Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 #55

Merged
merged 2 commits into from
Mar 22, 2021
Merged

[JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 #55

merged 2 commits into from
Mar 22, 2021

Conversation

olamy
Copy link
Member

@olamy olamy commented Mar 18, 2021

No description provided.

olamy added 2 commits March 18, 2021 18:45
@olamy
[JENKINS-65161] get rid of commons-digester from core
2b40aa4 
Signed-off-by: olivier lamy <olamy@apache.org>
@olamy
commons-beanutils 1.9.3 as 1.9.4 cannot be use yet
6f8aa8e 
Signed-off-by: olivier lamy <olamy@apache.org>
@olamy olamy changed the title [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3" [JENKINS-65161] remove commons-digester2 from core and upgrade plugins to commons-digester3 Mar 18, 2021
@mrmoritz01 mrmoritz01 merged commit d034737 into jenkinsci:master Mar 22, 2021
@olamy olamy deleted the JENKINS-65161 branch March 22, 2021 20:45
@olamy
Copy link
Member Author

olamy commented Mar 24, 2021

jenkinsci/jenkins#5320

@jtnord jtnord mentioned this pull request Apr 29, 2021
Merged
10 tasks
@batmat
Copy link
Member

batmat commented Apr 30, 2021

Hi @mrmoritz01, thanks a lot for merging this PR :).
Would you be able to consider releasing this?

Thanks again!

@basil
Copy link
Member

basil commented Apr 30, 2021

Does this not introduce a security vulnerability? I don't see the XXE mitigations in this PR that I see in the other similar PRs.

@jtnord
Copy link
Member

jtnord commented Apr 30, 2021
edited
Loading

Does this not introduce a security vulnerability? I don't see the XXE mitigations in this PR that I see in the other similar PRs.

The plugin already had them ->

cvs-plugin/src/main/java/hudson/scm/CVSChangeLogSet.java

Lines 120 to 134 in 6f8aa8e

Digester digester = new Digester();
digester.setXIncludeAware(false);
if (!Boolean.getBoolean(CVSChangeLogParser.class.getName() + ".UNSAFE")) {
try {
digester.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
digester.setFeature("http://xml.org/sax/features/external-general-entities", false);
digester.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
digester.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
}
catch (ParserConfigurationException ex) {
throw new SAXException("Failed to securely configure CVS changelog parser", ex);
}
}

@basil
Copy link
Member

basil commented Apr 30, 2021

Phew, sorry for the false alarm.

@batmat
Copy link
Member

batmat commented Apr 30, 2021

Better safe than sorry, thanks for cross-checking Basil!

@mrmoritz01
Copy link
Contributor

@batmat This is released in cvs-plugin 2.19 now.

basil added a commit to basil/jep that referenced this pull request May 25, 2021
@basil
Noting the release of jenkinsci/cvs-plugin#55, jenkinsci/vectorcast-c…
e7f0c2f 
…overage-plugin#4, and jenkinsci/dimensionsscm-plugin#21.
basil added a commit to basil/jep that referenced this pull request May 25, 2021
@basil
Noting the release of jenkinsci/cvs-plugin#55, jenkinsci/vectorcast-c…
c9e0e7e 
…overage-plugin#4, jenkinsci/dimensionsscm-plugin#21, and jenkinsci/plasticscm-mergebot-plugin#3.
basil added a commit to basil/jep that referenced this pull request May 25, 2021
@basil
Noting the release of jenkinsci/cvs-plugin#55, jenkinsci/clearcase-uc…
105ecc0 
…m-plugin#5, jenkinsci/vectorcast-coverage-plugin#4, jenkinsci/dimensionsscm-plugin#21, and jenkinsci/plasticscm-mergebot-plugin#3.
basil added a commit to basil/jep that referenced this pull request May 25, 2021
@basil
Noting the release of jenkinsci/cvs-plugin#55, jenkinsci/plasticscm-p…
70b6e66 
…lugin#40, jenkinsci/clearcase-ucm-plugin#5, jenkinsci/vectorcast-coverage-plugin#4, and jenkinsci/dimensionsscm-plugin#21.
basil added a commit to basil/jep that referenced this pull request May 25, 2021
@basil
Noting the release of jenkinsci/cvs-plugin#55, jenkinsci/plasticscm-p…
7165f5d 
…lugin#40, jenkinsci/clearcase-ucm-plugin#5, jenkinsci/vectorcast-coverage-plugin#4, jenkinsci/dimensionsscm-plugin#21, and jenkinsci/plasticscm-mergebot-plugin#3.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@olamy @batmat @basil @jtnord @mrmoritz01