-
Notifications
You must be signed in to change notification settings - Fork 194
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bump xalan from version 2.7.2 to version 2.7.3 #4902
base: 2.13.x
Are you sure you want to change the base?
Conversation
a3b174c
to
44f7dc1
Compare
@oscerd could you re-approve the workflows? I had to force-push some changes in order to make the pipeline succeed. |
It seem that there are |
The 2.7.3 POM is a bit screwed up compared with 2.7.2. It is missing dependencies. |
Oh nice... so... should we close this PR and wait for an update instead? |
It's not clear to me whether they are going to patch it or not.... I think we could work around it by adding |
Okay, will update my PR as soon as I have some time. There is, however, a major concern here: CVE-2022-34169. For me, it is unclear whether the issue is actually fixed in |
44f7dc1
to
1d85d7a
Compare
@jamesnetherton @oscerd @zhfeng Updated the PR, |
- Add xalan:serializer dependency since it is missing from xalan's pom
1d85d7a
to
1d1cf8e
Compare
... welp... |
The fix commit seems to be this one apache/xalan-java@2e60d0a |
Okay nice. Only question is now: what is missing so that the pipeline succeeds? |
Let me have a look |
I was able to do some hacks to make the XML security test pass - see https://github.com/ppalaga/camel-quarkus/commits/pr4902 |
The XML test are weired. They are working in JVM mode but throwing the Exception during native building.
I will take a look. |
Well, it seems that xalan 2.7.3 added a new checking before dumping a generated translet class. See https://github.com/apache/xalan-java/blame/master/src/org/apache/xalan/xsltc/compiler/XSLTC.java#L860-L865 byte[] classByteArray = clazz.getBytes();
ByteArrayClassLoader classLoader = new ByteArrayClassLoader(classByteArray);
Class clz = classLoader.findClass(clazz.getClassName()); And I have no idea how to fix it and don't undertand the motivation for the checking in XSLTC. |
Sooo... what's our course of action now? Xalan 2.7.2 is vulnerable to https://cve.circl.lu/cve/CVE-2022-34169 and 2.7.3 does not seem to work. |
@zhfeng could you please try changing the constructor of |
Or even better |
@ppalaga yeah, I tried such changes and it works with |
Let's propose it in Xalan then. Should I help with formulating why we need it? |
Yeah, please file an issue on XALANJ ? |
You mean I should file an issue on Xalan? - no problem, let me do it. |
@ppalaga I'm just curious in what case the |
When it is not set via |
Would you like to care for sending the PR, @zhfeng ? |
Thanks @ppalaga and I will prepare a PR. |
IIRC, the default value of |
We revisit the following issue and will try to put the fix to the upstream jdk |
Bump xalan from version 2.7.2 to version 2.7.3