresql.jdbc.TimestampUtils;
|
|
||||||
import org.postgresql.util.LruCache;
|
|
||||||
+import org.postgresql.xml.PGXmlFactoryFactory;
|
|
||||||
|
|
||||||
import java.sql.Connection;
|
|
||||||
import java.sql.ResultSet;
|
|
||||||
@@ -202,4 +203,12 @@ public interface BaseConnection extends PGConnection, Connection {
|
|
||||||
* @param flushCacheOnDeallocate true if statement cache should be reset when "deallocate/discard" message observed
|
|
||||||
*/
|
|
||||||
void setFlushCacheOnDeallocate(boolean flushCacheOnDeallocate);
|
|
||||||
+
|
|
||||||
+ /**
|
|
||||||
+ * Retrieve the factory to instantiate XML processing factories.
|
|
||||||
+ *
|
|
||||||
+ * @return The factory to use to instantiate XML processing factories
|
|
||||||
+ * @throws SQLException if the class cannot be found or instantiated.
|
|
||||||
+ */
|
|
||||||
+ PGXmlFactoryFactory getXmlFactoryFactory() throws SQLException;
|
|
||||||
}
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java b/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java
|
|
||||||
index 268d936..2fb4e06 100644
|
|
||||||
--- a/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java
|
|
||||||
@@ -1313,4 +1313,12 @@ public abstract class BaseDataSource implements CommonDataSource, Referenceable
|
|
||||||
return Logger.getLogger("org.postgresql");
|
|
||||||
}
|
|
||||||
//#endif
|
|
||||||
+
|
|
||||||
+ public String getXmlFactoryFactory() {
|
|
||||||
+ return PGProperty.XML_FACTORY_FACTORY.get(properties);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public void setXmlFactoryFactory(String xmlFactoryFactory) {
|
|
||||||
+ PGProperty.XML_FACTORY_FACTORY.set(properties, xmlFactoryFactory);
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java b/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java
|
|
||||||
index 7140ab4..c9c4ada 100644
|
|
||||||
--- a/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java
|
|
||||||
@@ -37,6 +37,9 @@ import org.postgresql.util.PGBinaryObject;
|
|
||||||
import org.postgresql.util.PGobject;
|
|
||||||
import org.postgresql.util.PSQLException;
|
|
||||||
import org.postgresql.util.PSQLState;
|
|
||||||
+import org.postgresql.xml.DefaultPGXmlFactoryFactory;
|
|
||||||
+import org.postgresql.xml.LegacyInsecurePGXmlFactoryFactory;
|
|
||||||
+import org.postgresql.xml.PGXmlFactoryFactory;
|
|
||||||
|
|
||||||
import java.io.IOException;
|
|
||||||
import java.sql.Array;
|
|
||||||
@@ -142,6 +145,9 @@ public class PgConnection implements BaseConnection {
|
|
||||||
|
|
||||||
private final LruCache<FieldMetadata.Key, FieldMetadata> fieldMetadataCache;
|
|
||||||
|
|
||||||
+ private final String xmlFactoryFactoryClass;
|
|
||||||
+ private PGXmlFactoryFactory xmlFactoryFactory;
|
|
||||||
+
|
|
||||||
final CachedQuery borrowQuery(String sql) throws SQLException {
|
|
||||||
return queryExecutor.borrowQuery(sql);
|
|
||||||
}
|
|
||||||
@@ -290,6 +296,8 @@ public class PgConnection implements BaseConnection {
|
|
||||||
false);
|
|
||||||
|
|
||||||
replicationConnection = PGProperty.REPLICATION.get(info) != null;
|
|
||||||
+
|
|
||||||
+ xmlFactoryFactoryClass = PGProperty.XML_FACTORY_FACTORY.get(info);
|
|
||||||
}
|
|
||||||
|
|
||||||
private static Set<Integer> getBinaryOids(Properties info) throws PSQLException {
|
|
||||||
@@ -1729,4 +1737,37 @@ public class PgConnection implements BaseConnection {
|
|
||||||
}
|
|
||||||
return ps;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public PGXmlFactoryFactory getXmlFactoryFactory() throws SQLException {
|
|
||||||
+ if (xmlFactoryFactory == null) {
|
|
||||||
+ if (xmlFactoryFactoryClass == null || xmlFactoryFactoryClass.equals("")) {
|
|
||||||
+ xmlFactoryFactory = DefaultPGXmlFactoryFactory.INSTANCE;
|
|
||||||
+ } else if (xmlFactoryFactoryClass.equals("LEGACY_INSECURE")) {
|
|
||||||
+ xmlFactoryFactory = LegacyInsecurePGXmlFactoryFactory.INSTANCE;
|
|
||||||
+ } else {
|
|
||||||
+ Class<?> clazz;
|
|
||||||
+ try {
|
|
||||||
+ clazz = Class.forName(xmlFactoryFactoryClass);
|
|
||||||
+ } catch (ClassNotFoundException ex) {
|
|
||||||
+ throw new PSQLException(
|
|
||||||
+ GT.tr("Could not instantiate xmlFactoryFactory: {0}", xmlFactoryFactoryClass),
|
|
||||||
+ PSQLState.INVALID_PARAMETER_VALUE, ex);
|
|
||||||
+ }
|
|
||||||
+ if (!clazz.isAssignableFrom(PGXmlFactoryFactory.class)) {
|
|
||||||
+ throw new PSQLException(
|
|
||||||
+ GT.tr("Connection property xmlFactoryFactory must implement PGXmlFactoryFactory: {0}", xmlFactoryFactoryClass),
|
|
||||||
+ PSQLState.INVALID_PARAMETER_VALUE);
|
|
||||||
+ }
|
|
||||||
+ try {
|
|
||||||
+ xmlFactoryFactory = (PGXmlFactoryFactory) clazz.newInstance();
|
|
||||||
+ } catch (Exception ex) {
|
|
||||||
+ throw new PSQLException(
|
|
||||||
+ GT.tr("Could not instantiate xmlFactoryFactory: {0}", xmlFactoryFactoryClass),
|
|
||||||
+ PSQLState.INVALID_PARAMETER_VALUE, ex);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ return xmlFactoryFactory;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java b/pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java
|
|
||||||
index 9fb0eed..dd7d5ac 100644
|
|
||||||
--- a/pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java
|
|
||||||
@@ -9,10 +9,11 @@ import org.postgresql.core.BaseConnection;
|
|
||||||
import org.postgresql.util.GT;
|
|
||||||
import org.postgresql.util.PSQLException;
|
|
||||||
import org.postgresql.util.PSQLState;
|
|
||||||
+import org.postgresql.xml.DefaultPGXmlFactoryFactory;
|
|
||||||
+import org.postgresql.xml.PGXmlFactoryFactory;
|
|
||||||
|
|
||||||
-import org.xml.sax.ErrorHandler;
|
|
||||||
import org.xml.sax.InputSource;
|
|
||||||
-import org.xml.sax.SAXParseException;
|
|
||||||
+import org.xml.sax.XMLReader;
|
|
||||||
|
|
||||||
import java.io.ByteArrayInputStream;
|
|
||||||
import java.io.ByteArrayOutputStream;
|
|
||||||
@@ -27,7 +28,6 @@ import java.sql.SQLException;
|
|
||||||
import java.sql.SQLXML;
|
|
||||||
|
|
||||||
import javax.xml.parsers.DocumentBuilder;
|
|
||||||
-import javax.xml.parsers.DocumentBuilderFactory;
|
|
||||||
import javax.xml.stream.XMLInputFactory;
|
|
||||||
import javax.xml.stream.XMLOutputFactory;
|
|
||||||
import javax.xml.stream.XMLStreamException;
|
|
||||||
@@ -77,6 +77,13 @@ public class PgSQLXML implements SQLXML {
|
|
||||||
_freed = false;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ private PGXmlFactoryFactory getXmlFactoryFactory() throws SQLException {
|
|
||||||
+ if (_conn != null) {
|
|
||||||
+ return _conn.getXmlFactoryFactory();
|
|
||||||
+ }
|
|
||||||
+ return DefaultPGXmlFactoryFactory.INSTANCE;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
public synchronized void free() {
|
|
||||||
_freed = true;
|
|
||||||
_data = null;
|
|
||||||
@@ -128,18 +135,17 @@ public class PgSQLXML implements SQLXML {
|
|
||||||
|
|
||||||
try {
|
|
||||||
if (sourceClass == null || DOMSource.class.equals(sourceClass)) {
|
|
||||||
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
||||||
- DocumentBuilder builder = factory.newDocumentBuilder();
|
|
||||||
- builder.setErrorHandler(new NonPrintingErrorHandler());
|
|
||||||
+ DocumentBuilder builder = getXmlFactoryFactory().newDocumentBuilder();
|
|
||||||
InputSource input = new InputSource(new StringReader(_data));
|
|
||||||
return (T) new DOMSource(builder.parse(input));
|
|
||||||
} else if (SAXSource.class.equals(sourceClass)) {
|
|
||||||
+ XMLReader reader = getXmlFactoryFactory().createXMLReader();
|
|
||||||
InputSource is = new InputSource(new StringReader(_data));
|
|
||||||
- return (T) new SAXSource(is);
|
|
||||||
+ return (T) new SAXSource(reader, is);
|
|
||||||
} else if (StreamSource.class.equals(sourceClass)) {
|
|
||||||
return (T) new StreamSource(new StringReader(_data));
|
|
||||||
} else if (StAXSource.class.equals(sourceClass)) {
|
|
||||||
- XMLInputFactory xif = XMLInputFactory.newInstance();
|
|
||||||
+ XMLInputFactory xif = getXmlFactoryFactory().newXMLInputFactory();
|
|
||||||
XMLStreamReader xsr = xif.createXMLStreamReader(new StringReader(_data));
|
|
||||||
return (T) new StAXSource(xsr);
|
|
||||||
}
|
|
||||||
@@ -168,6 +174,7 @@ public class PgSQLXML implements SQLXML {
|
|
||||||
public synchronized Writer setCharacterStream() throws SQLException {
|
|
||||||
checkFreed();
|
|
||||||
initialize();
|
|
||||||
+ _active = true;
|
|
||||||
_stringWriter = new StringWriter();
|
|
||||||
return _stringWriter;
|
|
||||||
}
|
|
||||||
@@ -182,8 +189,7 @@ public class PgSQLXML implements SQLXML {
|
|
||||||
return (T) _domResult;
|
|
||||||
} else if (SAXResult.class.equals(resultClass)) {
|
|
||||||
try {
|
|
||||||
- SAXTransformerFactory transformerFactory =
|
|
||||||
- (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
|
||||||
+ SAXTransformerFactory transformerFactory = getXmlFactoryFactory().newSAXTransformerFactory();
|
|
||||||
TransformerHandler transformerHandler = transformerFactory.newTransformerHandler();
|
|
||||||
_stringWriter = new StringWriter();
|
|
||||||
transformerHandler.setResult(new StreamResult(_stringWriter));
|
|
||||||
@@ -200,7 +206,7 @@ public class PgSQLXML implements SQLXML {
|
|
||||||
} else if (StAXResult.class.equals(resultClass)) {
|
|
||||||
_stringWriter = new StringWriter();
|
|
||||||
try {
|
|
||||||
- XMLOutputFactory xof = XMLOutputFactory.newInstance();
|
|
||||||
+ XMLOutputFactory xof = getXmlFactoryFactory().newXMLOutputFactory();
|
|
||||||
XMLStreamWriter xsw = xof.createXMLStreamWriter(_stringWriter);
|
|
||||||
_active = true;
|
|
||||||
return (T) new StAXResult(xsw);
|
|
||||||
@@ -262,7 +268,7 @@ public class PgSQLXML implements SQLXML {
|
|
||||||
// and use the identify transform to get it into a
|
|
||||||
// friendlier result format.
|
|
||||||
try {
|
|
||||||
- TransformerFactory factory = TransformerFactory.newInstance();
|
|
||||||
+ TransformerFactory factory = getXmlFactoryFactory().newTransformerFactory();
|
|
||||||
Transformer transformer = factory.newTransformer();
|
|
||||||
DOMSource domSource = new DOMSource(_domResult.getNode());
|
|
||||||
StringWriter stringWriter = new StringWriter();
|
|
||||||
@@ -289,19 +295,5 @@ public class PgSQLXML implements SQLXML {
|
|
||||||
}
|
|
||||||
_initialized = true;
|
|
||||||
}
|
|
||||||
-
|
|
||||||
- // Don't clutter System.err with errors the user can't silence.
|
|
||||||
- // If something bad really happens an exception will be thrown.
|
|
||||||
- static class NonPrintingErrorHandler implements ErrorHandler {
|
|
||||||
- public void error(SAXParseException e) {
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- public void fatalError(SAXParseException e) {
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- public void warning(SAXParseException e) {
|
|
||||||
- }
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java b/pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..b6a381d
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java
|
|
||||||
@@ -0,0 +1,141 @@
|
|
||||||
+
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2020, PostgreSQL Global Development Group
|
|
||||||
+ * See the LICENSE file in the project root for more information.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+package org.postgresql.xml;
|
|
||||||
+
|
|
||||||
+import org.xml.sax.SAXException;
|
|
||||||
+import org.xml.sax.XMLReader;
|
|
||||||
+import org.xml.sax.helpers.XMLReaderFactory;
|
|
||||||
+
|
|
||||||
+import javax.xml.XMLConstants;
|
|
||||||
+import javax.xml.parsers.DocumentBuilder;
|
|
||||||
+import javax.xml.parsers.DocumentBuilderFactory;
|
|
||||||
+import javax.xml.parsers.ParserConfigurationException;
|
|
||||||
+import javax.xml.stream.XMLInputFactory;
|
|
||||||
+import javax.xml.stream.XMLOutputFactory;
|
|
||||||
+import javax.xml.transform.TransformerFactory;
|
|
||||||
+import javax.xml.transform.sax.SAXTransformerFactory;
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * Default implementation of PGXmlFactoryFactory that configures each factory per OWASP recommendations.
|
|
||||||
+ *
|
|
||||||
+ * @see <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html</a>
|
|
||||||
+ */
|
|
||||||
+public class DefaultPGXmlFactoryFactory implements PGXmlFactoryFactory {
|
|
||||||
+ public static final DefaultPGXmlFactoryFactory INSTANCE = new DefaultPGXmlFactoryFactory();
|
|
||||||
+
|
|
||||||
+ private DefaultPGXmlFactoryFactory() {
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private DocumentBuilderFactory getDocumentBuilderFactory() {
|
|
||||||
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
|
||||||
+ setFactoryProperties(factory);
|
|
||||||
+ factory.setXIncludeAware(false);
|
|
||||||
+ factory.setExpandEntityReferences(false);
|
|
||||||
+ return factory;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
|
|
||||||
+ DocumentBuilder builder = getDocumentBuilderFactory().newDocumentBuilder();
|
|
||||||
+ builder.setEntityResolver(EmptyStringEntityResolver.INSTANCE);
|
|
||||||
+ builder.setErrorHandler(NullErrorHandler.INSTANCE);
|
|
||||||
+ return builder;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public TransformerFactory newTransformerFactory() {
|
|
||||||
+ TransformerFactory factory = TransformerFactory.newInstance();
|
|
||||||
+ setFactoryProperties(factory);
|
|
||||||
+ return factory;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public SAXTransformerFactory newSAXTransformerFactory() {
|
|
||||||
+ SAXTransformerFactory factory = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
|
||||||
+ setFactoryProperties(factory);
|
|
||||||
+ return factory;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public XMLInputFactory newXMLInputFactory() {
|
|
||||||
+ XMLInputFactory factory = XMLInputFactory.newInstance();
|
|
||||||
+ setPropertyQuietly(factory, XMLInputFactory.SUPPORT_DTD, false);
|
|
||||||
+ setPropertyQuietly(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
|
|
||||||
+ return factory;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public XMLOutputFactory newXMLOutputFactory() {
|
|
||||||
+ XMLOutputFactory factory = XMLOutputFactory.newInstance();
|
|
||||||
+ return factory;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public XMLReader createXMLReader() throws SAXException {
|
|
||||||
+ XMLReader factory = XMLReaderFactory.createXMLReader();
|
|
||||||
+ setFeatureQuietly(factory, "http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
+ setFeatureQuietly(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
||||||
+ setFeatureQuietly(factory, "http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
+ setFeatureQuietly(factory, "http://xml.org/sax/features/external-parameter-entities", false);
|
|
||||||
+ factory.setErrorHandler(NullErrorHandler.INSTANCE);
|
|
||||||
+ return factory;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private static void setFeatureQuietly(Object factory, String name, boolean value) {
|
|
||||||
+ try {
|
|
||||||
+ if (factory instanceof DocumentBuilderFactory) {
|
|
||||||
+ ((DocumentBuilderFactory) factory).setFeature(name, value);
|
|
||||||
+ } else if (factory instanceof TransformerFactory) {
|
|
||||||
+ ((TransformerFactory) factory).setFeature(name, value);
|
|
||||||
+ } else if (factory instanceof XMLReader) {
|
|
||||||
+ ((XMLReader) factory).setFeature(name, value);
|
|
||||||
+ } else {
|
|
||||||
+ throw new Error("Invalid factory class: " + factory.getClass());
|
|
||||||
+ }
|
|
||||||
+ return;
|
|
||||||
+ } catch (Exception ignore) {
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private static void setAttributeQuietly(Object factory, String name, Object value) {
|
|
||||||
+ try {
|
|
||||||
+ if (factory instanceof DocumentBuilderFactory) {
|
|
||||||
+ ((DocumentBuilderFactory) factory).setAttribute(name, value);
|
|
||||||
+ } else if (factory instanceof TransformerFactory) {
|
|
||||||
+ ((TransformerFactory) factory).setAttribute(name, value);
|
|
||||||
+ } else {
|
|
||||||
+ throw new Error("Invalid factory class: " + factory.getClass());
|
|
||||||
+ }
|
|
||||||
+ } catch (Exception ignore) {
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private static void setFactoryProperties(Object factory) {
|
|
||||||
+ setFeatureQuietly(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
|
|
||||||
+ setFeatureQuietly(factory, "http://apache.org/xml/features/disallow-doctype-decl", true);
|
|
||||||
+ setFeatureQuietly(factory, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
|
||||||
+ setFeatureQuietly(factory, "http://xml.org/sax/features/external-general-entities", false);
|
|
||||||
+ setFeatureQuietly(factory, "http://xml.org/sax/features/external-parameter-entities", false);
|
|
||||||
+ // Values from XMLConstants inlined for JDK 1.6 compatibility
|
|
||||||
+ setAttributeQuietly(factory, "http://javax.xml.XMLConstants/property/accessExternalDTD", "");
|
|
||||||
+ setAttributeQuietly(factory, "http://javax.xml.XMLConstants/property/accessExternalSchema", "");
|
|
||||||
+ setAttributeQuietly(factory, "http://javax.xml.XMLConstants/property/accessExternalStylesheet", "");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private static void setPropertyQuietly(Object factory, String name, Object value) {
|
|
||||||
+ try {
|
|
||||||
+ if (factory instanceof XMLReader) {
|
|
||||||
+ ((XMLReader) factory).setProperty(name, value);
|
|
||||||
+ } else if (factory instanceof XMLInputFactory) {
|
|
||||||
+ ((XMLInputFactory) factory).setProperty(name, value);
|
|
||||||
+ } else {
|
|
||||||
+ throw new Error("Invalid factory class: " + factory.getClass());
|
|
||||||
+ }
|
|
||||||
+ } catch (Exception ignore) {
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java b/pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..39227e0
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java
|
|
||||||
@@ -0,0 +1,23 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2020, PostgreSQL Global Development Group
|
|
||||||
+ * See the LICENSE file in the project root for more information.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+package org.postgresql.xml;
|
|
||||||
+
|
|
||||||
+import org.xml.sax.EntityResolver;
|
|
||||||
+import org.xml.sax.InputSource;
|
|
||||||
+import org.xml.sax.SAXException;
|
|
||||||
+
|
|
||||||
+import java.io.IOException;
|
|
||||||
+import java.io.StringReader;
|
|
||||||
+
|
|
||||||
+public class EmptyStringEntityResolver implements EntityResolver {
|
|
||||||
+ public static final EmptyStringEntityResolver INSTANCE = new EmptyStringEntityResolver();
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public InputSource resolveEntity(String publicId, String systemId)
|
|
||||||
+ throws SAXException, IOException {
|
|
||||||
+ return new InputSource(new StringReader(""));
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java b/pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..ed7a66b
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java
|
|
||||||
@@ -0,0 +1,57 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2020, PostgreSQL Global Development Group
|
|
||||||
+ * See the LICENSE file in the project root for more information.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+package org.postgresql.xml;
|
|
||||||
+
|
|
||||||
+import org.xml.sax.SAXException;
|
|
||||||
+import org.xml.sax.XMLReader;
|
|
||||||
+import org.xml.sax.helpers.XMLReaderFactory;
|
|
||||||
+
|
|
||||||
+import javax.xml.parsers.DocumentBuilder;
|
|
||||||
+import javax.xml.parsers.DocumentBuilderFactory;
|
|
||||||
+import javax.xml.parsers.ParserConfigurationException;
|
|
||||||
+import javax.xml.stream.XMLInputFactory;
|
|
||||||
+import javax.xml.stream.XMLOutputFactory;
|
|
||||||
+import javax.xml.transform.TransformerFactory;
|
|
||||||
+import javax.xml.transform.sax.SAXTransformerFactory;
|
|
||||||
+
|
|
||||||
+public class LegacyInsecurePGXmlFactoryFactory implements PGXmlFactoryFactory {
|
|
||||||
+ public static final LegacyInsecurePGXmlFactoryFactory INSTANCE = new LegacyInsecurePGXmlFactoryFactory();
|
|
||||||
+
|
|
||||||
+ private LegacyInsecurePGXmlFactoryFactory() {
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
|
|
||||||
+ DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
|
|
||||||
+ builder.setErrorHandler(NullErrorHandler.INSTANCE);
|
|
||||||
+ return builder;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public TransformerFactory newTransformerFactory() {
|
|
||||||
+ return TransformerFactory.newInstance();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public SAXTransformerFactory newSAXTransformerFactory() {
|
|
||||||
+ return (SAXTransformerFactory) SAXTransformerFactory.newInstance();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public XMLInputFactory newXMLInputFactory() {
|
|
||||||
+ return XMLInputFactory.newInstance();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public XMLOutputFactory newXMLOutputFactory() {
|
|
||||||
+ return XMLOutputFactory.newInstance();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ public XMLReader createXMLReader() throws SAXException {
|
|
||||||
+ return XMLReaderFactory.createXMLReader();
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java b/pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..ad486c7
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java
|
|
||||||
@@ -0,0 +1,25 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2020, PostgreSQL Global Development Group
|
|
||||||
+ * See the LICENSE file in the project root for more information.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+package org.postgresql.xml;
|
|
||||||
+
|
|
||||||
+import org.xml.sax.ErrorHandler;
|
|
||||||
+import org.xml.sax.SAXParseException;
|
|
||||||
+
|
|
||||||
+/**
|
|
||||||
+ * Error handler that silently suppresses all errors.
|
|
||||||
+ */
|
|
||||||
+public class NullErrorHandler implements ErrorHandler {
|
|
||||||
+ public static final NullErrorHandler INSTANCE = new NullErrorHandler();
|
|
||||||
+
|
|
||||||
+ public void error(SAXParseException e) {
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public void fatalError(SAXParseException e) {
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ public void warning(SAXParseException e) {
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java b/pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..4bb98e4
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java
|
|
||||||
@@ -0,0 +1,30 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2020, PostgreSQL Global Development Group
|
|
||||||
+ * See the LICENSE file in the project root for more information.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+package org.postgresql.xml;
|
|
||||||
+
|
|
||||||
+import org.xml.sax.SAXException;
|
|
||||||
+import org.xml.sax.XMLReader;
|
|
||||||
+
|
|
||||||
+import javax.xml.parsers.DocumentBuilder;
|
|
||||||
+import javax.xml.parsers.ParserConfigurationException;
|
|
||||||
+import javax.xml.stream.XMLInputFactory;
|
|
||||||
+import javax.xml.stream.XMLOutputFactory;
|
|
||||||
+import javax.xml.transform.TransformerFactory;
|
|
||||||
+import javax.xml.transform.sax.SAXTransformerFactory;
|
|
||||||
+
|
|
||||||
+public interface PGXmlFactoryFactory {
|
|
||||||
+ DocumentBuilder newDocumentBuilder() throws ParserConfigurationException;
|
|
||||||
+
|
|
||||||
+ TransformerFactory newTransformerFactory();
|
|
||||||
+
|
|
||||||
+ SAXTransformerFactory newSAXTransformerFactory();
|
|
||||||
+
|
|
||||||
+ XMLInputFactory newXMLInputFactory();
|
|
||||||
+
|
|
||||||
+ XMLOutputFactory newXMLOutputFactory();
|
|
||||||
+
|
|
||||||
+ XMLReader createXMLReader() throws SAXException;
|
|
||||||
+}
|
|
||||||
\ No newline at end of file
|
|
||||||
diff --git a/pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java b/pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..49e389c
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java
|
|
||||||
@@ -0,0 +1,124 @@
|
|
||||||
+/*
|
|
||||||
+ * Copyright (c) 2019, PostgreSQL Global Development Group
|
|
||||||
+ * See the LICENSE file in the project root for more information.
|
|
||||||
+ */
|
|
||||||
+
|
|
||||||
+package org.postgresql.jdbc;
|
|
||||||
+
|
|
||||||
+import static org.junit.Assert.assertEquals;
|
|
||||||
+import static org.junit.Assert.assertNotNull;
|
|
||||||
+import static org.junit.Assert.assertTrue;
|
|
||||||
+import static org.junit.Assert.fail;
|
|
||||||
+
|
|
||||||
+import org.postgresql.PGProperty;
|
|
||||||
+import org.postgresql.core.BaseConnection;
|
|
||||||
+import org.postgresql.test.TestUtil;
|
|
||||||
+import org.postgresql.test.jdbc2.BaseTest4;
|
|
||||||
+
|
|
||||||
+import org.junit.Before;
|
|
||||||
+import org.junit.Test;
|
|
||||||
+
|
|
||||||
+import java.io.StringWriter;
|
|
||||||
+import java.io.Writer;
|
|
||||||
+import java.sql.Connection;
|
|
||||||
+import java.sql.PreparedStatement;
|
|
||||||
+import java.sql.ResultSet;
|
|
||||||
+import java.sql.SQLException;
|
|
||||||
+import java.sql.SQLXML;
|
|
||||||
+import java.sql.Statement;
|
|
||||||
+import java.util.Properties;
|
|
||||||
+
|
|
||||||
+import javax.xml.stream.XMLStreamException;
|
|
||||||
+import javax.xml.stream.XMLStreamReader;
|
|
||||||
+import javax.xml.transform.Source;
|
|
||||||
+import javax.xml.transform.Transformer;
|
|
||||||
+import javax.xml.transform.TransformerException;
|
|
||||||
+import javax.xml.transform.TransformerFactory;
|
|
||||||
+import javax.xml.transform.dom.DOMSource;
|
|
||||||
+import javax.xml.transform.sax.SAXSource;
|
|
||||||
+import javax.xml.transform.stax.StAXSource;
|
|
||||||
+import javax.xml.transform.stream.StreamResult;
|
|
||||||
+
|
|
||||||
+public class PgSQLXMLTest extends BaseTest4 {
|
|
||||||
+
|
|
||||||
+ @Override
|
|
||||||
+ @Before
|
|
||||||
+ public void setUp() throws Exception {
|
|
||||||
+ super.setUp();
|
|
||||||
+ TestUtil.createTempTable(con, "xmltab", "x xml");
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test
|
|
||||||
+ public void setCharacterStream() throws Exception {
|
|
||||||
+ String exmplar = "<x>value</x>";
|
|
||||||
+ SQLXML pgSQLXML = con.createSQLXML();
|
|
||||||
+ Writer writer = pgSQLXML.setCharacterStream();
|
|
||||||
+ writer.write(exmplar);
|
|
||||||
+ PreparedStatement preparedStatement = con.prepareStatement("insert into xmltab values (?)");
|
|
||||||
+ preparedStatement.setSQLXML(1, pgSQLXML);
|
|
||||||
+ preparedStatement.execute();
|
|
||||||
+
|
|
||||||
+ Statement statement = con.createStatement();
|
|
||||||
+ ResultSet rs = statement.executeQuery("select * from xmltab");
|
|
||||||
+ assertTrue(rs.next());
|
|
||||||
+ SQLXML result = rs.getSQLXML(1);
|
|
||||||
+ assertNotNull(result);
|
|
||||||
+ assertEquals(exmplar, result.getString());
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private static final String LICENSE_URL =
|
|
||||||
+ PgSQLXMLTest.class.getClassLoader().getResource("META-INF/LICENSE").toString();
|
|
||||||
+ private static final String XXE_EXAMPLE =
|
|
||||||
+ "<!DOCTYPE foo [<!ELEMENT foo ANY >\n"
|
|
||||||
+ + "<!ENTITY xxe SYSTEM \"" + LICENSE_URL + "\">]>"
|
|
||||||
+ + "<foo>&xxe;</foo>";
|
|
||||||
+
|
|
||||||
+ @Test
|
|
||||||
+ public void testLegacyXxe() throws Exception {
|
|
||||||
+ Properties props = new Properties();
|
|
||||||
+ props.setProperty(PGProperty.XML_FACTORY_FACTORY.getName(), "LEGACY_INSECURE");
|
|
||||||
+ try (Connection conn = TestUtil.openDB(props)) {
|
|
||||||
+ BaseConnection baseConn = conn.unwrap(BaseConnection.class);
|
|
||||||
+ PgSQLXML xml = new PgSQLXML(baseConn, XXE_EXAMPLE);
|
|
||||||
+ xml.getSource(null);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ private static String sourceToString(Source source) throws TransformerException {
|
|
||||||
+ StringWriter sw = new StringWriter();
|
|
||||||
+ Transformer transformer = TransformerFactory.newInstance().newTransformer();
|
|
||||||
+ transformer.transform(source, new StreamResult(sw));
|
|
||||||
+ return sw.toString();
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test(expected = SQLException.class)
|
|
||||||
+ public void testGetSourceXxeNull() throws Exception {
|
|
||||||
+ PgSQLXML xml = new PgSQLXML(null, XXE_EXAMPLE);
|
|
||||||
+ xml.getSource(null);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test(expected = SQLException.class)
|
|
||||||
+ public void testGetSourceXxeDOMSource() throws Exception {
|
|
||||||
+ PgSQLXML xml = new PgSQLXML(null, XXE_EXAMPLE);
|
|
||||||
+ xml.getSource(DOMSource.class);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test(expected = TransformerException.class)
|
|
||||||
+ public void testGetSourceXxeSAXSource() throws Exception {
|
|
||||||
+ PgSQLXML xml = new PgSQLXML(null, XXE_EXAMPLE);
|
|
||||||
+ SAXSource source = xml.getSource(SAXSource.class);
|
|
||||||
+ sourceToString(source);
|
|
||||||
+
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ @Test(expected = XMLStreamException.class)
|
|
||||||
+ public void testGetSourceXxeStAXSource() throws Exception {
|
|
||||||
+ PgSQLXML xml = new PgSQLXML(null, XXE_EXAMPLE);
|
|
||||||
+ StAXSource source = xml.getSource(StAXSource.class);
|
|
||||||
+ XMLStreamReader reader = source.getXMLStreamReader();
|
|
||||||
+ // STAX will not throw XXE error until we actually read the element
|
|
||||||
+ while (reader.hasNext()) {
|
|
||||||
+ reader.next();
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+}
|
|
||||||
diff --git a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
|
|
||||||
index 6314d21..814288c 100644
|
|
||||||
--- a/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
|
|
||||||
+++ b/pgjdbc/src/test/java/org/postgresql/test/jdbc2/Jdbc2TestSuite.java
|
|
||||||
@@ -13,6 +13,7 @@ import org.postgresql.core.ParserTest;
|
|
||||||
import org.postgresql.core.ReturningParserTest;
|
|
||||||
import org.postgresql.core.v3.V3ParameterListTests;
|
|
||||||
import org.postgresql.jdbc.DeepBatchedInsertStatementTest;
|
|
||||||
+import org.postgresql.jdbc.PgSQLXMLTest;
|
|
||||||
import org.postgresql.jdbc.PrimitiveArraySupportTest;
|
|
||||||
import org.postgresql.test.core.JavaVersionTest;
|
|
||||||
import org.postgresql.test.core.NativeQueryBindLengthTest;
|
|
||||||
@@ -76,6 +77,7 @@ import org.junit.runners.Suite;
|
|
||||||
TimestampTest.class,
|
|
||||||
TimezoneTest.class,
|
|
||||||
PGTimeTest.class,
|
|
||||||
+ PgSQLXMLTest.class,
|
|
||||||
PGTimestampTest.class,
|
|
||||||
TimezoneCachingTest.class,
|
|
||||||
ParserTest.class,
|
|
||||||
--
|
|
||||||
2.24.1
|
|
||||||
|
|
@ -28,63 +28,27 @@
|
|||||||
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||||
|
|
||||||
|
|
||||||
# Configuration for rpmbuild, might be specified by options
|
|
||||||
# like e.g. 'rpmbuild --define "runselftest 0"'.
|
|
||||||
|
|
||||||
%{!?runselftest:%global runselftest 1}
|
|
||||||
|
|
||||||
|
|
||||||
%global section devel
|
|
||||||
%global source_path pgjdbc/src/main/java/org/postgresql
|
|
||||||
%global parent_ver 1.1.5
|
|
||||||
%global parent_poms_builddir ./pgjdbc-parent-poms
|
|
||||||
|
|
||||||
%global pgjdbc_mvn_options -DwaffleEnabled=false -DosgiEnabled=false \\\
|
|
||||||
-DexcludePackageNames=org.postgresql.osgi:org.postgresql.sspi
|
|
||||||
|
|
||||||
Summary: JDBC driver for PostgreSQL
|
Summary: JDBC driver for PostgreSQL
|
||||||
Name: postgresql-jdbc
|
Name: postgresql-jdbc
|
||||||
Version: 42.2.3
|
Version: 42.2.14
|
||||||
Release: 3%{?dist}
|
Release: 1%{?dist}
|
||||||
License: BSD
|
License: BSD
|
||||||
URL: http://jdbc.postgresql.org/
|
URL: http://jdbc.postgresql.org/
|
||||||
|
|
||||||
Source0: https://github.com/pgjdbc/pgjdbc/archive/REL%{version}/pgjdbc-REL%{version}.tar.gz
|
Source0: https://repo1.maven.org/maven2/org/postgresql/postgresql/%{version}/postgresql-%{version}-src.tar.gz
|
||||||
Provides: pgjdbc = %version-%release
|
Provides: pgjdbc = %version-%release
|
||||||
|
|
||||||
# Upstream moved parent pom.xml into separate project (even though there is only
|
|
||||||
# one dependant project on it?). Let's try to not complicate packaging by
|
|
||||||
# having separate spec file for it, too.
|
|
||||||
Source1: https://github.com/pgjdbc/pgjdbc-parent-poms/archive/REL%parent_ver/pgjdbc-parent-poms-REL%{parent_ver}.tar.gz
|
|
||||||
|
|
||||||
# disable test that makes unpredictable assumptions about non-routable IPs
|
|
||||||
# See https://github.com/pgjdbc/pgjdbc/issues/556
|
|
||||||
Patch0: disable-ConnectTimeoutTest.patch
|
|
||||||
Patch1: fix-XXE-vulnerability.patch
|
|
||||||
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
BuildRequires: java-devel >= 1.8
|
|
||||||
BuildRequires: maven-local
|
BuildRequires: maven-local
|
||||||
BuildRequires: java-comment-preprocessor
|
BuildRequires: java-comment-preprocessor
|
||||||
BuildRequires: properties-maven-plugin
|
BuildRequires: properties-maven-plugin
|
||||||
BuildRequires: maven-enforcer-plugin
|
BuildRequires: maven-enforcer-plugin
|
||||||
BuildRequires: maven-plugin-bundle
|
BuildRequires: maven-plugin-bundle
|
||||||
BuildRequires: maven-plugin-build-helper
|
BuildRequires: maven-plugin-build-helper
|
||||||
BuildRequires: classloader-leak-test-framework
|
|
||||||
|
|
||||||
BuildRequires: mvn(com.ongres.scram:client)
|
BuildRequires: mvn(com.ongres.scram:client)
|
||||||
BuildRequires: mvn(org.apache.maven.plugins:maven-clean-plugin)
|
|
||||||
|
|
||||||
|
Obsoletes: %{name}-parent-poms < 42.2.2-2
|
||||||
%if %runselftest
|
|
||||||
BuildRequires: postgresql-contrib
|
|
||||||
BuildRequires: postgresql-test-rpm-macros
|
|
||||||
%endif
|
|
||||||
|
|
||||||
# gettext is only needed if we try to update translations
|
|
||||||
#BuildRequires: gettext
|
|
||||||
|
|
||||||
Obsoletes: %{name}-parent-poms < 42.2.2-2
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
PostgreSQL is an advanced Object-Relational database management
|
PostgreSQL is an advanced Object-Relational database management
|
||||||
@ -100,38 +64,20 @@ This package contains the API Documentation for %{name}.
|
|||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -c -q -a 1
|
%setup -c -q
|
||||||
|
|
||||||
mv pgjdbc-REL%version/* .
|
|
||||||
mv pgjdbc-parent-poms-REL%parent_ver pgjdbc-parent-poms
|
|
||||||
|
|
||||||
%patch0 -p1
|
|
||||||
%patch1 -p1
|
|
||||||
|
|
||||||
# remove any binary libs
|
# remove any binary libs
|
||||||
find -name "*.jar" -or -name "*.class" | xargs rm -f
|
find -type f \( -name "*.jar" -or -name "*.class" \) | xargs rm -f
|
||||||
|
|
||||||
# Build parent POMs in the same Maven call.
|
%pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-javadoc-plugin']"
|
||||||
%pom_xpath_inject pom:modules "<module>%parent_poms_builddir</module>"
|
|
||||||
%pom_xpath_inject pom:parent "<relativePath>pgjdbc-parent-poms/pgjdbc-versions</relativePath>"
|
|
||||||
%pom_xpath_set pom:relativePath ../pgjdbc-parent-poms/pgjdbc-core-parent pgjdbc
|
|
||||||
%pom_xpath_remove "pom:plugin[pom:artifactId = 'maven-shade-plugin']" pgjdbc
|
|
||||||
|
|
||||||
# compat symlink: requested by dtardon (libreoffice), reverts part of
|
# compat symlink: requested by dtardon (libreoffice), reverts part of
|
||||||
# 0af97ce32de877 commit.
|
# 0af97ce32de877 commit.
|
||||||
%mvn_file org.postgresql:postgresql %{name}/postgresql %{name} postgresql
|
%mvn_file org.postgresql:postgresql %{name}/postgresql %{name} postgresql
|
||||||
|
|
||||||
# Parent POMs should not be installed.
|
|
||||||
%mvn_package ":*{parent,versions,prevjre}*" __noinstall
|
|
||||||
|
|
||||||
# For compat reasons, make Maven artifact available under older coordinates.
|
# For compat reasons, make Maven artifact available under older coordinates.
|
||||||
%mvn_alias org.postgresql:postgresql postgresql:postgresql
|
%mvn_alias org.postgresql:postgresql postgresql:postgresql
|
||||||
|
|
||||||
# Hack #1! This directory is missing for some reason, it is most probably some
|
|
||||||
# misunderstanding between maven, maven-compiler-plugin and
|
|
||||||
# java-comment-preprocessor? Not solved yet. See rhbz#1325060.
|
|
||||||
mkdir -p pgjdbc/target/generated-sources/annotations
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
# Ideally we would run "sh update-translations.sh" here, but that results
|
# Ideally we would run "sh update-translations.sh" here, but that results
|
||||||
@ -140,33 +86,7 @@ mkdir -p pgjdbc/target/generated-sources/annotations
|
|||||||
# different platforms don't build in the same minute. For now, rely on
|
# different platforms don't build in the same minute. For now, rely on
|
||||||
# upstream to have updated the translations files before packaging.
|
# upstream to have updated the translations files before packaging.
|
||||||
|
|
||||||
# Include PostgreSQL testing methods and variables.
|
%mvn_build -f
|
||||||
%if %runselftest
|
|
||||||
%postgresql_tests_init
|
|
||||||
|
|
||||||
PGTESTS_LOCALE=C.UTF-8
|
|
||||||
|
|
||||||
cat <<EOF > build.local.properties
|
|
||||||
server=localhost
|
|
||||||
port=$PGTESTS_PORT
|
|
||||||
database=test
|
|
||||||
username=test
|
|
||||||
password=test
|
|
||||||
privilegedUser=$PGTESTS_ADMIN
|
|
||||||
privilegedPassword=$PGTESTS_ADMINPASS
|
|
||||||
preparethreshold=5
|
|
||||||
loglevel=0
|
|
||||||
protocolVersion=0
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Start the local PG cluster.
|
|
||||||
%postgresql_tests_start
|
|
||||||
%else
|
|
||||||
# -f is equal to -Dmaven.test.skip=true
|
|
||||||
opts="-f"
|
|
||||||
%endif
|
|
||||||
|
|
||||||
%mvn_build $opts -- %pgjdbc_mvn_options
|
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
@ -183,6 +103,9 @@ opts="-f"
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Dec 14 2021 Zuzana Miklankova <zmiklank@redhat.com> - 42.2.14-1
|
||||||
|
- Rebase on 42.2.14
|
||||||
|
|
||||||
* Wed Jul 22 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.3-3
|
* Wed Jul 22 2020 Ondrej Dubaj <odubaj@redhat.com> - 42.2.3-3
|
||||||
- fixed XXE vulnerability unit test
|
- fixed XXE vulnerability unit test
|
||||||
|
|
||||||
|
3
sources
3
sources
@ -1,2 +1 @@
|
|||||||
SHA512 (pgjdbc-REL42.2.3.tar.gz) = c73976999baa752d5b0f24ef367c3dd11c46e4969554e1e39cc34c650f3436911a5320f38cfa28d6269acc3ce809de1e3b69ea98bcccc6745399843dab86642f
|
SHA512 (postgresql-42.2.14-src.tar.gz) = 35964f95f05d9e6adc4d2639a156f7c8d6dc0e8b829107e0d3d2f34eab5f4b08976fb7c79e5fa2f1412cbc323572b8a88525035e45c4e84abb2d38f11a777c94
|
||||||
SHA512 (pgjdbc-parent-poms-REL1.1.5.tar.gz) = 924cfca194555e81174ccc8128810744ea7fe3b573e87353a0720e39e0846076dd115e40ad628c0b68fe46cf6993f402a2b01f07c71b580dddab2fd896cfa464
|
|
||||||
|
Loading…
Reference in New Issue
Block a user