[ https://jira.jboss.org/browse/JBPM-2774?page=com.atlassian.jira.plugin.sy... ]
Alejandro Guizar edited comment on JBPM-2774 at 10/26/10 2:32 PM:
------------------------------------------------------------------
jBPM loads the pageflow-2.0 schema from resource org/jboss/seam/pageflow-2.0.xsd since
version 3.2.4; other schema resources can be registered with
JpdlParser.addSchemaResource() - see JBPM-1707. The change proposed in
http://seamframework.org/Documentation/WhyDoesDeploymentFailWithASAXExcep... does not
apply to jBPM 3.2.4 and above, since we have abandoned the EntityResolver in favor of the
JAXP schema source property. The motivation for this change was that jBPM does not use
DTDs.
The schema source property does not lend itself to resolving the pageflow schema resource
for an arbitrary version as the entity resolver does. However, the Seam proposed code has
a vulnerability: it can be used to access arbitrary resources in the classpath by crafting
the systemId.
    // Seam's proposed resolver: everything after the namespace prefix becomes a classpath path
    if (systemId.startsWith(SEAM_NAMESPACE)) {
        String path = "org/jboss/seam/" + systemId.substring(SEAM_NAMESPACE.length());
        inputSource = new InputSource(org.jboss.seam.Seam.class.getResourceAsStream(path));
    }
There are several options here.
a) Have JpdlParser try to load any schema resources named org/jboss/seam/pageflow-2.n.xsd,
n >= 0 from the classpath
b) Have Seam register pageflow schemas more recent than 2.0 by calling
JpdlParser.addSchemaResource()
c) Introduce a configuration property jbpm.schema.resources and load only the resources
specified there from the classpath
was (Author: alex.guizar(a)jboss.com):
jBPM loads the pageflow-2.0 schema from resource org/jboss/seam/pageflow-2.0.xsd since
version 3.2.4; other schema resources can be registered with
JpdlParser.addSchemaResource() - see JBPM-1707. The change proposed in
http://seamframework.org/Documentation/WhyDoesDeploymentFailWithASAXExcep... does not
apply to jBPM 3.2.4 and above, since we have abandoned the EntityResolver in favor of the
JAXP schema source property. The motivation for this change was that jBPM does not use
DTDs.
The schema source property does not lend itself to resolving the pageflow schema resource
for an arbitrary version as the entity resolver does. However, the Seam proposed code has
a vulnerability: it can be used to access arbitrary resources in the classpath by crafting
the systemId.
    // Seam's proposed resolver: everything after the namespace prefix becomes a classpath path
    if (systemId.startsWith(SEAM_NAMESPACE)) {
        String path = "org/jboss/seam/" + systemId.substring(SEAM_NAMESPACE.length());
        inputSource = new InputSource(org.jboss.seam.Seam.class.getResourceAsStream(path));
    }
There are several options here.
(a) Have JpdlParser try to load any schema resources named
org/jboss/seam/pageflow-2.n.xsd, n >= 0 from the classpath.
(b) Have Seam register pageflow schemas more recent than 2.0 by calling
org/jboss/seam/pageflow-2.0.xsd.
(c) Introduce a configuration property jbpm.schema.resources and load only the resources
specified there from the classpath.
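The comment above points out that mapping the tail of a systemId straight onto a classpath path lets the document control which resource is read, and lists options (a) and (b) as alternatives. The resolver below is an added illustration of how those two options can be combined in an EntityResolver; it is not Seam's or jBPM's code. The value of SEAM_NAMESPACE is assumed (the page does not state it), and PageflowSchemaResolver, resolveResourceName and the sample resource names are hypothetical names introduced here. A systemId under the Seam namespace is only served from the classpath when its remainder is a bare pageflow-2.n.xsd file name (option a) or exactly matches a resource registered in advance (option b); anything else is refused instead of being opened as a URL, so no network access is attempted either.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical hardened resolver; illustrative only, not Seam's or jBPM's own class. */
public class PageflowSchemaResolver implements EntityResolver {

    // Assumed value; the page only names the constant, not its contents.
    private static final String SEAM_NAMESPACE = "http://jboss.com/products/seam/";

    // Option (a): a systemId may only name a pageflow-2.n.xsd file, n >= 0.
    // The pattern admits no '/', '\', '..' or query string, so it cannot leave org/jboss/seam/.
    private static final Pattern PAGEFLOW_XSD = Pattern.compile("pageflow-2\\.\\d+\\.xsd");

    // Option (b): resources registered explicitly, in the spirit of JpdlParser.addSchemaResource().
    private final Set<String> registeredResources = new LinkedHashSet<String>();

    private final ClassLoader loader;

    public PageflowSchemaResolver(ClassLoader loader) {
        this.loader = loader;
    }

    /** Registers a full classpath resource name, e.g. org/jboss/seam/pageflow-2.1.xsd. */
    public void addSchemaResource(String resource) {
        registeredResources.add(resource);
    }

    /**
     * Maps a systemId to the classpath resource that may be served for it.
     * Returns null for systemIds outside the Seam namespace (default parser behaviour applies)
     * and throws for Seam systemIds that match neither option (a) nor option (b).
     */
    String resolveResourceName(String systemId) throws SAXException {
        if (systemId == null || !systemId.startsWith(SEAM_NAMESPACE)) {
            return null;
        }
        String remainder = systemId.substring(SEAM_NAMESPACE.length());
        String candidate = "org/jboss/seam/" + remainder;
        if (PAGEFLOW_XSD.matcher(remainder).matches() || registeredResources.contains(candidate)) {
            return candidate;
        }
        throw new SAXException("refusing to resolve unregistered Seam schema: " + systemId);
    }

    public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
        String resource = resolveResourceName(systemId);
        if (resource == null) {
            return null;
        }
        InputStream in = loader.getResourceAsStream(resource);
        if (in == null) {
            // Fail closed: a known schema missing from the classpath is a deployment error,
            // not a reason to fall back to fetching the systemId over the network.
            throw new SAXException("schema resource not found on classpath: " + resource);
        }
        InputSource source = new InputSource(in);
        source.setSystemId(systemId);
        return source;
    }

    public static void main(String[] args) {
        PageflowSchemaResolver resolver =
            new PageflowSchemaResolver(PageflowSchemaResolver.class.getClassLoader());
        // Constructed registration for a resource that does not fit the pageflow-2.n.xsd pattern.
        resolver.addSchemaResource("org/jboss/seam/pageflow-extensions.xsd");

        // Constructed systemIds: the first two are accepted, the last two are refused.
        String[] ids = {
            SEAM_NAMESPACE + "pageflow-2.0.xsd",
            SEAM_NAMESPACE + "pageflow-extensions.xsd",
            SEAM_NAMESPACE + "components.xsd",
            SEAM_NAMESPACE + "pageflow-2.0.xsd?version=latest"
        };
        for (String id : ids) {
            try {
                System.out.println(id + " -> " + resolver.resolveResourceName(id));
            } catch (SAXException e) {
                System.out.println(id + " -> refused (" + e.getMessage() + ")");
            }
        }
    }
}
```

Option (c), a jbpm.schema.resources configuration property, fits the same shape: read the property at startup and feed each entry to addSchemaResource(), and the resolver's behaviour does not change. The important property in either case is that the set of resources reachable through a systemId is fixed by the deployer, not by the document being parsed.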
parsing of pageflow causes to require internet connection
---------------------------------------------------------
Key: JBPM-2774
URL: https://jira.jboss.org/browse/JBPM-2774
Project: jBPM
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Runtime Engine
Affects Versions: jBPM 3.2.2, jBPM 3.2.3, jBPM 3.2.4 GA, jBPM 3.2.5 GA,
jBPM-3.2.5.SP1, jBPM-3.2.5.SP2, jBPM-3.2.5.SP3, jBPM 3.2.6.SP1, jBPM-3.2.5.SP4
Reporter: Marek Novotny
Assignee: Alejandro Guizar
Fix For: jBPM 3.2.x
Original Estimate: 0 minutes
Remaining Estimate: 0 minutes
JpdlParser has hard-coded XSDs for local parsing instead of a regular expression or
wildcards in the file name of the pageflow xsd.