Commit 75547b65 authored by Evan Ward's avatar Evan Ward Committed by Luc Maisonobe

Disable external XML resources for rapid EOP data

External XML resources can be a security risk if the source of the XML document is not trusted. Also added a test case.

Part of fixing #368

# Conflicts:
#	src/site/xdoc/changes.xml

Conflicts:
	build.xml
	pom.xml
	src/site/markdown/downloads.md
	src/site/xdoc/changes.xml
parent 4ea16f36
......@@ -2,7 +2,7 @@
<project name="orekit" default="jar" basedir=".">
<property name="project.version" value="8.0" />
<property name="project.version" value="8.0.1" />
<property name="src.dir" location="src" />
<property name="main.src.dir" value="${src.dir}/main/java" />
......
......@@ -5,7 +5,7 @@
<groupId>org.orekit</groupId>
<artifactId>orekit</artifactId>
<packaging>jar</packaging>
<version>8.0</version>
<version>8.0.1</version>
<name>ORbit Extrapolation KIT</name>
<url>http://www.orekit.org/</url>
......
......@@ -114,6 +114,8 @@ class RapidDataAndPredictionXMLLoader implements EOPHistoryLoader {
// set up a reader for line-oriented bulletin B files
final XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
reader.setContentHandler(new EOPContentHandler(name));
// disable external entities
reader.setEntityResolver((publicId, systemId) -> new InputSource());
// read all file, ignoring header
reader.parse(new InputSource(new InputStreamReader(input, "UTF-8")));
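Review bot: The resolver added on `reader.setEntityResolver((publicId, systemId) -> new InputSource());` only stops the parser from fetching what an external entity or external DTD points at; as far as I can see it leaves the DOCTYPE itself processed, so an inline entity-expansion bomb is not covered, and the blank `InputSource` ends the parse with whatever the implementation raises on a null system id (the new test pins that as `MalformedURLException`, an Apache Xerces detail rather than a contract). Since these EOP files carry no DTD, I would have the factory reject any DOCTYPE and enable `XMLConstants.FEATURE_SECURE_PROCESSING` (which also caps entity expansion), and keep the resolver as a second line of defence that substitutes an empty document instead of a bare `InputSource`. `setFeature` throws checked `SAXNotRecognizedException`/`SAXNotSupportedException`/`ParserConfigurationException` and the fence needs `javax.xml.XMLConstants` and `java.io.StringReader`; the enclosing method starts and ends outside this hunk, so I cannot tell whether those exceptions are already declared or must be wrapped in the loader's `OrekitException`. `disallow-doctype-decl` is the Apache/JDK feature name; if other SAX implementations must be tolerated, catch `SAXNotRecognizedException` there and fall back to setting `external-general-entities` and `external-parameter-entities` to false.
```java
            // set up a reader for line-oriented bulletin B files
            final SAXParserFactory factory = SAXParserFactory.newInstance();
            // EOP XML files carry no DTD: refusing any DOCTYPE closes external
            // entities, external DTD fetches and entity-expansion DoS together
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            final XMLReader reader = factory.newSAXParser().getXMLReader();
            reader.setContentHandler(new EOPContentHandler(name));
            // second line of defence: anything that still asks to be resolved gets an empty document
            reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
            // … unchanged: reader.parse(...) …
```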
......
......@@ -41,6 +41,13 @@ with groupID org.orekit and artifactId orekit so maven
internal mechanism will download automatically all artifacts and dependencies
as required.
| package | link |
|----------|---------------------------------------------------------------------------------------------------------------|
| source | [orekit-8.0.1-sources.zip](https://www.orekit.org/forge/attachments/download/xxx/orekit-8.0.1-sources.zip) |
| binary | [orekit-8.0.1.jar](https://www.orekit.org/forge/attachments/download/xxx/orekit-8.0.1.jar) |
| javadoc | [orekit-8.0.1-javadoc.jar](https://www.orekit.org/forge/attachments/download/xxx/orekit-8.0.1-javadoc.jar) |
version 8.0.1 downloads (release date: 2017-11-01)
| package | link |
|----------|-----------------------------------------------------------------------------------------------------------|
| source | [orekit-8.0-sources.zip](https://www.orekit.org/forge/attachments/download/611/orekit-8.0-sources.zip) |
......@@ -48,6 +55,13 @@ as required.
| javadoc | [orekit-8.0-javadoc.jar](https://www.orekit.org/forge/attachments/download/613/orekit-8.0-javadoc.jar) |
version 8.0 downloads (release date: 2016-06-30)
| package | link |
|----------|---------------------------------------------------------------------------------------------------------------|
| source | [orekit-7.2.1-sources.zip](https://www.orekit.org/forge/attachments/download/xxx/orekit-7.2.1-sources.zip) |
| binary | [orekit-7.2.1.jar](https://www.orekit.org/forge/attachments/download/xxx/orekit-7.2.1.jar) |
| javadoc | [orekit-7.2.1-javadoc.jar](https://www.orekit.org/forge/attachments/download/xxx/orekit-7.2.1-javadoc.jar) |
version 7.2.1 downloads (release date: 2017-11-01)
| package | link |
|----------|-----------------------------------------------------------------------------------------------------------|
| source | [orekit-7.2-sources.zip](https://www.orekit.org/forge/attachments/download/601/orekit-7.2-sources.zip) |
......
......@@ -20,6 +20,14 @@
<title>Orekit Changes</title>
</properties>
<body>
<release version="8.0.1" date="2017-11-01"
description="Version 8.0.1 is a patch release of Orekit.
It fixes security issus 368.">
<action dev="evan" type="fix">
Disabled XML external resources when parsing rapid XML EOP files.
Part of issue #368.
</action>
</release>
<release version="8.0" date="2016-06-30"
description="Version 8.0 is a major release of Orekit. It introduces several new
features and bug fixes as well as a major dependency change. New features introduced
......
......@@ -17,10 +17,12 @@
package org.orekit.frames;
import java.net.MalformedURLException;
import java.util.Collections;
import java.util.SortedSet;
import java.util.TreeSet;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Test;
import org.orekit.data.AbstractFilesLoaderTest;
......@@ -35,6 +37,33 @@ public class RapidDataAndPredictionXMLLoaderTest extends AbstractFilesLoaderTest
private static final ChronologicalComparator COMP = new ChronologicalComparator();
@Test
public void testExternalResourcesAreIgnoredIssue368() throws OrekitException {
// setup
setRoot("external-resources");
IERSConventions.NutationCorrectionConverter converter =
IERSConventions.IERS_1996.getNutationCorrectionConverter();
SortedSet<EOPEntry> history = new TreeSet<>(new ChronologicalComparator());
RapidDataAndPredictionXMLLoader loader =
new RapidDataAndPredictionXMLLoader("^finals2000A\\..*\\.xml$");
// action
try {
loader.fillHistory(converter, history);
// verify
Assert.fail("Expected Exception");
} catch (OrekitException e) {
// Malformed URL exception indicates external resource was disabled
// file not found exception indicates parser tried to load the resource
Assert.assertThat(e.getCause(),
CoreMatchers.instanceOf(MalformedURLException.class));
}
// problem if any EOP data is loaded
Assert.assertEquals(0, history.size());
}
@Test
public void testStartDateDaily1980() throws OrekitException {
setRoot("rapid-data-xml");
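Review bot: The check `Assert.assertThat(e.getCause(), CoreMatchers.instanceOf(MalformedURLException.class));` in `testExternalResourcesAreIgnoredIssue368` pins how the JDK's Xerces reacts to an empty `InputSource` (it ends up building a URL from a null system id), not the property the test is named for; a loader that instead rejects the DOCTYPE through a parser feature, or resolves the reference to an empty stream and finishes the parse, would be at least as safe yet fail here. I would first decide whether a file carrying an external reference should abort the load (fail closed) or be read as though the reference were absent, and assert that decision; for fail-closed, keep the `fail`/`catch` shape but rule out only the fetch, `Assert.assertThat(e.getCause(), CoreMatchers.not(CoreMatchers.instanceOf(FileNotFoundException.class)));`, which matches the comment above it that names `FileNotFoundException` as the signature of an attempted load of `file:./not-a-real-file.xml`. That fixture URL is relative and so appears to resolve against the working directory, which deserves a one-line comment in the test, e.g. `// fixture DOCTYPE points at file:./not-a-real-file.xml; a fetch would surface as FileNotFoundException relative to the CWD`. The final `Assert.assertEquals(0, history.size());` is the assertion that matters and is rightly kept outside the `catch`.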
......
---------------
UTC-TAI.history
---------------
RELATIONSHIP BETWEEN TAI AND UTC
-------------------------------------------------------------------------------
Limits of validity(at 0h UTC) TAI - UTC
1961 Jan. 1 - 1961 Aug. 1 1.422 818 0s + (MJD - 37 300) x 0.001 296s
Aug. 1 - 1962 Jan. 1 1.372 818 0s + ""
1962 Jan. 1 - 1963 Nov. 1 1.845 858 0s + (MJD - 37 665) x 0.001 123 2s
1963 Nov. 1 - 1964 Jan. 1 1.945 858 0s + ""
1964 Jan. 1 - April 1 3.240 130 0s + (MJD - 38 761) x 0.001 296s
April 1 - Sept. 1 3.340 130 0s + ""
Sept. 1 - 1965 Jan. 1 3.440 130 0s + ""
1965 Jan. 1 - March 1 3.540 130 0s + ""
March 1 - Jul. 1 3.640 130 0s + ""
Jul. 1 - Sept. 1 3.740 130 0s + ""
Sept. 1 - 1966 Jan. 1 3.840 130 0s + ""
1966 Jan. 1 - 1968 Feb. 1 4.313 170 0s + (MJD - 39 126) x 0.002 592s
1968 Feb. 1 - 1972 Jan. 1 4.213 170 0s + ""
1972 Jan. 1 - Jul. 1 10s
Jul. 1 - 1973 Jan. 1 11s
1973 Jan. 1 - 1974 Jan. 1 12s
1974 Jan. 1 - 1975 Jan. 1 13s
1975 Jan. 1 - 1976 Jan. 1 14s
1976 Jan. 1 - 1977 Jan. 1 15s
1977 Jan. 1 - 1978 Jan. 1 16s
1978 Jan. 1 - 1979 Jan. 1 17s
1979 Jan. 1 - 1980 Jan. 1 18s
1980 Jan. 1 - 1981 Jul. 1 19s
1981 Jul. 1 - 1982 Jul. 1 20s
1982 Jul. 1 - 1983 Jul. 1 21s
1983 Jul. 1 - 1985 Jul. 1 22s
1985 Jul. 1 - 1988 Jan. 1 23s
1988 Jan. 1 - 1990 Jan. 1 24s
1990 Jan. 1 - 1991 Jan. 1 25s
1991 Jan. 1 - 1992 Jul. 1 26s
1992 Jul. 1.- 1993 Jul 1 27s
1993 Jul. 1 - 1994 Jul. 1 28s
1994 Jul. 1 - 1996 Jan. 1 29s
1996 Jan. 1 - 1997 Jul. 1 30s
1997 Jul. 1.- 1999 Jan. 1 31s
1999 Jan. 1.- 2006 Jan. 1 32s
2006 Jan. 1.- 2009 Jan. 1 33s
2009 Jan. 1.- 2012 Jul 1 34s
2012 Jul 1 - 2015 Jul 1 35s
2015 Jul 1 - 36s
----------------------------------------------------------------------
<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "file:./not-a-real-file.xml">
<foo>bar</foo>