
cxf-3.1.6-5.mga6.src.rpm

diff -Nru apache-cxf-3.1.6-src/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AbstractAtomProvider.java apache-cxf-3.1.6-src.CVE-2016-8739/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AbstractAtomProvider.java
--- apache-cxf-3.1.6-src/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AbstractAtomProvider.java	2016-03-23 18:30:27.000000000 +0100
+++ apache-cxf-3.1.6-src.CVE-2016-8739/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AbstractAtomProvider.java	2016-12-21 16:35:46.840033631 +0100
@@ -30,6 +30,7 @@
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.ext.MessageBodyReader;
 import javax.ws.rs.ext.MessageBodyWriter;
+import javax.xml.stream.XMLStreamReader;
 
 import org.apache.abdera.Abdera;
 import org.apache.abdera.model.Document;
@@ -39,6 +40,7 @@
 import org.apache.abdera.writer.Writer;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.utils.ExceptionUtils;
+import org.apache.cxf.staxutils.StaxUtils;
 
 public abstract class AbstractAtomProvider<T extends Element> 
     implements MessageBodyWriter<T>, MessageBodyReader<T> {
@@ -91,7 +93,8 @@
                 options.setAutodetectCharset(autodetectCharset);
             }
         }
-        Document<T> doc = parser.parse(is);
+        XMLStreamReader reader = StaxUtils.createXMLStreamReader(is);
+        Document<T> doc = parser.parse(reader);
         return doc.getRoot();
     }
 
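Review bot: The added `StaxUtils.createXMLStreamReader(is)` line is the whole security fix, yet nothing at the call site says so, and a later cleanup could fold it back into `parser.parse(is)`, handing DOCTYPE processing of an untrusted Atom payload back to Abdera's own parser setup. I would put a comment above it such as `// Build the reader with CXF's StaxUtils so DTD/entity handling follows CXF's StAX configuration rather than Abdera's defaults (CVE-2016-8739).` The context line `options.setAutodetectCharset(autodetectCharset);` just above also looks affected: once the parser receives a pre-built `XMLStreamReader`, that option presumably no longer influences decoding, so confirm whether the property should be kept or documented as ineffective. The method begins outside this hunk, so the surrounding option handling is only partly visible.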
diff -Nru apache-cxf-3.1.6-src/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProviderTest.java apache-cxf-3.1.6-src.CVE-2016-8739/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProviderTest.java
--- apache-cxf-3.1.6-src/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProviderTest.java	2016-03-23 18:30:27.000000000 +0100
+++ apache-cxf-3.1.6-src.CVE-2016-8739/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProviderTest.java	2016-12-21 16:38:22.312961598 +0100
@@ -146,7 +146,26 @@
         assertEquals("a", book.getName());
     }
     
-    
+    @Test
+    public void testReadEntryNoBuilders2() throws Exception {
+        final String entry = 
+            "<!DOCTYPE entry SYSTEM \"entry://entry\"><entry xmlns=\"http://www.w3.org/2005/Atom\">"
+            + "<title type=\"text\">a</title>"
+            + "<content type=\"application/xml\">"
+            + "<book xmlns=\"\">"
+            + "<name>a</name>"
+            + "</book>"
+            + "</content>"
+            + "</entry>";
+        AtomPojoProvider provider = new AtomPojoProvider();
+        ByteArrayInputStream bis = new ByteArrayInputStream(entry.getBytes());
+        MediaType mt = MediaType.valueOf("application/atom+xml;type=entry");
+        @SuppressWarnings({"unchecked", "rawtypes" })
+        Book book = (Book)provider.readFrom((Class)Book.class, Book.class, 
+                                            new Annotation[]{}, mt, null, bis);
+        assertEquals("a", book.getName());
+    }
+
     @Test
     public void testReadFeedWithBuilders() throws Exception {
         AtomPojoProvider provider = (AtomPojoProvider)ctx.getBean("atom4");
@@ -178,7 +197,26 @@
         assertTrue("a".equals(list.get(0).getName()) || "a".equals(list.get(1).getName()));
         assertTrue("b".equals(list.get(0).getName()) || "b".equals(list.get(1).getName()));        
     }
-     
+
+    @Test
+    public void testReadFeedWithoutBuilders2() throws Exception {
+        AtomPojoProvider provider = new AtomPojoProvider();
+        final String feed = 
+            "<!DOCTYPE feed SYSTEM \"feed://feed\"><feed xmlns=\"http://www.w3.org/2005/Atom\">"
+            + "<entry><content type=\"application/xml\"><book xmlns=\"\"><name>a</name></book></content></entry>"
+            + "<entry><content type=\"application/xml\"><book xmlns=\"\"><name>b</name></book></content></entry>"
+            + "</feed>";
+        MediaType mt = MediaType.valueOf("application/atom+xml;type=feed");
+        ByteArrayInputStream bis = new ByteArrayInputStream(feed.getBytes());
+        @SuppressWarnings({"unchecked", "rawtypes" })
+        Books books2 = (Books)provider.readFrom((Class)Books.class, Books.class, 
+                                            new Annotation[]{}, mt, null, bis);
+        List<Book> list = books2.getBooks();
+        assertEquals(2, list.size());
+        assertTrue("a".equals(list.get(0).getName()) || "a".equals(list.get(1).getName()));
+        assertTrue("b".equals(list.get(0).getName()) || "b".equals(list.get(1).getName()));
+    }
+
     @Test
     public void testReadEntryNoContent() throws Exception {
         /** A sample entry without content. */