Merge pull request apache#1 from exabrial/TRIBESTRM_3972_CVE_2016_8739

Tod Bookless · web-flow · commit 4da8081a364b · 2017-06-01T10:26:13.000-07:00
[Tribestrm-3972] cve-2016-8739
diff --git a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AbstractAtomProvider.java b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AbstractAtomProvider.java
@@ -31,6 +31,7 @@
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.ext.MessageBodyReader;
 import javax.ws.rs.ext.MessageBodyWriter;
+import javax.xml.stream.XMLStreamReader;
 
 import org.apache.abdera.Abdera;
 import org.apache.abdera.model.Document;
@@ -39,28 +40,29 @@
 import org.apache.abdera.parser.ParserOptions;
 import org.apache.abdera.writer.Writer;
 import org.apache.cxf.common.logging.LogUtils;
+import org.apache.cxf.staxutils.StaxUtils;
 
-public abstract class AbstractAtomProvider<T extends Element> 
+public abstract class AbstractAtomProvider<T extends Element>
     implements MessageBodyWriter<T>, MessageBodyReader<T> {
 
     private static final Logger LOG = LogUtils.getL7dLogger(AbstractAtomProvider.class);
     private static final Abdera ATOM_ENGINE = new Abdera();
     private boolean autodetectCharset;
     private boolean formattedOutput;
-    
+
     public long getSize(T element, Class<?> type, Type genericType, Annotation[] annotations, MediaType mt) {
         return -1;
     }
 
-    public void writeTo(T element, Class<?> clazz, Type type, Annotation[] a, 
-                        MediaType mt, MultivaluedMap<String, Object> headers, OutputStream os) 
+    public void writeTo(T element, Class<?> clazz, Type type, Annotation[] a,
+                        MediaType mt, MultivaluedMap<String, Object> headers, OutputStream os)
         throws IOException {
         if (MediaType.APPLICATION_JSON_TYPE.isCompatible(mt)) {
             Writer w = createWriter("json");
             if (w == null) {
                 throw new WebApplicationException(415);
             }
-            element.writeTo(w, os);   
+            element.writeTo(w, os);
         } else if (formattedOutput) {
             Writer w = createWriter("prettyxml");
             if (w != null) {
@@ -80,9 +82,9 @@ protected Writer createWriter(String writerName) {
         }
         return w;
     }
-    
-    public T readFrom(Class<T> clazz, Type t, Annotation[] a, MediaType mt, 
-                         MultivaluedMap<String, String> headers, InputStream is) 
+
+    public T readFrom(Class<T> clazz, Type t, Annotation[] a, MediaType mt,
+                         MultivaluedMap<String, String> headers, InputStream is)
         throws IOException {
         Parser parser = ATOM_ENGINE.getParser();
         synchronized (parser) {
@@ -91,7 +93,8 @@ public T readFrom(Class<T> clazz, Type t, Annotation[] a, MediaType mt,
                 options.setAutodetectCharset(autodetectCharset);
             }
         }
-        Document<T> doc = parser.parse(is);
+        XMLStreamReader reader = StaxUtils.createXMLStreamReader(is);
+        Document<T> doc = parser.parse(reader);
         return doc.getRoot();
     }
 
diff --git a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProvider.java b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProvider.java
@@ -558,8 +558,8 @@ private void reportError(String message, Exception ex) {
         reportError(message, ex, 500);
     }
     
-    private boolean isFeedRequested(MediaType mt) {
-        if ("entry".equals(mt.getParameters().get("type"))) {
+    protected boolean isFeedRequested(MediaType mt) {
+        if ("entry".equalsIgnoreCase(mt.getParameters().get("type"))) {
             return false;
         }
         return true;
@@ -600,25 +600,29 @@ public Object readFrom(Class<Object> cls, Type type, Annotation[] anns, MediaTyp
         boolean isFeed = isFeedRequested(mt);
         
         if (isFeed) {
-            return readFromFeed(cls, mt, headers, is);
+            return readFromFeedOrEntry(cls, mt, headers, is);
         } else {
             AtomEntryProvider p = new AtomEntryProvider();
             p.setAutodetectCharset(autodetectCharset);
             Entry entry = p.readFrom(Entry.class, Entry.class, 
                                      new Annotation[]{}, mt, headers, is);
-            return readFromEntry(entry, cls, mt, headers, is);
+            return readFromEntry(entry, cls);
         }
     }
     
     @SuppressWarnings("unchecked")
-    private Object readFromFeed(Class<Object> cls, MediaType mt, 
+    private Object readFromFeedOrEntry(Class<Object> cls, MediaType mt, 
                            MultivaluedMap<String, String> headers, InputStream is) 
         throws IOException {
         
         AtomFeedProvider p = new AtomFeedProvider();
         p.setAutodetectCharset(autodetectCharset);
-        Feed feed = p.readFrom(Feed.class, Feed.class, new Annotation[]{}, mt, headers, is);
-        
+        Object atomObject = p.readFrom(Feed.class, Feed.class, new Annotation[]{}, mt, headers, is);
+        if (atomObject instanceof Entry) {
+            return this.readFromEntry((Entry)atomObject, cls);
+        }
+            
+        Feed feed = (Feed)atomObject;
         AtomElementReader<?, ?> reader = getAtomReader(cls);
         if (reader != null) {
             return ((AtomElementReader<Feed, Object>)reader).readFrom(feed);
@@ -631,7 +635,7 @@ private Object readFromFeed(Class<Object> cls, MediaType mt,
                 = (Class<Object>)InjectionUtils.getActualType(m.getGenericParameterTypes()[0]);
             List<Object> objects = new ArrayList<Object>();
             for (Entry e : feed.getEntries()) {
-                objects.add(readFromEntry(e, realCls, mt, headers, is));
+                objects.add(readFromEntry(e, realCls));
             }
             instance = cls.newInstance();
             m.invoke(instance, new Object[]{objects});
@@ -643,20 +647,22 @@ private Object readFromFeed(Class<Object> cls, MediaType mt,
     }
     
     @SuppressWarnings("unchecked")
-    private Object readFromEntry(Entry entry, Class<Object> cls, MediaType mt, 
-                            MultivaluedMap<String, String> headers, InputStream is) 
+    private Object readFromEntry(Entry entry, Class<Object> cls) 
         throws IOException {
         
         AtomElementReader<?, ?> reader = getAtomReader(cls);
         if (reader != null) {
             return ((AtomElementReader<Entry, Object>)reader).readFrom(entry);
         }
-        try {
-            Unmarshaller um = 
-                jaxbProvider.getJAXBContext(cls, cls).createUnmarshaller();
-            return cls.cast(um.unmarshal(new StringReader(entry.getContent())));
-        } catch (Exception ex) {
-            reportError("Object of type " + cls.getName() + " can not be deserialized from Entry", ex, 400);
+        String entryContent = entry.getContent();
+        if (entryContent != null) {
+            try {
+                Unmarshaller um = 
+                    jaxbProvider.getJAXBContext(cls, cls).createUnmarshaller();
+                return cls.cast(um.unmarshal(new StringReader(entryContent)));
+            } catch (Exception ex) {
+                reportError("Object of type " + cls.getName() + " can not be deserialized from Entry", ex, 400);
+            }
         }
         return null;
     }
diff --git a/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProviderTest.java b/rt/rs/extensions/providers/src/test/java/org/apache/cxf/jaxrs/provider/atom/AtomPojoProviderTest.java
