debian/0000775000000000000000000000000012775224246007203 5ustar debian/maven.cleanIgnoreRules0000664000000000000000000000150112772261562013470 0ustar # Maven clean ignore rules - ignore some Maven dependencies and plugins # during the clean phase of a Maven build # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # All elements must match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., this dependency is then removed # from the POM before mvn clean is called # junit junit jar s/3\\..*/3.x/ debian/watch0000664000000000000000000000022112772261562010226 0ustar version=3 opts="uversionmangle=s/-(alpha|beta)-/~$1/" \ http://svn.apache.org/repos/asf/jackrabbit/tags/ \ (\d.*)/ debian debian/orig-tar.sh debian/copyright0000664000000000000000000001002112772261562011127 0ustar Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/. Upstream-Name: Apache Jackrabbit Source: http://jackrabbit.apache.org/ Files: * Copyright: Copyright (C) 2011 The Apache Software Foundation License: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
See the License for the specific language governing permissions and limitations under the License. . On Debian systems the full text of the Apache License can be found in `/usr/share/common-licenses/Apache-2.0'. Files: jackrabbit-spi-commons/src/main/javacc/xpath/javacc.xsl, jackrabbit-spi-commons/src/main/javacc/xpath/jjtree.xsl, jackrabbit-spi-commons/src/main/javacc/xpath/strip.xsl, jackrabbit-spi-commons/src/main/javacc/xpath/xpath-grammar.xml Copyright: Copyright (c) 2002 World Wide Web Consortium (Massachusetts Institute of Technology, Institut National de Recherche en Informatique et en Automatique, Keio University) License: W3C All Rights Reserved. This program is distributed under the W3C's Software Intellectual Property License. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. . W3C(R) SOFTWARE NOTICE AND LICENSE http://www.w3.org/Consortium/Legal/2002/copyright-software-20021231 . This work (and included software, documentation such as READMEs, or other related items) is being provided by the copyright holders under the following license. By obtaining, using and/or copying this work, you (the licensee) agree that you have read, understood, and will comply with the following terms and conditions. . Permission to copy, modify, and distribute this software and its documentation, with or without modification, for any purpose and without fee or royalty is hereby granted, provided that you include the following on ALL copies of the software and documentation or portions thereof, including modifications: . 1. The full text of this NOTICE in a location viewable to users of the redistributed or derivative work. . 2. Any pre-existing intellectual property disclaimers, notices, or terms and conditions. 
If none exist, the W3C Software Short Notice should be included (hypertext is preferred, text is permitted) within the body of any redistributed or derivative code. . 3. Notice of any changes or modifications to the files, including the date changes were made. (We recommend you provide URIs to the location from which the code is derived.) . THIS SOFTWARE AND DOCUMENTATION IS PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS. . COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF ANY USE OF THE SOFTWARE OR DOCUMENTATION. . The name and trademarks of copyright holders may NOT be used in advertising or publicity pertaining to the software without specific, written prior permission. Title to copyright in this software and any associated documentation will at all times remain with copyright holders. Files: debian/* Copyright: Copyright (C) 2011, Damien Raude-Morvan License: Apache-2.0 On Debian systems the full text of the Apache License can be found in `/usr/share/common-licenses/Apache-2.0'. debian/patches/0000775000000000000000000000000012772261562010631 5ustar debian/patches/CVE-2016-6801.patch0000664000000000000000000002115212772261562013252 0ustar 
From: Markus Koschany Date: Sun, 18 Sep 2016 16:46:33 +0200 Subject: CVE-2016-6801 The CSRF content-type check for POST requests did not handle missing Content-Type header fields, nor variations in field values with respect to upper/lower case or optional parameters. This could be exploited to create a resource via CSRF. Backported to the 2.3 branch. Origin: https://svn.apache.org/viewvc?view=revision&revision=1758791 --- .../apache/jackrabbit/spi2davex/PostMethod.java | 1 + .../org/apache/jackrabbit/webdav/DavResource.java | 2 +- .../webdav/server/AbstractWebdavServlet.java | 3 +- .../apache/jackrabbit/webdav/util/CSRFUtil.java | 83 ++++++++++++++++++---- 4 files changed, 74 insertions(+), 15 deletions(-) diff --git a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java index 5355a72..f6e243c 100644 --- a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java +++ b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java @@ -47,6 +47,7 @@ class PostMethod extends DavMethodBase { public PostMethod(String uri) { super(uri); + super.setRequestHeader("Referer", uri); HttpMethodParams params = getParams(); params.setContentCharset("UTF-8"); } diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java index c99b5cd..6e70a42 100644 --- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java +++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java 
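Review bot: the added `super.setRequestHeader("Referer", uri);` in the PostMethod constructor needs an inline comment saying why an HTTP client sets its own Referer: it is there so the spi2davex client's POSTs pass the referrer check this patch introduces in CSRFUtil, where a POST with a form-like content type and no Referer is now rejected. Stating that intent next to the line also makes clear that it only affects this client and does not weaken the server-side check, which is aimed at browser-originated requests where the user agent, not the page, controls the header.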
@@ -40,7 +40,7 @@ public interface DavResource { /** * String constant representing the WebDAV 1 and 2 method set. */ - public static final String METHODS = "OPTIONS, GET, HEAD, POST, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK"; + public static final String METHODS = "OPTIONS, GET, HEAD, TRACE, PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK"; /** * Returns a comma separated list of all compliance classes the given diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java index 128946e..a1bdbf4 100644 --- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java +++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java @@ -568,7 +568,7 @@ abstract public class AbstractWebdavServlet extends HttpServlet implements DavCo */ protected void doPost(WebdavRequest request, WebdavResponse response, DavResource resource) throws IOException, DavException { - doPut(request, response, resource); + response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED); } /** @@ -1356,7 +1356,6 @@ abstract public class AbstractWebdavServlet extends HttpServlet implements DavCo * @param out * @return * @see #doPut(WebdavRequest, WebdavResponse, DavResource) - * @see #doPost(WebdavRequest, WebdavResponse, DavResource) * @see #doMkCol(WebdavRequest, WebdavResponse, DavResource) */ protected OutputContext getOutputContext(DavServletResponse response, OutputStream out) { diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java index 4d431eb..b5fc8f4 100644 --- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java 
+++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java @@ -19,12 +19,18 @@ package org.apache.jackrabbit.webdav.util; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.servlet.http.HttpServletRequest; -import java.net.MalformedURLException; -import java.net.URL; +import java.net.URI; +import java.net.URISyntaxException; +import java.util.Arrays; import java.util.Collections; +import java.util.Enumeration; import java.util.HashSet; import java.util.Set; +import java.util.Locale; +import javax.servlet.http.HttpServletRequest; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; /** * CSRFUtil... @@ -37,6 +43,19 @@ public class CSRFUtil { public static final String DISABLED = "disabled"; /** + * Request content types for CSRF checking, see JCR-3909, JCR-4002, and JCR-4009 + */ + public static final Set CONTENT_TYPES = Collections.unmodifiableSet(new HashSet( + Arrays.asList( + new String[] { + "application/x-www-form-urlencoded", + "multipart/form-data", + "text/plain" + } + ) + )); + + /** * logger instance */ private static final Logger log = LoggerFactory.getLogger(CSRFUtil.class); @@ -77,6 +96,7 @@ public class CSRFUtil { if (config == null || config.length() == 0) { disabled = false; allowedReferrerHosts = Collections.emptySet(); + log.debug("CSRF protection disabled"); } else { if (DISABLED.equalsIgnoreCase(config.trim())) { disabled = true; 
@@ -89,23 +109,62 @@ public class CSRFUtil { allowedReferrerHosts.add(entry.trim()); } } + log.debug("CSRF protection enabled, allowed referrers: " + allowedReferrerHosts); } } - public boolean isValidRequest(HttpServletRequest request) throws MalformedURLException { + public boolean isValidRequest(HttpServletRequest request) { + if (disabled) { return true; + } else if (!"POST".equals(request.getMethod())) { + // protection only needed for POST + return true; } else { + Enumeration cts = (Enumeration) request.getHeaders("Content-Type"); + String ct = null; + if (cts != null && cts.hasMoreElements()) { + String t = cts.nextElement(); + // prune parameters + int semicolon = t.indexOf(';'); + if (semicolon >= 0) { + t = t.substring(0, semicolon); + } + ct = t.trim().toLowerCase(Locale.ENGLISH); + } + if (cts != null && cts.hasMoreElements()) { + // reject if there are more header field instances + log.debug("request blocked because there were multiple content-type header fields"); + return false; + } + if (ct != null && !CONTENT_TYPES.contains(ct)) { + // type present and not in blacklist + return true; + } + String refHeader = request.getHeader("Referer"); + // empty referrer headers are not allowed for POST + relevant + // content types (see JCR-3909) if (refHeader == null) { - // empty referrer is always allowed - return true; - } else { - String host = new URL(refHeader).getHost(); - // test referrer-host equelst server or - // if it is contained in the set of explicitly allowed host names - return host.equals(request.getServerName()) || allowedReferrerHosts.contains(host); + log.debug("POST with content type" + ct + " blocked due to missing referer header field"); + return false; + } + + try { + String host = new URI(refHeader).getHost(); + // test referrer-host equals server or + // if it is contained in the set of explicitly allowed host + // names + boolean ok = host == null || host.equals(request.getServerName()) || allowedReferrerHosts.contains(host); + if 
(!ok) { + log.debug("POST with content type" + ct + " blocked due to referer header field being: " + refHeader); + } + return ok; + } catch (URISyntaxException ex) { + // referrer malformed -> block access + log.debug("POST with content type" + ct + " blocked due to malformed referer header field: " + refHeader); + return false; } } } -} \ No newline at end of file +} debian/patches/servlet_api_25.diff0000664000000000000000000000246112772261562014311 0ustar Description: Add some methods for Servlet API 2.5 compat Author: Damien Raude-Morvan Last-Update: 2012-01-21 Forwarded: no --- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/WebdavRequestImpl.java +++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/WebdavRequestImpl.java @@ -996,4 +996,21 @@ public String getRealPath(String s) { return httpRequest.getRealPath(s); } + + // Compat Servlet 2.4 + public int getRemotePort() { + return httpRequest.getRemotePort(); + } + + public int getLocalPort() { + return httpRequest.getLocalPort(); + } + + public String getLocalName() { + return httpRequest.getLocalName(); + } + + public String getLocalAddr() { + return httpRequest.getLocalAddr(); + } } --- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/WebdavResponseImpl.java +++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/WebdavResponseImpl.java @@ -310,4 +310,13 @@ public Locale getLocale() { return httpResponse.getLocale(); } + + // Compat Servlet 2.4 + public void setCharacterEncoding(String env) { + httpResponse.setCharacterEncoding(env); + } + + public String getContentType() { + return httpResponse.getContentType(); + } } debian/patches/modules.diff0000664000000000000000000000216212772261562013134 0ustar Description: Disable all modules except webdav Author: Damien Raude-Morvan Last-Update: 2012-01-21 Forwarded: not-needed Index: b/pom.xml =================================================================== --- a/pom.xml +++ b/pom.xml 
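Review bot: in the AbstractWebdavServlet doPost hunk, `response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);` produces a 405 without an Allow header, which RFC 7231 requires on 405 responses so clients can learn which methods the resource supports; set `Allow` (for example from the updated `METHODS` constant in the DavResource hunk, which now omits POST) before calling sendError. Dropping the `@see #doPost` reference from the getOutputContext Javadoc is consistent with POST no longer writing through doPut.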
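Review bot: in the CSRFUtil constructor hunk, `log.debug("CSRF protection disabled");` is added to the branch that has just executed `disabled = false;` with an empty allowed-host set, so the message states the opposite of what the code does (an absent or empty config means protection is on with no extra referrer hosts). Reword it, for instance "CSRF protection enabled, no additional referrer hosts", so an operator reading the log to confirm the mitigation is active is not misled; the "enabled" message added in the next hunk already covers the configured case.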
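Review bot: in the isValidRequest hunk, `boolean ok = host == null || host.equals(request.getServerName()) || allowedReferrerHosts.contains(host);` accepts any Referer that `new URI(refHeader)` parses without a host component, while the comment directly above it describes only the equal-host and allowed-host cases and the preceding block rejects a missing header outright; either document why a host-less referrer is trusted or handle it like the missing-header case so the two paths are consistent. Two smaller points in the same hunk: the three debug messages built as `"POST with content type" + ct + ...` lack a space after "type", and since the method signature no longer declares `throws MalformedURLException` (malformed referrers are now caught as URISyntaxException and rejected), the Javadoc should say so and callers that still catch it should be checked.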
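Review bot: in servlet_api_25.diff both hunks label the new methods `// Compat Servlet 2.4` while the patch Description says "Servlet API 2.5 compat"; pick one version and use it in both the DEP-3 header and the code comments so a later maintainer knows which API level the shims target.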
@@ -37,25 +37,7 @@ jackrabbit-parent - jackrabbit-api - jackrabbit-jcr-commons - jackrabbit-jcr-tests - jackrabbit-core jackrabbit-webdav - jackrabbit-jcr-server - jackrabbit-jcr-rmi - jackrabbit-jcr-servlet - jackrabbit-webapp - jackrabbit-jca - jackrabbit-spi - jackrabbit-spi-commons - jackrabbit-jcr2spi - jackrabbit-spi2jcr - jackrabbit-spi2dav - jackrabbit-jcr2dav - jackrabbit-jcr-client - jackrabbit-bundle - jackrabbit-standalone debian/patches/CVE-2015-1833.patch0000664000000000000000000002632012772261562013253 0ustar From: Markus Koschany Date: Wed, 24 Jun 2015 03:16:44 +0200 Subject: CVE-2015-1833 --- .../webdav/xml/DavDocumentBuilderFactory.java | 86 ++++++++++++++++++++++ .../org/apache/jackrabbit/webdav/xml/DomUtil.java | 22 +----- .../apache/jackrabbit/webdav/xml/ParserTest.java | 78 ++++++++++++++++++++ .../org/apache/jackrabbit/webdav/xml/TestAll.java | 1 + 4 files changed, 168 insertions(+), 19 deletions(-) create mode 100644 jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java create mode 100644 jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java new file mode 100644 index 0000000..60660a0 --- /dev/null +++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DavDocumentBuilderFactory.java 
@@ -0,0 +1,86 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.webdav.xml; + +import java.io.IOException; + +import javax.xml.XMLConstants; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.xml.sax.EntityResolver; +import org.xml.sax.InputSource; +import org.xml.sax.helpers.DefaultHandler; + +/** + * Custom {@link DocumentBuilderFactory} extended for use in WebDAV. 
+ */ +public class DavDocumentBuilderFactory { + + private static final Logger LOG = LoggerFactory.getLogger(DomUtil.class); + + private final DocumentBuilderFactory DEFAULT_FACTORY = createFactory(); + + private DocumentBuilderFactory BUILDER_FACTORY = DEFAULT_FACTORY; + + private DocumentBuilderFactory createFactory() { + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + factory.setIgnoringComments(true); + factory.setIgnoringElementContentWhitespace(true); + factory.setCoalescing(true); + try { + factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); + } catch (ParserConfigurationException e) { + LOG.warn("Secure XML processing is not supported", e); + } catch (AbstractMethodError e) { + LOG.warn("Secure XML processing is not supported", e); + } + return factory; + } + + public void setFactory(DocumentBuilderFactory documentBuilderFactory) { + LOG.debug("DocumentBuilderFactory changed to: " + documentBuilderFactory); + BUILDER_FACTORY = documentBuilderFactory != null ? documentBuilderFactory : DEFAULT_FACTORY; + } + + /** + * An entity resolver that does not allow external entity resolution. 
See + * RFC 4918, Section 20.6 + */ + private static final EntityResolver DEFAULT_ENTITY_RESOLVER = new EntityResolver() { + public InputSource resolveEntity(String publicId, String systemId) throws IOException { + LOG.debug("Resolution of external entities in XML payload not supported - publicId: " + publicId + ", systemId: " + + systemId); + throw new IOException("This parser does not support resolution of external entities (publicId: " + publicId + + ", systemId: " + systemId + ")"); + } + }; + + public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException { + DocumentBuilder db = BUILDER_FACTORY.newDocumentBuilder(); + if (BUILDER_FACTORY == DEFAULT_FACTORY) { + // if this is the default factory: set the default entity resolver as well + db.setEntityResolver(DEFAULT_ENTITY_RESOLVER); + } + db.setErrorHandler(new DefaultHandler()); + return db; + } +} diff --git a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java index 70508cc..ad77c97 100644 --- a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java +++ b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/xml/DomUtil.java 
@@ -56,26 +56,10 @@ public class DomUtil { private static Logger log = LoggerFactory.getLogger(DomUtil.class); /** - * Constant for DocumentBuilderFactory which is used + * Constant for DavDocumentBuilderFactory which is used * to create and parse DOM documents. */ - private static DocumentBuilderFactory BUILDER_FACTORY = createFactory(); - - private static DocumentBuilderFactory createFactory() { - DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); - factory.setNamespaceAware(true); - factory.setIgnoringComments(true); - factory.setIgnoringElementContentWhitespace(true); - factory.setCoalescing(true); - try { - factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); - } catch (ParserConfigurationException e) { - log.warn("Secure XML processing is not supported", e); - } catch (AbstractMethodError e) { - log.warn("Secure XML processing is not supported", e); - } - return factory; - } + private static DavDocumentBuilderFactory BUILDER_FACTORY = new DavDocumentBuilderFactory(); /** * Support the replacement of {@link #BUILDER_FACTORY}. This is useful @@ -88,7 +72,7 @@ public class DomUtil { */ public static void setBuilderFactory( DocumentBuilderFactory documentBuilderFactory) { - BUILDER_FACTORY = documentBuilderFactory; + BUILDER_FACTORY.setFactory(documentBuilderFactory); } /** diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java new file mode 100644 index 0000000..19aaa1b --- /dev/null +++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/ParserTest.java 
@@ -0,0 +1,78 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the \"License\"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an \"AS IS\" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.jackrabbit.webdav.xml; + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.OutputStream; +import java.io.UnsupportedEncodingException; + +import junit.framework.TestCase; + +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +public class ParserTest extends TestCase { + + // see + public void testBillionLaughs() throws UnsupportedEncodingException { + + String testBody = "" + "" + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + + " " + "]>" + "&lol9;"; + InputStream is = new ByteArrayInputStream(testBody.getBytes("UTF-8")); + + try { + DomUtil.parseDocument(is); + fail("parsing this document should cause an exception"); + } catch (Exception expected) { + } + } + + public void testExternalEntities() throws IOException { + + String dname = "target"; + String fname = "test.xml"; + + File f = new File(dname, fname); + OutputStream os = new FileOutputStream(f); + os.write("testdata".getBytes()); + os.close(); + + String testBody = "\n" + + "]>\n&test;"; + InputStream is = new 
ByteArrayInputStream(testBody.getBytes("UTF-8")); + + try { + Document d = DomUtil.parseDocument(is); + Element root = d.getDocumentElement(); + String text = DomUtil.getText(root); + fail("parsing this document should cause an exception, but the following external content was included: " + text); + } catch (Exception expected) { + } + } +} \ No newline at end of file diff --git a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java index 1ca395a..f3ff354 100644 --- a/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java +++ b/jackrabbit-webdav/src/test/java/org/apache/jackrabbit/webdav/xml/TestAll.java 
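Review bot: in the DavDocumentBuilderFactory hunk, newDocumentBuilder installs DEFAULT_ENTITY_RESOLVER only when `BUILDER_FACTORY == DEFAULT_FACTORY`, so any caller that supplies its own factory through setFactory (and therefore through DomUtil.setBuilderFactory in the next hunk) silently loses the external-entity block this patch introduces; say so in the setFactory Javadoc, and consider applying the resolver to every builder unless the caller explicitly opts out, since the resolver, not the factory features, is what rejects the `&test;` case exercised in ParserTest. Two style points: the logger is created with `LoggerFactory.getLogger(DomUtil.class)` instead of this class, so its messages will be misattributed, and DEFAULT_FACTORY and BUILDER_FACTORY are non-static instance fields (the latter mutable) named in constant style.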
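Review bot: in the ParserTest hunk, both tests succeed on `catch (Exception expected) {}`, so any unrelated exception thrown before or after the parse (for example from `DomUtil.getText(root)`) also counts as a pass; catch the checked exceptions parseDocument declares, or assert on the exception type or message, so the tests can only pass when the entity is actually rejected. testExternalEntities also writes `target/test.xml` with a FileOutputStream, assumes that directory exists and never deletes the file; use File.createTempFile with deleteOnExit (or delete in a finally block) so the test is self-cleaning and independent of the Maven build layout. The escaped `\"License\"` quotes in the file's license comment look like a copy artifact and should be plain quotes, matching the header of DavDocumentBuilderFactory.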
@@ -33,6 +33,7 @@ public class TestAll extends TestCase { TestSuite suite = new TestSuite("org.apache.jackrabbit.webdav.xml tests"); suite.addTestSuite(NamespaceTest.class); + suite.addTestSuite(ParserTest.class); return suite; } debian/patches/series0000664000000000000000000000011112772261562012037 0ustar modules.diff servlet_api_25.diff CVE-2015-1833.patch CVE-2016-6801.patch debian/build.properties0000664000000000000000000000005412772261562012416 0ustar build.directory=target maven.test.skip=true debian/build.xml0000664000000000000000000000252612772261562011030 0ustar debian/changelog0000664000000000000000000000270312775224246011057 0ustar jackrabbit (2.3.6-1+deb8u2build0.14.04.1) trusty-security; urgency=medium * fake sync from Debian -- Emily Ratliff Wed, 05 Oct 2016 11:21:58 -0500 jackrabbit (2.3.6-1+deb8u2) jessie-security; urgency=high * Team upload. * Fix CVE-2016-6801: The CSRF content-type check for POST requests did not handle missing Content-Type header fields, nor variations in field values with respect to upper/lower case or optional parameters. This could be exploited to create a resource via CSRF. -- Markus Koschany Mon, 26 Sep 2016 20:05:38 +0200 jackrabbit (2.3.6-1+deb8u1) jessie-security; urgency=medium * Team upload. * Add CVE-2015-1833.patch. Fix XXE/XEE vulnerability of the Jackrabbit WebDAV bundle. When processing a WebDAV request body containing XML, the XML parser can be instructed to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can not only be used to trigger internal network requests, but might also be used to insert said content into the request, potentially exposing it to the attacker and others. (Closes: #787316) -- Markus Koschany Thu, 25 Jun 2015 18:47:39 +0200 jackrabbit (2.3.6-1) unstable; urgency=low * Initial release (Closes: #589450). 
-- Damien Raude-Morvan Sat, 21 Jan 2012 23:20:41 +0100 debian/orig-tar.sh0000775000000000000000000000044312772261562011266 0ustar #!/bin/sh -e VERSION=$2 TAR=../jackrabbit_$VERSION.orig.tar.gz DIR=jackrabbit-$VERSION TAG=$(echo "$VERSION" | sed -re's/~(alpha|beta)/-\1-/') svn export http://svn.apache.org/repos/asf/jackrabbit/tags/${TAG}/ $DIR GZIP=--best tar -c -z -f $TAR -X debian/orig-tar.exclude $DIR rm -rf $DIR debian/libjackrabbit-java.poms0000664000000000000000000000467312772261562013616 0ustar # List of POM files for the package # Format of this file is: # [option]* # where option can be: # --ignore: ignore this POM and its artifact if any # --ignore-pom: don't install the POM. To use on POM files that are created # temporarily for certain artifacts such as Javadoc jars. [mh_install, mh_installpoms] # --no-parent: remove the tag from the POM # --package=: an alternative package to use when installing this POM # and its artifact # --has-package-version: to indicate that the original version of the POM is the same as the upstream part # of the version for the package. # --keep-elements=: a list of XML elements to keep in the POM # during a clean operation with mh_cleanpom or mh_installpom # --artifact=: path to the build artifact associated with this POM, # it will be installed when using the command mh_install. [mh_install] # --java-lib: install the jar into /usr/share/java to comply with Debian # packaging guidelines # --usj-name=: name to use when installing the library in /usr/share/java # --usj-version=: version to use when installing the library in /usr/share/java # --no-usj-versionless: don't install the versionless link in /usr/share/java # --dest-jar=: the destination for the real jar. # It will be installed with mh_install. [mh_install] # --classifier=: Optional, the classifier for the jar. Empty by default. # --site-xml=: Optional, the location for site.xml if it needs to be installed. # Empty by default. 
[mh_install] # pom.xml --no-parent --has-package-version jackrabbit-parent/pom.xml --has-package-version jackrabbit-api/pom.xml --ignore jackrabbit-jcr-commons/pom.xml --ignore jackrabbit-jcr-tests/pom.xml --ignore jackrabbit-core/pom.xml --ignore jackrabbit-webdav/pom.xml --has-package-version --artifact=jackrabbit-webdav/target/jackrabbit-webdav-*.jar --java-lib jackrabbit-jcr-server/pom.xml --ignore jackrabbit-jcr-rmi/pom.xml --ignore jackrabbit-jcr-servlet/pom.xml --ignore jackrabbit-webapp/pom.xml --ignore jackrabbit-jca/pom.xml --ignore jackrabbit-spi/pom.xml --ignore jackrabbit-spi-commons/pom.xml --ignore jackrabbit-jcr2spi/pom.xml --ignore jackrabbit-spi2jcr/pom.xml --ignore jackrabbit-spi2dav/pom.xml --ignore jackrabbit-jcr2dav/pom.xml --ignore jackrabbit-jcr-client/pom.xml --ignore jackrabbit-bundle/pom.xml --ignore jackrabbit-standalone/pom.xml --ignore debian/maven.rules0000664000000000000000000000256412772261562011373 0ustar # Maven rules - transform Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # - a regular expression of the form s/match/replace/ # in this case, elements that match are transformed using # the regex rule. 
# All elements must match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., replacing the version with 3.x # junit junit jar s/3\\..*/3.x/ commons-collections commons-collections jar s/3\..*/3.x/ * * commons-httpclient commons-httpclient jar s/3\..*/3.x/ * * junit junit jar s/4\..*/4.x/ * * org.apache apache pom s/.*/debian/ * * org.apache.felix maven-bundle-plugin maven-plugin s/.*/2.3.5/ * * org.apache.jackrabbit jackrabbit-parent pom s/.*/debian/ * * org.apache.jackrabbit jackrabbit-webdav bundle s/.*/debian/ * * org.apache.jackrabbit jackrabbit pom s/.*/debian/ * * s/easymock/org.easymock/ easymock * s/.*/debian/ * * org.mortbay.jetty * * s/6\..*/6.x/ * * debian/source/0000775000000000000000000000000012772261562010502 5ustar debian/source/format0000664000000000000000000000001412772261562011710 0ustar 3.0 (quilt) debian/rules0000775000000000000000000000120312772261562010256 0ustar #!/usr/bin/make -f DEB_SOURCE_PACKAGE := $(shell dpkg-parsechangelog | grep '^Source:' | cut -f 2 -d ' ') DEB_UPSTREAM_VERSION := $(shell dpkg-parsechangelog | egrep '^Version:' | cut -f 2 -d ' ' | cut -d: -f2- | sed 's/-[^-]*$$//') export JAVA_HOME=/usr/lib/jvm/default-java export CLASSPATH=$(shell for jar in `cat debian/build-classpath`; do if [ -f "$$jar" ]; then echo -n "$${jar}:"; fi; done) export ANT_ARGS=-Dbasedir=$(realpath .) -Dpackage=$(DEB_SOURCE_PACKAGE) -f debian/build.xml %: dh $@ --buildsystem=ant --with maven_repo_helper get-orig-source: uscan --download-version $(DEB_UPSTREAM_VERSION) --force-download --rename debian/README.source0000664000000000000000000000023212772261562011356 0ustar Information about jackrabbit ------------------------------ This package was debianized using the mh_make command from the maven-debian-helper package. 
debian/libjackrabbit-java.README.Debian0000664000000000000000000000061312772261562014744 0ustar Jackrabbit package for Debian ============================= IMPORTANT NOTE: This package does not yet contain the full Apache Jackrabbit stack, only the jackrabbit-webdav module for Maven usage. All other modules depend on the JCR API (JSR 170 and 283), which is licensed under a non-DFSG-compliant license. For the full history, please have a look at #573482 debian/compat0000664000000000000000000000000212772261562010400 0ustar 7 debian/maven.ignoreRules0000664000000000000000000000476212772261562012531 0ustar # Maven ignore rules - ignore some Maven dependencies and plugins # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. 
For example, using * on the # position of the artifact field will match any artifact id # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., this dependency is then removed # from the POM # junit junit jar s/3\\..*/3.x/ org.apache.jackrabbit jackrabbit-api bundle * * * org.apache.jackrabbit jackrabbit-bundle bundle * * * org.apache.jackrabbit jackrabbit-core jar * * * org.apache.jackrabbit jackrabbit-jca rar * * * org.apache.jackrabbit jackrabbit-jcr-client jar * * * org.apache.jackrabbit jackrabbit-jcr-commons bundle * * * org.apache.jackrabbit jackrabbit-jcr-rmi bundle * * * org.apache.jackrabbit jackrabbit-jcr-server bundle * * * org.apache.jackrabbit jackrabbit-jcr-servlet jar * * * org.apache.jackrabbit jackrabbit-jcr-tests jar * * * org.apache.jackrabbit jackrabbit-jcr2dav jar * * * org.apache.jackrabbit jackrabbit-jcr2spi bundle * * * org.apache.jackrabbit jackrabbit-spi-commons bundle * * * org.apache.jackrabbit jackrabbit-spi2dav jar * * * org.apache.jackrabbit jackrabbit-spi2jcr jar * * * org.apache.jackrabbit jackrabbit-spi bundle * * * org.apache.jackrabbit jackrabbit-standalone bundle * * * org.apache.jackrabbit jackrabbit-webapp war * * * ch.qos.logback logback-classic * * * * junit junit * * * * org.apache.maven.plugins maven-checkstyle-plugin * * * * org.apache.maven.plugins maven-deploy-plugin * * * * org.apache.maven.plugins maven-eclipse-plugin * * * * org.apache.maven.plugins maven-failsafe-plugin * * * * org.apache.maven.plugins maven-idea-plugin * * * * org.apache.maven.plugins maven-javadoc-plugin * * * * org.apache.maven.plugins maven-jxr-plugin * * * * org.apache.maven.plugins maven-pmd-plugin * * * * org.apache.maven.plugins maven-release-plugin * * * * org.apache.maven.plugins maven-surefire-plugin * * * * org.apache.maven.plugins maven-surefire-report-plugin * * * * org.apache.rat apache-rat-plugin * * * * org.codehaus.mojo 
clirr-maven-plugin * * * * org.codehaus.mojo cobertura-maven-plugin * * * * org.codehaus.mojo findbugs-maven-plugin * * * * debian/maven.publishedRules0000664000000000000000000000164212772261562013227 0ustar # Maven published rules - additional rules to publish, to help # the packaging work of Debian maintainers using mh_make # Format of this file is: # [group] [artifact] [type] [version] [classifier] [scope] # where each element can be either # - the exact string, for example org.apache for the group, or 3.1 # for the version. In this case, the element is simply matched # and left as it is # - * (the star character, alone). In this case, anything will # match and be left as it is. For example, using * on the # position of the artifact field will match any artifact id # - a regular expression of the form s/match/replace/ # in this case, elements that match are transformed using # the regex rule. # All elements much match before a rule can be applied # Example rule: match jar with groupid= junit, artifactid= junit # and version starting with 3., replacing the version with 3.x # junit junit jar s/3\\..*/3.x/ debian/build-classpath0000664000000000000000000000021412772261562012201 0ustar /usr/share/java/slf4j-api.jar /usr/share/java/servlet-api-2.5.jar /usr/share/java/commons-httpclient.jar /usr/share/java/bnd.annotation.jar debian/orig-tar.exclude0000664000000000000000000000031512772261562012300 0ustar *.jar *.class jackrabbit-core/src/test/resources/org/apache/jackrabbit/core/query/test.rtf jackrabbit-core/src/test/resources/compatibility.zip jackrabbit-core/src/test/repository/workspaces/index-format-*debian/control0000664000000000000000000000227112772261562010607 0ustar Source: jackrabbit Section: java Priority: optional Maintainer: Debian Java Maintainers Uploaders: Damien Raude-Morvan Build-Depends: ant-optional, bnd, debhelper (>= 7), default-jdk, libapache-pom-java, libcommons-httpclient-java, libservlet2.5-java, libslf4j-java, maven-ant-helper, 
maven-repo-helper (>= 1.5~) Standards-Version: 3.9.2 Vcs-Git: git://git.debian.org/git/pkg-java/jackrabbit.git Vcs-Browser: http://git.debian.org/?p=pkg-java/jackrabbit.git Homepage: http://jackrabbit.apache.org/ Package: libjackrabbit-java Architecture: all Depends: libapache-pom-java, libcommons-httpclient-java, libservlet2.5-java, libslf4j-java, ${misc:Depends} Description: content repository implementation (JCR API) Apache Jackrabbit is content repository implementation of JSR 170 and 283 standards, the Content Repository for Java Technology API. . NOTE: This package doesn't contains yet full Apache Jackrabbit stack but just jackrabbit-webdav module for Maven usage.