Bug 518031 - XML External Entity Vulnerability in Eclipse IDE
Ensure XML processors are configured to use
XMLConstants.FEATURE_SECURE_PROCESSING=true
to avoid accessing external DTDs and expanding external entities.
(Backport to 4.7)
Change-Id: Icabb6e0d55dd546a66ad506cde7e24a996484f1a
Signed-off-by: Brian de Alwis <bsd@mt.ca>
Signed-off-by: Thomas Watson <tjwatson@us.ibm.com>
diff --git a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
index 8e7fae4..a8cf92c 100644
--- a/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
+++ b/bundles/org.eclipse.equinox.p2.artifact.repository/src/org/eclipse/equinox/internal/p2/artifact/repository/MirrorSelector.java
@@ -24,8 +24,7 @@
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.internal.p2.repository.DownloadStatus;
import org.eclipse.equinox.internal.p2.repository.Transport;
import org.eclipse.equinox.p2.repository.IRepository;
@@ -266,7 +265,7 @@
}
mirrorsURL = mirrorsURL + "countryCode=" + countryCode + "&timeZone=" + timeZone + "&format=xml"; //$NON-NLS-1$ //$NON-NLS-2$ //$NON-NLS-3$
- DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document document = null;
// Use Transport to read the mirrors list (to benefit from proxy support, authentication, etc)
@@ -292,7 +291,7 @@
|| mirrorsURL.startsWith("https://") //$NON-NLS-1$
|| mirrorsURL.startsWith("file://") //$NON-NLS-1$
|| mirrorsURL.startsWith("ftp://") //$NON-NLS-1$
- || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
+ || mirrorsURL.startsWith("jar://"))) //$NON-NLS-1$
log("Error processing mirrors URL: " + mirrorsURL, e); //$NON-NLS-1$
return null;
}
diff --git a/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
index 4c3a8fb..18590e9 100644
--- a/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.core/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.core;singleton:=true
-Bundle-Version: 2.4.100.qualifier
+Bundle-Version: 2.4.101.qualifier
Bundle-ClassPath: .
Bundle-Activator: org.eclipse.equinox.internal.p2.core.Activator
Bundle-Vendor: %providerName
diff --git a/bundles/org.eclipse.equinox.p2.core/pom.xml b/bundles/org.eclipse.equinox.p2.core/pom.xml
index a4c2ecb..3d2761a 100644
--- a/bundles/org.eclipse.equinox.p2.core/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.core/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.core</artifactId>
- <version>2.4.100-SNAPSHOT</version>
+ <version>2.4.101-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
new file mode 100644
index 0000000..4a0fc45
--- /dev/null
+++ b/bundles/org.eclipse.equinox.p2.core/src/org/eclipse/equinox/internal/p2/core/helpers/SecureXMLUtil.java
@@ -0,0 +1,75 @@
+/*******************************************************************************
+ * Copyright (c) 20017 Manumitting Technologies Inc and others.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Contributors:
+ * Manumitting Technologies Inc - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.equinox.internal.p2.core.helpers;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.*;
+import org.eclipse.core.runtime.IStatus;
+import org.eclipse.core.runtime.Status;
+import org.eclipse.equinox.internal.p2.core.Activator;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLReader;
+import org.xml.sax.helpers.XMLReaderFactory;
+
+/**
+ * A utility class for processing XML data in a secure fashion,
+ * avoiding XML Entity Expansion problems
+ */
+public class SecureXMLUtil {
+ /**
+ * Create a new {@link DocumentBuilderFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static DocumentBuilderFactory newSecureDocumentBuilderFactory() {
+ DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link SAXParserFactory} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static SAXParserFactory newSecureSAXParserFactory() {
+ SAXParserFactory factory = SAXParserFactory.newInstance();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ try {
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
+ }
+
+ /**
+ * Create a new {@link XMLReader} suitable for processing
+ * XML data from possibly malicious sources. For example, data retrieved
+ * from remote p2 metadata and artifacts repositories.
+ */
+ public static XMLReader newSecureXMLReader() throws SAXException {
+ XMLReader reader = XMLReaderFactory.createXMLReader();
+ try {
+ reader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return reader;
+ }
+}
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
index 2d139b6..ad98f49 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %Bundle-Name
Bundle-SymbolicName: org.eclipse.equinox.p2.discovery.compatibility;singleton:=true
-Bundle-Version: 1.0.200.qualifier
+Bundle-Version: 1.0.201.qualifier
Bundle-Vendor: %Bundle-Vendor
Bundle-RequiredExecutionEnvironment: J2SE-1.5
Require-Bundle: org.eclipse.core.runtime;bundle-version="3.3.0",
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml b/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
index b580d47..537d3ba 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/pom.xml
@@ -19,6 +19,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.discovery.compatibility</artifactId>
- <version>1.0.200-SNAPSHOT</version>
+ <version>1.0.201-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java b/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
index 251b721..98ec852 100644
--- a/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
+++ b/bundles/org.eclipse.equinox.p2.discovery.compatibility/src/org/eclipse/equinox/internal/p2/discovery/compatibility/DirectoryParser.java
@@ -13,12 +13,12 @@
import java.io.IOException;
import java.io.Reader;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.discovery.compatibility.Directory.Entry;
import org.eclipse.equinox.internal.p2.discovery.compatibility.util.DefaultSaxErrorHandler;
import org.eclipse.equinox.internal.p2.discovery.compatibility.util.IOWithCauseException;
import org.eclipse.osgi.util.NLS;
import org.xml.sax.*;
-import org.xml.sax.helpers.XMLReaderFactory;
/**
* A parser for {@link Directory directories}.
@@ -38,7 +38,7 @@
public Directory parse(Reader directoryContents) throws IOException {
XMLReader xmlReader;
try {
- xmlReader = XMLReaderFactory.createXMLReader();
+ xmlReader = SecureXMLUtil.newSecureXMLReader();
} catch (SAXException e) {
throw new IOWithCauseException(e.getMessage(), e);
}
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
index 06c6ee6..b8fdf10 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.metadata.repository;singleton:=true
-Bundle-Version: 1.2.400.qualifier
+Bundle-Version: 1.2.401.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.metadata.repository.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
index b2d98ee..0ea826c 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/pom.xml
@@ -19,6 +19,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.metadata.repository</artifactId>
- <version>1.2.400-SNAPSHOT</version>
+ <version>1.2.401-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
index 63ace18..cd7b020 100644
--- a/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
+++ b/bundles/org.eclipse.equinox.p2.metadata.repository/src/org/eclipse/equinox/p2/metadata/io/IUDeserializer.java
@@ -15,6 +15,7 @@
import java.util.Arrays;
import java.util.Collection;
import javax.xml.parsers.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.metadata.repository.io.MetadataParser;
import org.eclipse.equinox.internal.p2.persistence.Messages;
import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -33,7 +34,7 @@
* Construct a new instance of the deserializer.
*/
public IUDeserializer() {
- deserializer = new IUDeserializerParser(SAXParserFactory.newInstance());
+ deserializer = new IUDeserializerParser(SecureXMLUtil.newSecureSAXParserFactory());
}
/**
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
index 3b28e9f..57a3105 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %bundleName
Bundle-SymbolicName: org.eclipse.equinox.p2.publisher.eclipse;singleton:=true
-Bundle-Version: 1.2.200.qualifier
+Bundle-Version: 1.2.201.qualifier
Bundle-Activator: org.eclipse.pde.internal.publishing.Activator
Bundle-ActivationPolicy: lazy
Bundle-Vendor: %providerName
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml b/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
index 00d1641..69281b2 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/pom.xml
@@ -10,6 +10,6 @@
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.publisher.eclipse</artifactId>
- <version>1.2.200-SNAPSHOT</version>
+ <version>1.2.201-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
index 955bf2f..e5274dd 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/FeatureManifestParser.java
@@ -19,6 +19,7 @@
import java.util.List;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.p2.metadata.VersionRange;
import org.eclipse.equinox.p2.publisher.eclipse.Feature;
import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -33,7 +34,7 @@
*/
public class FeatureManifestParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private SAXParser parser;
protected Feature result;
private URL url;
diff --git a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
index 2f89f04..bfe9c25 100644
--- a/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
+++ b/bundles/org.eclipse.equinox.p2.publisher.eclipse/src/org/eclipse/equinox/internal/p2/publisher/eclipse/ProductFile.java
@@ -25,8 +25,7 @@
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
import org.eclipse.equinox.frameworkadmin.BundleInfo;
-import org.eclipse.equinox.internal.p2.core.helpers.ServiceHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.URLUtil;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.metadata.IVersionedId;
import org.eclipse.equinox.p2.metadata.VersionedId;
import org.eclipse.equinox.p2.publisher.eclipse.FeatureEntry;
@@ -67,7 +66,7 @@
private static final String PROPERTY_ECLIPSE_APPLICATION = "eclipse.application"; //$NON-NLS-1$
private static final String PROPERTY_ECLIPSE_PRODUCT = "eclipse.product"; //$NON-NLS-1$
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private static final String PROGRAM_ARGS = "programArgs"; //$NON-NLS-1$
private static final String PROGRAM_ARGS_LINUX = "programArgsLin"; //$NON-NLS-1$
diff --git a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
index 6c8562e..212c76c 100644
--- a/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.repository/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.repository;singleton:=true
-Bundle-Version: 2.3.300.qualifier
+Bundle-Version: 2.3.301.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.repository.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.repository/pom.xml b/bundles/org.eclipse.equinox.p2.repository/pom.xml
index ad34fe5..28a60bf 100644
--- a/bundles/org.eclipse.equinox.p2.repository/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.repository/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.repository</artifactId>
- <version>2.3.300-SNAPSHOT</version>
+ <version>2.3.301-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
index abc7032..b0c84f8 100644
--- a/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
+++ b/bundles/org.eclipse.equinox.p2.repository/src/org/eclipse/equinox/internal/p2/persistence/XMLParser.java
@@ -15,8 +15,7 @@
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
import org.eclipse.equinox.internal.p2.core.Activator;
-import org.eclipse.equinox.internal.p2.core.helpers.OrderedProperties;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.metadata.Version;
import org.eclipse.equinox.p2.metadata.VersionRange;
import org.eclipse.osgi.util.NLS;
@@ -72,7 +71,16 @@
xmlTracker = new ServiceTracker<SAXParserFactory, SAXParserFactory>(context, SAXParserFactory.class, null);
xmlTracker.open();
}
- return xmlTracker.getService();
+ // FEATURE_SECURE_PROCESSING is documented as must be supported by all implementations
+ SAXParserFactory factory = xmlTracker.getService();
+ try {
+ factory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ } catch (SAXException e) {
+ LogHelper.log(new Status(IStatus.WARNING, Activator.ID, "Feature not supported", e)); //$NON-NLS-1$
+ }
+ return factory;
}
protected synchronized static void releaseXMLParsing() {
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
index b3688d8..dea7924 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.touchpoint.eclipse;singleton:=true
-Bundle-Version: 2.1.500.qualifier
+Bundle-Version: 2.1.501.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.touchpoint.eclipse.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
index 8a5ef79..3c8ae9f 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.touchpoint.eclipse</artifactId>
- <version>2.1.500-SNAPSHOT</version>
+ <version>2.1.501-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
index da32cc1..d5297eb 100644
--- a/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
+++ b/bundles/org.eclipse.equinox.p2.touchpoint.eclipse/src/org/eclipse/equinox/internal/p2/update/ConfigurationParser.java
@@ -16,6 +16,7 @@
import java.util.StringTokenizer;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.URIUtil;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.p2.core.ProvisionException;
import org.eclipse.osgi.util.NLS;
import org.w3c.dom.*;
@@ -177,7 +178,7 @@
*/
private Document load(InputStream input) throws ParserConfigurationException, IOException, SAXException {
// load the feature xml
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = SecureXMLUtil.newSecureDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
input = new BufferedInputStream(input);
try {
diff --git a/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
index 7e7a060..4511fcd 100644
--- a/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.ui/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %bundleName
Bundle-SymbolicName: org.eclipse.equinox.p2.ui;singleton:=true
-Bundle-Version: 2.5.0.qualifier
+Bundle-Version: 2.5.1.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.ui.ProvUIActivator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.ui/pom.xml b/bundles/org.eclipse.equinox.p2.ui/pom.xml
index d80f703..1ca1129 100644
--- a/bundles/org.eclipse.equinox.p2.ui/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.ui/pom.xml
@@ -19,6 +19,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.ui</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.5.1-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java b/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
index b0173c2..1926671 100644
--- a/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
+++ b/bundles/org.eclipse.equinox.p2.ui/src/org/eclipse/equinox/internal/p2/ui/UpdateManagerCompatibility.java
@@ -17,6 +17,7 @@
import java.util.Vector;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.ui.model.MetadataRepositoryElement;
import org.eclipse.equinox.p2.engine.IProvisioningPlan;
import org.eclipse.equinox.p2.metadata.IInstallableUnit;
@@ -41,7 +42,6 @@
// This value was copied from MetadataGeneratorHelper. Must be the same.
private static final String ECLIPSE_INSTALL_HANDLER_PROP = "org.eclipse.update.installHandler"; //$NON-NLS-1$
- private static final DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
private static void parse(String fileName, Vector<MetadataRepositoryElement> bookmarks) {
File file = new File(fileName);
@@ -49,6 +49,7 @@
return;
try {
+ DocumentBuilderFactory documentBuilderFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder parser = documentBuilderFactory.newDocumentBuilder();
Document doc = parser.parse(file);
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF b/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
index 69b7047..51a21af 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.equinox.p2.updatesite/META-INF/MANIFEST.MF
@@ -2,7 +2,7 @@
Bundle-ManifestVersion: 2
Bundle-Name: %pluginName
Bundle-SymbolicName: org.eclipse.equinox.p2.updatesite;singleton:=true
-Bundle-Version: 1.0.600.qualifier
+Bundle-Version: 1.0.601.qualifier
Bundle-Activator: org.eclipse.equinox.internal.p2.updatesite.Activator
Bundle-Vendor: %providerName
Bundle-Localization: plugin
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/pom.xml b/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
index ea87f73..8cd3b6a 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
+++ b/bundles/org.eclipse.equinox.p2.updatesite/pom.xml
@@ -9,6 +9,6 @@
</parent>
<groupId>org.eclipse.equinox</groupId>
<artifactId>org.eclipse.equinox.p2.updatesite</artifactId>
- <version>1.0.600-SNAPSHOT</version>
+ <version>1.0.601-SNAPSHOT</version>
<packaging>eclipse-plugin</packaging>
</project>
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
index 6871ab1..61501dc 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/CategoryParser.java
@@ -18,8 +18,7 @@
import java.util.*;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.publisher.eclipse.URLEntry;
import org.eclipse.equinox.p2.repository.IRepository;
import org.eclipse.equinox.p2.repository.spi.RepositoryReference;
@@ -32,7 +31,7 @@
* This class was initially copied from org.eclipse.update.core.model.DefaultSiteParser.
*/
public class CategoryParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private static final String PLUGIN_ID = Activator.ID;
private static final String ARCHIVE = "archive"; //$NON-NLS-1$
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
index be49727..47c2de7 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DefaultSiteParser.java
@@ -16,8 +16,7 @@
import java.util.*;
import javax.xml.parsers.*;
import org.eclipse.core.runtime.*;
-import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
-import org.eclipse.equinox.internal.p2.core.helpers.Tracing;
+import org.eclipse.equinox.internal.p2.core.helpers.*;
import org.eclipse.equinox.p2.publisher.eclipse.URLEntry;
import org.eclipse.osgi.util.NLS;
import org.w3c.dom.*;
@@ -42,7 +41,7 @@
private static final String BUNDLE = "bundle"; //$NON-NLS-1$
private static final String FEATURES = "features/"; //$NON-NLS-1$
private static final String PLUGINS = "plugins/"; //$NON-NLS-1$
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private static final String PLUGIN_ID = Activator.ID;
private static final String SITE = "site"; //$NON-NLS-1$
@@ -85,7 +84,7 @@
private static URLEntry[] getAssociateSites(String associateSitesURL) {
try {
- DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory domFactory = SecureXMLUtil.newSecureDocumentBuilderFactory();
DocumentBuilder builder = domFactory.newDocumentBuilder();
Document document = builder.parse(associateSitesURL);
if (document == null)
diff --git a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
index 86fabf2..b062065 100644
--- a/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
+++ b/bundles/org.eclipse.equinox.p2.updatesite/src/org/eclipse/equinox/internal/p2/updatesite/DigestParser.java
@@ -20,6 +20,7 @@
import org.eclipse.core.runtime.IStatus;
import org.eclipse.core.runtime.Status;
import org.eclipse.equinox.internal.p2.core.helpers.LogHelper;
+import org.eclipse.equinox.internal.p2.core.helpers.SecureXMLUtil;
import org.eclipse.equinox.internal.p2.publisher.eclipse.FeatureManifestParser;
import org.eclipse.equinox.p2.publisher.eclipse.Feature;
import org.eclipse.osgi.util.NLS;
@@ -34,7 +35,7 @@
*/
public class DigestParser extends DefaultHandler {
- private final static SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ private final static SAXParserFactory parserFactory = SecureXMLUtil.newSecureSAXParserFactory();
private SAXParser parser;
private final List<Feature> features = new ArrayList<Feature>();
private final FeatureManifestParser featureHandler = new FeatureManifestParser(false);
