LUCENE-5072: Automatically patch javadocs generated by JDK versions before 7u25 to work around the frame injection vulnerability (CVE-2013-1571, VU#225657)

git-svn-id: https://svn.apache.org/repos/asf/lucene/dev/trunk@1495954 13f79535-47bb-0310-9956-ffa450edef68
This commit is contained in:
Uwe Schindler 2013-06-24 08:36:45 +00:00
parent 6ae55f1417
commit 084d39ce19
2 changed files with 67 additions and 1 deletions

View File

@ -263,6 +263,10 @@ Build
forbidden-api signatures, and parts of resources folders. (Ryan Ernst, forbidden-api signatures, and parts of resources folders. (Ryan Ernst,
Uwe Schindler) Uwe Schindler)
* LUCENE-5072: Automatically patch javadocs generated by JDK versions
before 7u25 to work around the frame injection vulnerability (CVE-2013-1571,
VU#225657). (Uwe Schindler)
Tests Tests
* LUCENE-4901: TestIndexWriterOnJRECrash should work on any * LUCENE-4901: TestIndexWriterOnJRECrash should work on any

View File

@ -1816,7 +1816,69 @@ ${tests-output}/junit4-*.suites - per-JVM executed suites
</condition> </condition>
</fail> </fail>
<patch-javadoc dir="@{destdir}" docencoding="${javadoc.charset}"/>
</sequential>
</macrodef>
<!--
Patch frame injection bugs in javadoc generated files - see CVE-2013-1571, http://www.kb.cert.org/vuls/id/225657
Feel free to use this macro in your own Ant build file. This macro works together with the javadoc task on Ant
and should be invoked directly after its execution to patch broken javadocs, e.g.:
<patch-javadoc dir="..." docencoding="UTF-8"/>
Please make sure that the docencoding parameter uses the same charset like javadoc's docencoding. Default
is the platform default encoding (like the javadoc task).
The specified dir is the destination directory of the javadoc task.
-->
<macrodef name="patch-javadoc">
<attribute name="dir"/>
<attribute name="docencoding" default="${file.encoding}"/>
<sequential>
<replace encoding="@{docencoding}" summary="true" taskname="patch-javadoc">
<restrict>
<fileset dir="@{dir}" casesensitive="false" includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm"/>
<!-- TODO: add encoding="@{docencoding}" to contains check, when we are on ANT 1.9.0: -->
<not><contains text="function validURL(url) {" casesensitive="true" /></not>
</restrict>
<replacetoken><![CDATA[function loadFrames() {]]></replacetoken>
<replacevalue expandProperties="false"><![CDATA[if (targetPage != "" && !validURL(targetPage))
targetPage = "undefined";
function validURL(url) {
var pos = url.indexOf(".html");
if (pos == -1 || pos != url.length - 5)
return false;
var allowNumber = false;
var allowSep = false;
var seenDot = false;
for (var i = 0; i < url.length - 5; i++) {
var ch = url.charAt(i);
if ('a' <= ch && ch <= 'z' ||
'A' <= ch && ch <= 'Z' ||
ch == '$' ||
ch == '_') {
allowNumber = true;
allowSep = true;
} else if ('0' <= ch && ch <= '9'
|| ch == '-') {
if (!allowNumber)
return false;
} else if (ch == '/' || ch == '.') {
if (!allowSep)
return false;
allowNumber = false;
allowSep = false;
if (ch == '.')
seenDot = true;
if (ch == '/' && seenDot)
return false;
} else {
return false;
}
}
return true;
}
function loadFrames() {]]></replacevalue>
</replace>
</sequential> </sequential>
</macrodef> </macrodef>