java-packages/jgit
SHA256
6
0
Fork 0
forked from pool/jgit
Code Pull Requests Activity
Files
main
jgit/jgit-CVE-2025-4949.patch

64 lines
3.0 KiB
Diff
Raw Permalink Blame History

diff -urEbwB jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java
--- jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java 2025-06-25 16:24:04.047615423 +0200
+++ jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/gitrepo/ManifestParser.java 2025-06-25 16:44:36.017221393 +0200
@@ -24,6 +24,9 @@
import java.util.Map;
import java.util.Set;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+
import org.eclipse.jgit.annotations.NonNull;
import org.eclipse.jgit.api.errors.GitAPIException;
import org.eclipse.jgit.gitrepo.RepoProject.CopyFile;
@@ -137,8 +140,12 @@
xmlInRead++;
final XMLReader xr;
try {
- xr = XMLReaderFactory.createXMLReader();
- } catch (SAXException e) {
+ SAXParserFactory spf = SAXParserFactory.newInstance();
+ spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ xr = spf.newSAXParser().getXMLReader();
+ } catch (SAXException | ParserConfigurationException e) {
throw new IOException(JGitText.get().noXMLParserAvailable, e);
}
xr.setContentHandler(this);
diff -urEbwB jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java
--- jgit-5.11.0.202103091610-r.orig/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java 2025-06-25 16:24:04.059648144 +0200
+++ jgit-5.11.0.202103091610-r/org.eclipse.jgit/src/org/eclipse/jgit/transport/AmazonS3.java 2025-06-25 16:43:58.800496097 +0200
@@ -50,6 +50,8 @@
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
import org.eclipse.jgit.internal.JGitText;
import org.eclipse.jgit.lib.Constants;
@@ -683,8 +685,20 @@
final XMLReader xr;
try {
- xr = XMLReaderFactory.createXMLReader();
- } catch (SAXException e) {
+ SAXParserFactory saxParserFactory = SAXParserFactory
+ .newInstance();
+ saxParserFactory.setNamespaceAware(true);
+ saxParserFactory.setFeature(
+ "http://xml.org/sax/features/external-general-entities", //$NON-NLS-1$
+ false);
+ saxParserFactory.setFeature(
+ "http://xml.org/sax/features/external-parameter-entities", //$NON-NLS-1$
+ false);
+ saxParserFactory.setFeature(
+ "http://apache.org/xml/features/disallow-doctype-decl", //$NON-NLS-1$
+ true);
+ xr = saxParserFactory.newSAXParser().getXMLReader();
+ } catch (SAXException | ParserConfigurationException e) {
throw new IOException(
JGitText.get().noXMLParserAvailable, e);
}
View Git Blame Copy Permalink