From: Dave B. <bla...@us...> - 2012-11-15 14:46:08
Update of /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util
In directory vz-cvs-3.sog:/tmp/cvs-serv26355/src/org/sblim/cimclient/internal/util
Modified Files:
WBEMConfiguration.java Util.java
WBEMConfigurationDefaults.java
Log Message:
3572993 parseDouble("2.2250738585072012e-308") DoS vulnerability
Index: WBEMConfigurationDefaults.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/WBEMConfigurationDefaults.java,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -d -r1.31 -r1.32
--- WBEMConfigurationDefaults.java 10 Sep 2012 10:18:43 -0000 1.31
+++ WBEMConfigurationDefaults.java 15 Nov 2012 14:46:05 -0000 1.32
@@ -36,6 +36,7 @@
* 3492224 2012-02-23 blaschke-oss Need two different timeouts for Socket connections
* 3521157 2012-05-10 blaschke-oss JSR48 1.0.0: PROP_ENABLE_*_LOGGING is Level, not 0/1
* 3536399 2012-08-25 hellerda Add client/listener peer authentication properties
+ * 3572993 2012-10-01 blaschke-oss parseDouble("2.2250738585072012e-308") DoS vulnerability
*/
package org.sblim.cimclient.internal.util;
@@ -291,4 +292,9 @@
*/
public static final String SSL_LISTENER_PEER_VERIFICATION = "ignore";
+ /**
+ * VERIFY_JAVA_LANG_DOUBLE_STRINGS
+ */
+ public static final String VERIFY_JAVA_LANG_DOUBLE_STRINGS = "true";
+
}
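Review bot: The Javadoc on the new constant only repeats its name, `VERIFY_JAVA_LANG_DOUBLE_STRINGS`, and says nothing about what the property controls or why the default is enabled. Suggest `/** Default for checking that strings handed to Double.parseDouble lie outside the range that triggers the JVM hang of Sun bug 4421494 ("true" = check enabled). */`.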
Index: Util.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/Util.java,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -d -r1.4 -r1.5
--- Util.java 5 Mar 2009 16:59:21 -0000 1.4
+++ Util.java 15 Nov 2012 14:46:05 -0000 1.5
@@ -1,5 +1,5 @@
/**
- * (C) Copyright IBM Corp. 2006, 2009
+ * (C) Copyright IBM Corp. 2006, 2012
*
* THIS FILE IS PROVIDED UNDER THE TERMS OF THE ECLIPSE PUBLIC LICENSE
* ("AGREEMENT"). ANY USE, REPRODUCTION OR DISTRIBUTION OF THIS FILE
@@ -15,10 +15,13 @@
* 1565892 2006-10-18 ebak Make SBLIM client JSR48 compliant
* 2003590 2008-06-30 blaschke-oss Change licensing from CPL to EPL
* 2524131 2009-01-21 raman_arora Upgrade client to JDK 1.5 (Phase 1)
+ * 3572993 2012-10-01 blaschke-oss parseDouble("2.2250738585072012e-308") DoS vulnerability
*/
package org.sblim.cimclient.internal.util;
+import java.math.BigDecimal;
+
/**
* Class Util is responsible for storing commonly used static methods.
*/
@@ -42,4 +45,33 @@
return dstBuf.toString();
}
+ /*
+ * Sun bug 4421494 identifies a range of <code>java.lang.Double</code>
+ * values that will hang the JVM due to an error in
+ * <code>FloatingDecimal.doubleValue()</code> that results in an infinite
+ * loop. The range is defined as (<code>lowBadDouble</code>,
+ * <code>hiBadDouble</code>).
+ */
+ private static final BigDecimal lowBadDouble = new BigDecimal(
+ "2.225073858507201136057409796709131975934E-308");
+
+ private static final BigDecimal hiBadDouble = new BigDecimal(
+ "2.225073858507201259573821257020768020078E-308");
+
+ /**
+ * isBadDoubleString checks if passed string could hang JVM.
+ *
+ * @param s
+ * A string to be converted to a Double.
+ * @return <code>true</code> if double is in range of bad values,
+ * <code>false</code> otherwise.
+ */
+ public static boolean isBadDoubleString(String s) {
+ BigDecimal val = new BigDecimal(s);
+ BigDecimal min = val.min(lowBadDouble);
+ BigDecimal max = val.max(hiBadDouble);
+
+ // Do not use string if min < value < max
+ return (min.compareTo(val) < 0 && max.compareTo(val) > 0);
+ }
}
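Review bot: `new BigDecimal(s)` at the top of isBadDoubleString accepts a narrower grammar than `Double.parseDouble`, so the guard throws `NumberFormatException` on input the parser itself would take: surrounding whitespace, a `d`/`D`/`f`/`F` type suffix, `NaN`, `Infinity` and hex literals. The range test also runs on the signed value, so a leading `-` would bypass it if the faulty routine handles the sign separately from the digit conversion, which is likely but should be confirmed against bug 4421494. The min/max detour is an indirect way of writing `lowBadDouble < val < hiBadDouble`. The rewrite below normalizes whitespace and the type suffix the way the parser does, compares the magnitude, and spells the range test directly; the Javadoc should additionally gain `@throws NumberFormatException if {@code s} is not a numeric literal` since that exception now escapes on purpose.
```java
public static boolean isBadDoubleString(String s) {
    // Normalize as Double.parseDouble does before inspecting the digits:
    // surrounding whitespace and an optional float/double type suffix are legal there.
    String digits = s.trim();
    int last = digits.length() - 1;
    if (last >= 0 && "dDfF".indexOf(digits.charAt(last)) >= 0) {
        digits = digits.substring(0, last);
    }
    // abs(): assumes the sign plays no part in the faulty conversion — confirm against bug 4421494
    BigDecimal val = new BigDecimal(digits).abs();
    // Reject the string if lowBadDouble < |value| < hiBadDouble
    return val.compareTo(lowBadDouble) > 0 && val.compareTo(hiBadDouble) < 0;
}
```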
Index: WBEMConfiguration.java
===================================================================
RCS file: /cvsroot/sblim/jsr48-client/src/org/sblim/cimclient/internal/util/WBEMConfiguration.java,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -d -r1.44 -r1.45
--- WBEMConfiguration.java 10 Sep 2012 10:18:43 -0000 1.44
+++ WBEMConfiguration.java 15 Nov 2012 14:46:04 -0000 1.45
@@ -42,6 +42,7 @@
* 3521157 2012-05-10 blaschke-oss JSR48 1.0.0: PROP_ENABLE_*_LOGGING is Level, not 0/1
* 3524050 2012-06-06 blaschke-oss Improve WWW-Authenticate in HTTPClient.java
* 3536399 2012-08-25 hellerda Add client/listener peer authentication properties
+ * 3572993 2012-10-01 blaschke-oss parseDouble("2.2250738585072012e-308") DoS vulnerability
*/
package org.sblim.cimclient.internal.util;
@@ -1003,4 +1004,18 @@
getProperty(WBEMConfigurationProperties.LISTENER_ADD_SENDER_IP_ADDRESS,
WBEMConfigurationDefaults.LISTENER_ADD_SENDER_IP_ADDRESS)).booleanValue();
}
+
+ /**
+ * Returns whether the client will attempt to verify strings passed into the
+ * <code>java.lang.Double</code> constructor or its <code>parseDouble</code>
+ * method won't hang the JVM in an infinite loop.
+ *
+ * @return <code>true</code> if the client will attempt to verify strings
+ * passed to <code>Double</code>, <code>false</code> otherwise
+ */
+ public boolean verifyJavaLangDoubleStrings() {
+ return Boolean.valueOf(
+ getProperty(WBEMConfigurationProperties.VERIFY_JAVA_LANG_DOUBLE_STRINGS,
+ WBEMConfigurationDefaults.VERIFY_JAVA_LANG_DOUBLE_STRINGS)).booleanValue();
+ }
}
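Review bot: `Boolean.valueOf(...)` in verifyJavaLangDoubleStrings yields false for any value other than a case-insensitive "true", so a mistyped setting such as "yes" or "1" silently switches the hang protection off. Because this property exists to keep the JVM from hanging on hostile input, the safer reading is fail-closed — disable only on an explicit opt-out, e.g. `return !"false".equalsIgnoreCase(getProperty(WBEMConfigurationProperties.VERIFY_JAVA_LANG_DOUBLE_STRINGS, WBEMConfigurationDefaults.VERIFY_JAVA_LANG_DOUBLE_STRINGS));` — or at least log the unrecognized value. The current form does follow the neighbouring boolean getters, so it may be a deliberate convention; the enclosing class continues outside the hunk.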