diff --git a/BUILD.txt b/BUILD.txt
index db3a4c3..04da29f 100644
--- a/BUILD.txt
+++ b/BUILD.txt
@@ -11,7 +11,7 @@
Before deploying:
copy settings-template.xml to ~/.m2/settings.xml adding your Sonatype OSSRH
-username and passwords.
+username and passwords and also your GPG key and password.
To deploy (optionally adding sources and javadoc jars):
mvn deploy
diff --git a/pom.xml b/pom.xml
index 5aaac54..2c5cb43 100644
--- a/pom.xml
+++ b/pom.xml
@@ -14,7 +14,7 @@
com.thoughtworks.xstream
xstream-parent
pom
- 1.4.14
+ 1.4.15
XStream Parent
http://x-stream.github.io
@@ -410,12 +410,12 @@
com.thoughtworks.xstream
xstream
- 1.4.14
+ 1.4.15
com.thoughtworks.xstream
xstream
- 1.4.14
+ 1.4.15
tests
test-jar
test
@@ -423,43 +423,43 @@
com.thoughtworks.xstream
xstream
- 1.4.14
+ 1.4.15
javadoc
provided
com.thoughtworks.xstream
xstream-hibernate
- 1.4.14
+ 1.4.15
com.thoughtworks.xstream
xstream-hibernate
- 1.4.14
+ 1.4.15
javadoc
provided
com.thoughtworks.xstream
xstream-jmh
- 1.4.14
+ 1.4.15
com.thoughtworks.xstream
xstream-jmh
- 1.4.14
+ 1.4.15
javadoc
provided
com.thoughtworks.xstream
xstream-benchmark
- 1.4.14
+ 1.4.15
com.thoughtworks.xstream
xstream-benchmark
- 1.4.14
+ 1.4.15
javadoc
provided
@@ -634,6 +634,11 @@
javax.xml.bind
jaxb-api
${version.javax.xml.bind.api}
+
+
+ com.sun.xml.ws
+ jaxws-rt
+ ${version.javax.xml.ws.jaxws.rt}
@@ -844,6 +849,10 @@
org.apache.maven.plugins
maven-gpg-plugin
${version.plugin.maven.gpg}
+
+ ${gpg.keyname}
+ ${gpg.keyname}
+
org.apache.maven.plugins
@@ -1114,7 +1123,7 @@
2.3
1.4
2.22.0
- 1.4
+ 1.6
2.2
2.2
2.10
@@ -1142,6 +1151,7 @@
1.3.2
2.4.0
2.3.1
+ 2.2
1.0.1
1.6
3.8.1
@@ -1155,7 +1165,7 @@
2.0.5
20080701
1.21
- 3.5.0
+ 3.5.0
1.6.1
1.2.0
1.0.1
diff --git a/settings-template.xml b/settings-template.xml
index ffea412..e48b65f 100644
--- a/settings-template.xml
+++ b/settings-template.xml
@@ -20,6 +20,13 @@
ossrh-staging
your-sonatype.org-id
your-sonatype.org-pwd
-
+
+
+ ${gpg.keyname}
+ your-gpg-key-pwd
+
+
+ your-gpg-keyname
+
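Review bot: The new server entry asks the user to put the GPG key passphrase (`your-gpg-key-pwd`) in plaintext into `~/.m2/settings.xml`, while Maven can keep `<server>` passwords encrypted against a master key in `~/.m2/settings-security.xml` (`mvn --encrypt-master-password`, `mvn --encrypt-password`); the template, or the matching BUILD.txt sentence, should point at that instead of inviting a plaintext secret. The element names are not visible in this rendering, so I am inferring the structure from the values and from the `${gpg.keyname}` reference the root pom adds to the maven-gpg-plugin configuration. A comment next to the password line such as `<!-- prefer an encrypted value here; see the Maven password-encryption guide -->` would make the expectation clear.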
diff --git a/xstream/pom.xml b/xstream/pom.xml
index bde74f1..1679ded 100644
--- a/xstream/pom.xml
+++ b/xstream/pom.xml
@@ -14,7 +14,7 @@
com.thoughtworks.xstream
xstream-parent
- 1.4.14
+ 1.4.15
xstream
jar
@@ -142,6 +142,54 @@
commons-lang
commons-lang
test
+
+
+
+ com.sun.xml.ws
+ jaxws-rt
+ test
+
+
+ javax.xml.ws
+ jaxws-api
+
+
+ com.sun.istack
+ istack-commons-runtime
+
+
+ com.sun.xml.bind
+ jaxb-impl
+
+
+ com.sun.xml.messaging.saaj
+ saaj-impl
+
+
+ com.sun.xml.stream.buffer
+ streambuffer
+
+
+ com.sun.xml.ws
+ policy
+
+
+ com.sun.org.apache.xml.internal
+ resolver
+
+
+ org.glassfish.gmbal
+ gmbal-api-only
+
+
+ org.jvnet
+ mimepull
+
+
+ org.jvnet.staxex
+ stax-ex
+
+
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java
index b6e4e14..8415da2 100644
--- a/xstream/src/java/com/thoughtworks/xstream/XStream.java
+++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java
@@ -337,6 +337,7 @@
private static final Pattern IGNORE_ALL = Pattern.compile(".*");
private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator");
private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*");
+ private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream");
/**
* Constructs a default XStream.
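Review bot: The new `JAXWS_FILE_STREAM` pattern, and the entries added to the deny lists in the following hunk (`jdk.nashorn.internal.objects.NativeString` and the pattern itself), carry no comment saying what the blocked type does when deserialized or which advisory the entry belongs to, so a later maintainer cannot judge whether an entry is still needed. One line per constant would fix this, e.g. `// JAX-WS ReadAllStream$FileStream removes its backing file when read (see the security advisories in the distribution docs)` — the new acceptance tests show exactly that behaviour. It would also help to note why this entry is a regular expression starting with `.*` while the other three types are matched by exact name in `denyTypes`.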
@@ -642,8 +643,12 @@
}
addPermission(AnyTypePermission.ANY);
- denyTypes(new String[]{"java.beans.EventHandler", "java.lang.ProcessBuilder", "javax.imageio.ImageIO$ContainsFilter"});
- denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO});
+ denyTypes(new String[]{
+ "java.beans.EventHandler", //
+ "java.lang.ProcessBuilder", //
+ "javax.imageio.ImageIO$ContainsFilter", //
+ "jdk.nashorn.internal.objects.NativeString" });
+ denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM});
allowTypeHierarchy(Exception.class);
securityInitialized = false;
}
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
index b8e19f8..b1c6f51 100644
--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
+++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019, 2020 XStream Committers.
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
@@ -279,7 +279,7 @@
final BitSet XML_NAME_CHARS_4TH = new BitSet(0xFFFFF);
XML_NAME_CHARS_4TH.set('-');
XML_NAME_CHARS_4TH.set('.');
- XML_NAME_CHARS_4TH.set('0', '9');
+ XML_NAME_CHARS_4TH.set('0', '9' + 1);
XML_NAME_CHARS_4TH.set(0xB7);
final BitSet XML_NAME_CHARS_5TH = (BitSet)XML_NAME_CHARS_4TH.clone();
@@ -406,8 +406,8 @@
XML_NAME_CHARS_4TH.set(0x30FC, 0x30FE + 1);
XML_NAME_CHARS_5TH.or(XML_NAME_START_CHARS_5TH);
- XML_NAME_CHARS_5TH.set(0x300, 0x36F);
- XML_NAME_CHARS_5TH.set(0x203F, 0x2040);
+ XML_NAME_CHARS_5TH.set(0x300, 0x36F + 1);
+ XML_NAME_CHARS_5TH.set(0x203F, 0x2040 + 1);
XML_NAME_START_CHARS = (BitSet)XML_NAME_START_CHARS_4TH.clone();
XML_NAME_START_CHARS.and(XML_NAME_START_CHARS_5TH);
@@ -493,9 +493,9 @@
// First, fast (common) case: nothing to escape
int i = 0;
- for (; i < length; i++ ) {
- char c = name.charAt(i);
- if (c == '$' || c == '_' || c <= 27 || c >= 127) {
+ for (; i < length; i++) {
+ final char c = name.charAt(i);
+ if (c < 'A' || (c > 'Z' && c < 'a') || c > 'Z') {
break;
}
}
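Review bot: In the rewritten fast-path condition the last disjunct `c > 'Z'` subsumes the middle one `(c > 'Z' && c < 'a')` and also rejects every lowercase letter, so any name containing a lowercase character leaves the fast path at its first such character; `c > 'z'` looks like the intended bound: `if (c < 'A' || (c > 'Z' && c < 'a') || c > 'z') {`. If the slow path that follows handles each character correctly this is only a lost optimisation rather than a wrong result, but that code, like the start of the enclosing method, is outside the hunk. The new condition also sends digits, `-` and `.` to the slow path where the old one let them through; if that is deliberate (the new `XmlFriendlyTest` expects a leading digit to be escaped), a short comment stating it would stop the next reader from "fixing" it back.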
diff --git a/xstream/src/java/com/thoughtworks/xstream/mapper/DefaultMapper.java b/xstream/src/java/com/thoughtworks/xstream/mapper/DefaultMapper.java
index 02faf80..f5a3d0b 100644
--- a/xstream/src/java/com/thoughtworks/xstream/mapper/DefaultMapper.java
+++ b/xstream/src/java/com/thoughtworks/xstream/mapper/DefaultMapper.java
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2005, 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016 XStream Committers.
+ * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2015, 2016, 2020 XStream Committers.
* All rights reserved.
*
* The software in this package is published under the terms of the BSD
@@ -77,7 +77,9 @@
initialize = elementName.charAt(0) == '[';
}
return Class.forName(elementName, initialize, classLoader);
- } catch (ClassNotFoundException e) {
+ } catch (final ClassNotFoundException e) {
+ throw new CannotResolveClassException(elementName);
+ } catch (final IllegalArgumentException e) {
throw new CannotResolveClassException(elementName);
}
}
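Review bot: The added `catch (final IllegalArgumentException e)` has no comment saying which input makes `Class.forName` throw it — the JDK Javadoc for `forName` does not list that exception — so the branch reads as dead code and risks removal in a cleanup. A comment would preserve the intent, e.g. `// some class names make Class.forName throw IllegalArgumentException instead of ClassNotFoundException; treat both as unresolvable`. Both catch blocks drop the cause, matching the pre-existing style, and since the project still runs on pre-Java-7 JVMs (the tests guard with `JVM.isVersion(5)`) a multi-catch is not available, so the duplicated body is acceptable. The enclosing method starts outside the hunk.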
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
index 848db02..da5f861 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java
@@ -11,6 +11,11 @@
package com.thoughtworks.acceptance;
import java.beans.EventHandler;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
import java.util.Iterator;
import com.thoughtworks.xstream.XStream;
@@ -213,4 +218,68 @@
// OK
}
}
+
+ public void testCannotUseJaxwsInputStreamToDeleteFile() {
+ if (JVM.isVersion(5)) {
+ final String xml = ""
+ + "\n"
+ + " target/junit/test.txt\n"
+ + "";
+
+ xstream.aliasType("is", InputStream.class);
+ try {
+ xstream.fromXML(xml);
+ fail("Thrown " + ConversionException.class.getName() + " expected");
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+ }
+ }
+
+ public void testExplicitlyUseJaxwsInputStreamToDeleteFile() throws IOException {
+ if (JVM.isVersion(5)) {
+ final File testDir = new File("target/junit");
+ final File testFile = new File(testDir, "test.txt");
+ try {
+ testDir.mkdirs();
+
+ final OutputStream out = new FileOutputStream(testFile);
+ out.write("JUnit".getBytes());
+ out.flush();
+ out.close();
+
+ assertTrue("Test file " + testFile.getPath() + " does not exist.", testFile.exists());
+
+ final String xml = ""
+ + "\n"
+ + " target/junit/test.txt\n"
+ + "";
+
+ xstream.addPermission(AnyTypePermission.ANY); // clear out defaults
+ xstream.aliasType("is", InputStream.class);
+
+ InputStream is = null;
+ try {
+ is = (InputStream)xstream.fromXML(xml);
+ } catch (final ForbiddenClassException e) {
+ // OK
+ }
+
+ assertTrue("Test file " + testFile.getPath() + " no longer exists.", testFile.exists());
+
+ byte[] data = new byte[10];
+ is.read(data);
+ is.close();
+
+ assertFalse("Test file " + testFile.getPath() + " still exists exist.", testFile.exists());
+ } finally {
+ if (testFile.exists()) {
+ testFile.delete();
+ }
+ if (testDir.exists()) {
+ testDir.delete();
+ }
+ }
+ }
+ }
}
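Review bot: In `testExplicitlyUseJaxwsInputStreamToDeleteFile` the `catch (final ForbiddenClassException e) { // OK }` around `fromXML` leaves `is` null, so if the permission reset ever stopped working the test would die with a `NullPointerException` at `is.read(data)` instead of a clear failure; the exception is not expected in this test, so let it propagate: `final InputStream is = (InputStream)xstream.fromXML(xml);`. In `testCannotUseJaxwsInputStreamToDeleteFile` the `fail(...)` message names `ConversionException` while the catch clause expects `ForbiddenClassException`; the message should name the type the test actually waits for. The `FileOutputStream` on `testFile` is closed only on the success path, so a failing `write` leaves the handle open, which can also make the `testFile.delete()` in the `finally` block fail on platforms that lock open files.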
diff --git a/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java b/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java
index 21b68a3..130c635 100644
--- a/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java
+++ b/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java
@@ -187,6 +187,11 @@
assertBothWays("\"", """);
}
+ public void testsDigitsOnly() {
+ xstream.alias("0123456789", String.class);
+ assertBothWays("", "<_.0030123456789>");
+ }
+
public void testDecimalFormatSymbols() {
final String xml;
if (!JVM.is14()) {
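Review bot: The new test method is named `testsDigitsOnly`, which looks like a typo for `testDigitsOnly`; JUnit 3 still runs it because the name starts with `test`, but it breaks the `testXxx` convention of its neighbours such as `testDecimalFormatSymbols`. Rename the declaration to `public void testDigitsOnly() {`. A one-line comment above the assertion explaining the expected `_.0030123456789` — presumably only the leading digit is escaped because a digit is not a valid XML name start character — would also document the rule this test pins.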
diff --git a/xstream-benchmark/pom.xml b/xstream-benchmark/pom.xml
index 4f97308..724aaf5 100644
--- a/xstream-benchmark/pom.xml
+++ b/xstream-benchmark/pom.xml
@@ -14,7 +14,7 @@
com.thoughtworks.xstream
xstream-parent
- 1.4.14
+ 1.4.15
xstream-benchmark
jar
diff --git a/xstream-distribution/pom.xml b/xstream-distribution/pom.xml
index bd4f534..2154950 100644
--- a/xstream-distribution/pom.xml
+++ b/xstream-distribution/pom.xml
@@ -14,7 +14,7 @@
com.thoughtworks.xstream
xstream-parent
- 1.4.14
+ 1.4.15
xstream-distribution
pom
diff --git a/xstream-distribution/src/content/CVE-2020-26217.html b/xstream-distribution/src/content/CVE-2020-26217.html
index 469a85c..0d6670a 100644
--- a/xstream-distribution/src/content/CVE-2020-26217.html
+++ b/xstream-distribution/src/content/CVE-2020-26217.html
@@ -22,7 +22,7 @@
All versions until and including version 1.4.13 are affected, if using the version out of the box. No user is
affected, who followed the recommendation to setup XStream's security
- framework with a white list.
+ framework with a whitelist.
Description
@@ -109,12 +109,12 @@
input stream.
Workaround
- As recommended, use XStream's security framework to implement a white list for the allowed types.
- Users of XStream 1.4.13 who want to use XStream default black list can simply add two lines to XStream's setup code:
+ As recommended, use XStream's security framework to implement a whitelist for the allowed types.
+ Users of XStream 1.4.13 who want to use XStream default blacklist can simply add two lines to XStream's setup code:
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class });
- Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a black list will have to setup such a list from
+
Users of XStream 1.4.12 to 1.4.7 who want to use XStream with a blacklist will have to setup such a list from
scratch and deny at least the following types: javax.imageio.ImageIO$ContainsFilter,
java.beans.EventHandler, java.lang.ProcessBuilder, java.lang.Void and void.
xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" });
@@ -139,8 +139,8 @@
Credits
- Chen L reported the issue to XStream and provided the required information to reproduce it. The issue was found
- by Zhihong Tian and Hui Lu, both from Guangzhou University.
+ Chen L found and reported the issue to XStream and provided the required information to reproduce it. He was
+ supported by Zhihong Tian and Hui Lu, both from Guangzhou University.