[
https://jira.jboss.org/jira/browse/JBPM-2774?page=com.atlassian.jira.plug...
]
Alejandro Guizar edited comment on JBPM-2774 at 4/19/10 8:45 PM:
-----------------------------------------------------------------
jBPM loads the pageflow-2.0 schema from resource org/jboss/seam/pageflow-2.0.xsd since
version 3.2.4; other schema resources can be registered with
JpdlParser.addSchemaResource() - see JBPM-1707. The change proposed in
http://seamframework.org/Documentation/WhyDoesDeploymentFailWithASAXExcep... does not
apply to jBPM 3.2.4 and above, since we have abandoned the EntityResolver in favor of the
JAXP schema source property. The motivation for this change was that jBPM does not use
DTDs.
The schema source property does not lend itself to resolving the pageflow schema resource
for an arbitrary version as the entity resolver does. However, the Seam-proposed code has
a vulnerability: it can be used to access arbitrary resources in the classpath by crafting
the systemId.
if (systemId.startsWith(SEAM_NAMESPACE)) {
    String path = "org/jboss/seam/" + systemId.substring(SEAM_NAMESPACE.length());
    inputSource = new InputSource(org.jboss.seam.Seam.class.getResourceAsStream(path));
}
There are several options here.
(a) Have JpdlParser try to load any schema resources named
org/jboss/seam/pageflow-2.n.xsd, n >= 0 from the classpath.
(b) Have Seam register pageflow schemas more recent than 2.0 by calling
org/jboss/seam/pageflow-2.0.xsd.
(c) Introduce a configuration property jbpm.schema.resources and load only the resources
specified there from the classpath.
was (Author: alex.guizar(a)jboss.com):
jBPM loads the pageflow-2.0 schema from resource org/jboss/seam/pageflow-2.0.xsd since
version 3.2.4; other schema resources can be registered with
JpdlParser.addSchemaResource() - see JBPM-1707. The change proposed in
http://seamframework.org/Documentation/WhyDoesDeploymentFailWithASAXExcep... does not
apply to jBPM 3.2.4 and above, since we have abandoned the EntityResolver in favor of the
JAXP schema source property. The motivation for this change was that jBPM does not use
DTDs.
The schema source property does not lend itself to resolving the pageflow schema resource
for an arbitrary version as the entity resolver does. However, the Seam-proposed code has
a vulnerability: it can be used to access arbitrary resources in the classpath by crafting
the systemId.
if (systemId.startsWith(SEAM_NAMESPACE)) {
    log.debug("recognized Seam namespace; attempting to resolve on classpath under org/jboss/seam/");
    String path = "org/jboss/seam/" + systemId.substring(SEAM_NAMESPACE.length());
    try {
        inputSource = new InputSource(org.jboss.seam.Seam.class.getResourceAsStream(path));
    } catch (Exception e) {
        log.debug(e.toString());
    }
}
There are several options here.
(a) Have JpdlParser try to load any schema resources named
org/jboss/seam/pageflow-2.n.xsd, n >= 0 from the classpath.
(b) Have Seam register pageflow schemas more recent than 2.0 by calling
org/jboss/seam/pageflow-2.0.xsd.
(c) Introduce a configuration property jbpm.schema.resources and load only the resources
specified there from the classpath.
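An entity resolver restricted to the pageflow-2.n.xsd pattern from option (a), written as an added example that is not jBPM's or Seam's own code. The SEAM_NAMESPACE value and the class name are assumptions; the point is that the remainder of the systemId is matched in full against an allow-list pattern before it is ever turned into a classpath resource name, so the systemId can no longer select an arbitrary resource, and a Seam-namespace id that fails the check is refused instead of falling back to a network fetch.

```java
import java.io.InputStream;
import java.util.regex.Pattern;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Added example (not jBPM/Seam code): resolves only allow-listed pageflow schemas. */
public class PageflowSchemaResolver implements EntityResolver {

    // Assumed namespace prefix for this example.
    static final String SEAM_NAMESPACE = "http://jboss.com/products/seam/";

    // Accepts exactly pageflow-2.n.xsd with n >= 0; no path separators, no "..",
    // nothing else, so the name can only ever select one of these schema files.
    private static final Pattern ALLOWED = Pattern.compile("pageflow-2\\.\\d+\\.xsd");

    private final ClassLoader loader;

    public PageflowSchemaResolver(ClassLoader loader) {
        this.loader = loader;
    }

    /** Classpath resource for an allowed Seam pageflow systemId, or null otherwise. */
    static String resourceFor(String systemId) {
        if (systemId == null || !systemId.startsWith(SEAM_NAMESPACE)) {
            return null;
        }
        String name = systemId.substring(SEAM_NAMESPACE.length());
        // matches() requires the whole remainder to match, unlike find().
        return ALLOWED.matcher(name).matches() ? "org/jboss/seam/" + name : null;
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        if (systemId == null || !systemId.startsWith(SEAM_NAMESPACE)) {
            return null; // not ours: leave it to whatever else is registered
        }
        String resource = resourceFor(systemId);
        if (resource == null) {
            // Seam namespace but outside the allow-list: refuse rather than let the
            // parser fall back to fetching the systemId over the network.
            throw new SAXException("refusing to resolve entity: " + systemId);
        }
        InputStream in = loader.getResourceAsStream(resource);
        if (in == null) {
            throw new SAXException("schema resource not on classpath: " + resource);
        }
        InputSource source = new InputSource(in);
        source.setSystemId(systemId);
        return source;
    }
}
```

Option (c) fits the same shape: replace the pattern with a set of resource names read from a jbpm.schema.resources property and check membership instead of a regex match.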
parsing of pageflow causes to require internet connection
---------------------------------------------------------
Key: JBPM-2774
URL:
https://jira.jboss.org/jira/browse/JBPM-2774
Project: jBPM
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: jBPM 3.2.2, jBPM 3.2.3, jBPM 3.2.4 GA, jBPM 3.2.5 GA, jBPM-3.2.5.SP1, jBPM-3.2.5.SP2, jBPM-3.2.5.SP3, jBPM 3.2.6.SP1, jBPM-3.2.5.SP4, jBPM 3.2.5.SP5
Reporter: Marek Novotny
Assignee: Alejandro Guizar
JpdlParser has hard-coded XSDs for local parsing instead of a regular expression or
wildcards in the file name of the pageflow XSD.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira