[
https://issues.apache.org/jira/browse/LUCENE-5072?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13691419#comment-13691419
]
Uwe Schindler edited comment on LUCENE-5072 at 6/27/13 9:56 AM:
----------------------------------------------------------------
For all other projects that use ANT and want to fix the javadocs directly after
execution of Ant's Javadoc task: Just copy the following Ant macro into your
project and invoke it directly after <javadoc/>:
{code:xml}
<!--
Patch frame injection bugs in javadoc generated files - see CVE-2013-1571,
http://www.kb.cert.org/vuls/id/225657
Feel free to use this macro in your own Ant build file. This macro works
together with the javadoc task on Ant
and should be invoked directly after its execution to patch broken
javadocs, e.g.:
<patch-javadoc dir="..." docencoding="UTF-8"/>
Please make sure that the docencoding parameter uses the same charset like
javadoc's docencoding. Default
is the platform default encoding (like the javadoc task).
The specified dir is the destination directory of the javadoc task.
-->
<macrodef name="patch-javadoc">
<attribute name="dir"/>
<attribute name="docencoding" default="${file.encoding}"/>
<sequential>
<replace encoding="@{docencoding}" summary="true"
taskname="patch-javadoc">
<fileset dir="@{dir}" casesensitive="false"
includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm">
<!-- TODO: add encoding="@{docencoding}" to contains check, when we
are on ANT 1.9.0: -->
<not><contains text="function validURL(url) {" casesensitive="true"
/></not>
</fileset>
<replacetoken><![CDATA[function loadFrames() {]]></replacetoken>
<replacevalue expandProperties="false"><![CDATA[if (targetPage != "" &&
!validURL(targetPage))
targetPage = "undefined";
function validURL(url) {
var pos = url.indexOf(".html");
if (pos == -1 || pos != url.length - 5)
return false;
var allowNumber = false;
var allowSep = false;
var seenDot = false;
for (var i = 0; i < url.length - 5; i++) {
var ch = url.charAt(i);
if ('a' <= ch && ch <= 'z' ||
'A' <= ch && ch <= 'Z' ||
ch == '$' ||
ch == '_') {
allowNumber = true;
allowSep = true;
} else if ('0' <= ch && ch <= '9'
|| ch == '-') {
if (!allowNumber)
return false;
} else if (ch == '/' || ch == '.') {
if (!allowSep)
return false;
allowNumber = false;
allowSep = false;
if (ch == '.')
seenDot = true;
if (ch == '/' && seenDot)
return false;
} else {
return false;
}
}
return true;
}
function loadFrames() {]]></replacevalue>
</replace>
</sequential>
</macrodef>
{code}
was (Author: thetaphi):
For all other projects that use ANT and want to fix the javadocs directly
after execution of Ant's Javadoc task: Just copy the following Ant macro into
your project and invoke it directly after <javadoc/>:
{code:xml}
<!--
Patch frame injection bugs in javadoc generated files - see CVE-2013-1571,
http://www.kb.cert.org/vuls/id/225657
Feel free to use this macro in your own Ant build file. This macro works
together with the javadoc task on Ant
and should be invoked directly after its execution to patch broken
javadocs, e.g.:
<patch-javadoc dir="..." docencoding="UTF-8"/>
Please make sure that the docencoding parameter uses the same charset like
javadoc's docencoding. Default
is the platform default encoding (like the javadoc task).
The specified dir is the destination directory of the javadoc task.
-->
<macrodef name="patch-javadoc">
<attribute name="dir"/>
<attribute name="docencoding" default="${file.encoding}"/>
<sequential>
<replace encoding="@{docencoding}" summary="true"
taskname="patch-javadoc">
<restrict>
<fileset dir="@{dir}" casesensitive="false"
includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm"/>
<!-- TODO: add encoding="@{docencoding}" to contains check, when we
are on ANT 1.9.0: -->
<not><contains text="function validURL(url) {" casesensitive="true"
/></not>
</restrict>
<replacetoken><![CDATA[function loadFrames() {]]></replacetoken>
<replacevalue expandProperties="false"><![CDATA[if (targetPage != "" &&
!validURL(targetPage))
targetPage = "undefined";
function validURL(url) {
var pos = url.indexOf(".html");
if (pos == -1 || pos != url.length - 5)
return false;
var allowNumber = false;
var allowSep = false;
var seenDot = false;
for (var i = 0; i < url.length - 5; i++) {
var ch = url.charAt(i);
if ('a' <= ch && ch <= 'z' ||
'A' <= ch && ch <= 'Z' ||
ch == '$' ||
ch == '_') {
allowNumber = true;
allowSep = true;
} else if ('0' <= ch && ch <= '9'
|| ch == '-') {
if (!allowNumber)
return false;
} else if (ch == '/' || ch == '.') {
if (!allowSep)
return false;
allowNumber = false;
allowSep = false;
if (ch == '.')
seenDot = true;
if (ch == '/' && seenDot)
return false;
} else {
return false;
}
}
return true;
}
function loadFrames() {]]></replacevalue>
</replace>
</sequential>
</macrodef>
{code}
> Fix frame injection bug in javadocs generated with Java 6 (and Java 7 prior
> u25)
> --------------------------------------------------------------------------------
>
> Key: LUCENE-5072
> URL: https://issues.apache.org/jira/browse/LUCENE-5072
> Project: Lucene - Core
> Issue Type: Bug
> Components: general/build
> Affects Versions: 4.3.1
> Reporter: Uwe Schindler
> Assignee: Uwe Schindler
> Fix For: 5.0, 4.4
>
> Attachments: LUCENE-5072.patch, LUCENE-5072.patch, LUCENE-5072.patch,
> LUCENE-5072.patch
>
>
> The Apache Infra / Security team posted to all committers:
> {quote}
> Hi All,
> Oracle has announced [1], [2] a frame injection vulnerability in Javadoc
> generated by Java 5, Java 6 and Java 7 before update 22.
> [...]
> Please take the necessary steps to fix any currently published Javadoc and to
> ensure that any future Javadoc published by your project does not contain the
> vulnerability. The announcement by Oracle includes a link to a tool that can
> be used to fix Javadoc without regeneration.
> The infrastructure team is investigating options for preventing the
> publication of vulnerable Javadoc.
> The issue is public and may be discussed freely on your project's dev list.
> Thanks,
> Mark (ASF Infra)
> {quote}
> I fixed all published Javadocs on http://lucene.apache.org (for all historic
> releases where we have public available Javadocs on the web page).
> The mail also notes that we should not publish javadocs with this javadocs
> problem in the future. Unfortunately the release manager has to use the
> latest Java 7u25 version (released 2 days) ago. This would be fine for Lucene
> trunk (which is Java 7 only).
> But when we generate Javadocs JARs for Lucene 3 and 4, we cannot use Java 7
> (to build the official release) because the javadocs would contain e.g.
> AutoCloaseable interface unless we use a JDK 6 or 5 bootclasspath (like we do
> for web pages).
> We also want the lucene/solr-*-javadoc.jar files to be correct, but those are
> built with Java 5 (3.x) or Java 6 (4.x).
> Unfortunately Oracle does not relaese a newer JDK 5 or JDK 6, so its
> impossible to do a release.
> But Oracle publishes the binary and source code of a "fix tool", that can be
> run on top of a tree of HTML files, patching all broken files (and only
> those). You can run it theoretically on the root folder of your harddisk - I
> did this on the whole lucene.apache.org web site.
> Robert Muir and I were looking for a IVY-compatible solution (the original
> Oracle tool cannot be automatically downloaded by IVY, as Oracle's website
> sets cookies and requests license confirmations). We found the following
> GITHUB project by olamy/karianna:
> https://github.com/AdoptOpenJDK/JavadocUpdaterTool
> As soon as they release the JAR file officially on Maven, we can download it
> with IVY and use it. This is a Maven Plugin, but it still contains the
> original source code of Oracle's tool, so we can execute it as ANT task after
> loading the JAR with IVY's coordinates: {{<java fork="false" class="..."/>}}
> In the GITHUB project description they note that you need JDK7 to use the
> tool, but this is no longer true, the -source/-target is Java 5 now, so we
> can run it easily.
> I will add the required tasks in common-build.xml's javadoc macro so it
> post-processes all javadocs and patches vulnerable files. If you build
> javadocs with a recent JDK, it would do nothing.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
