Control: tags -1 patch
Please find a backport of the upstream commit attached.
Origin: upstream, f38f27635c384806c2a9d6500d80183d9f09d78b
From: Steve Waldman <
swaldman@mchange.com>
Date: Fri, 15 Mar 2019 22:29:39 -0700
Subject: Address more potential security concerns associated with the
possibility of adversarially constructed XML files, many thanks to Aaron
Massey at HackerOne.
---
--- a/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
+++ b/src/classes/com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java
@@ -147,10 +141,65 @@ public static C3P0Config extractXmlConfigFromDefaultResource( boolean expandEnti
}
}
+ private static void attemptSetFeature( DocumentBuilderFactory dbf, String featureUri, boolean setting )
+ {
+ try { dbf.setFeature( featureUri, setting ); }
+ catch (ParserConfigurationException e)
+ {
+ if ( logger.isLoggable( MLevel.FINE ) )
+ logger.log(MLevel.FINE, "Attempted but failed to set presumably unsupported feature '" + featureUri + "' to " + setting + ".");
+ }
+ }
+
+ // thanks to zhutougg on GitHub
https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
+ // let's address hazards associated with overliberal parsing of XML, CVE-2018-20433
+ //
+ // by default entity references will not be expanded, but callers can specify expansion if they wish (important
+ // to re