diff --git a/pom.xml b/pom.xml
index 842364c84..30b52d1a3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -440,8 +440,6 @@ under the License.
**/*element-list*
**/*package-list*
-
- src/main/resources/org/apache/maven/plugins/javadoc/frame-injection-fix.txt
src/test/resources/unit/test-javadoc-test/junit/junit/3.8.1/junit-3.8.1.pom
diff --git a/src/main/java/org/apache/maven/plugins/javadoc/AbstractJavadocMojo.java b/src/main/java/org/apache/maven/plugins/javadoc/AbstractJavadocMojo.java
index d0f1a2724..242e622b6 100644
--- a/src/main/java/org/apache/maven/plugins/javadoc/AbstractJavadocMojo.java
+++ b/src/main/java/org/apache/maven/plugins/javadoc/AbstractJavadocMojo.java
@@ -19,7 +19,6 @@
package org.apache.maven.plugins.javadoc;
import java.io.File;
-import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.Writer;
@@ -118,9 +117,7 @@
import org.codehaus.plexus.languages.java.jpms.ResolvePathsRequest;
import org.codehaus.plexus.languages.java.jpms.ResolvePathsResult;
import org.codehaus.plexus.languages.java.version.JavaVersion;
-import org.codehaus.plexus.util.DirectoryScanner;
import org.codehaus.plexus.util.FileUtils;
-import org.codehaus.plexus.util.IOUtil;
import org.codehaus.plexus.util.WriterFactory;
import org.codehaus.plexus.util.cli.CommandLineException;
import org.codehaus.plexus.util.cli.CommandLineUtils;
@@ -735,6 +732,7 @@ public AbstractJavadocMojo(
/**
* This option creates documentation with the appearance and functionality of documentation generated by
* Javadoc 1.1. This is no longer supported since Javadoc 1.4 (shipped with JDK 1.4)
+ *
* @see Javadoc option 1.1.
*/
@Parameter(property = "old", defaultValue = "false")
@@ -1567,10 +1565,13 @@ public AbstractJavadocMojo(
private List sourceFileExcludes;
/**
- * To apply a security fix on generated javadoc, see
- * 0) {
- getLog().info(String.format(
- "Fixed Javadoc frame injection vulnerability (CVE-2013-1571) in %d files.", patched));
- }
- } catch (IOException e) {
- throw new MavenReportException("Failed to patch javadocs vulnerability: " + e.getMessage(), e);
- }
- } else {
- getLog().info("applying javadoc security fix has been disabled");
- }
}
/**
@@ -5197,53 +5184,7 @@ private boolean isInformationalOutput(String str) {
}
/**
- * Patches the given Javadoc output directory to work around CVE-2013-1571
- * (see http://www.kb.cert.org/vuls/id/225657).
- *
- * @param javadocOutputDirectory directory to scan for vulnerabilities
- * @param outputEncoding encoding used by the javadoc tool (-docencoding parameter).
- * If {@code null}, the platform's default encoding is used (like javadoc does).
- * @return the number of patched files
- */
- private int fixFrameInjectionBug(File javadocOutputDirectory, String outputEncoding) throws IOException {
- final String fixData;
-
- try (InputStream in = this.getClass().getResourceAsStream("frame-injection-fix.txt")) {
- if (in == null) {
- throw new FileNotFoundException("Missing resource 'frame-injection-fix.txt' in classpath.");
- }
- fixData = org.codehaus.plexus.util.StringUtils.unifyLineSeparators(IOUtil.toString(in, "US-ASCII"))
- .trim();
- }
-
- final DirectoryScanner ds = new DirectoryScanner();
- ds.setBasedir(javadocOutputDirectory);
- ds.setCaseSensitive(false);
- ds.setIncludes(new String[] {"**/index.html", "**/index.htm", "**/toc.html", "**/toc.htm"});
- ds.addDefaultExcludes();
- ds.scan();
- int patched = 0;
- for (String f : ds.getIncludedFiles()) {
- final File file = new File(javadocOutputDirectory, f);
- // we load the whole file as one String (toc/index files are
- // generally small, because they only contain frameset declaration):
- final String fileContents = FileUtils.fileRead(file, outputEncoding);
- // check if file may be vulnerable because it was not patched with "validURL(url)":
- if (!StringUtils.contains(fileContents, "function validURL(url) {")) {
- // we need to patch the file!
- final String patchedFileContents =
- StringUtils.replaceOnce(fileContents, "function loadFrames() {", fixData);
- if (!patchedFileContents.equals(fileContents)) {
- FileUtils.fileWrite(file, outputEncoding, patchedFileContents);
- patched++;
- }
- }
- }
- return patched;
- }
-
- /**
- * @param outputFile not nul
+ * @param outputFile not null
* @param inputResourceName a not null resource in src/main/java, src/main/resources or
* src/main/javadoc or in the Javadoc plugin dependencies.
* @return the resource file absolute path as String
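Review bot: With `fixFrameInjectionBug` removed in this hunk, nothing on the new side records that generated `index`/`toc` pages are no longer checked for the CVE-2013-1571 frame-injection fix, so output from a javadoc tool that predates the upstream fix would now be published unpatched and without any log line. The removed code only rewrote files lacking `function validURL(url) {`, which suggests it was already a no-op for current tools, but that assumption is not stated anywhere in the remaining code. I would add a sentence to the goal's Javadoc, for example `Generated pages are no longer post-processed for CVE-2013-1571; use a javadoc tool that already emits the fixed frame script.`, and, if the toggle removed in the earlier hunk was a user-visible parameter, note its removal in the release notes. The method whose Javadoc follows the deletion continues past the end of this hunk.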
diff --git a/src/main/resources/org/apache/maven/plugins/javadoc/frame-injection-fix.txt b/src/main/resources/org/apache/maven/plugins/javadoc/frame-injection-fix.txt
deleted file mode 100644
index fcc4d9b04..000000000
--- a/src/main/resources/org/apache/maven/plugins/javadoc/frame-injection-fix.txt
+++ /dev/null
@@ -1,37 +0,0 @@
- if (targetPage != "" && !validURL(targetPage))
- targetPage = "undefined";
- function validURL(url) {
- var pos = url.indexOf(".html");
- if (pos == -1 || pos != url.length - 5)
- return false;
- var allowNumber = false;
- var allowSep = false;
- var seenDot = false;
- for (var i = 0; i < url.length - 5; i++) {
- var ch = url.charAt(i);
- if ('a' <= ch && ch <= 'z' ||
- 'A' <= ch && ch <= 'Z' ||
- ch == '$' ||
- ch == '_') {
- allowNumber = true;
- allowSep = true;
- } else if ('0' <= ch && ch <= '9'
- || ch == '-') {
- if (!allowNumber)
- return false;
- } else if (ch == '/' || ch == '.') {
- if (!allowSep)
- return false;
- allowNumber = false;
- allowSep = false;
- if (ch == '.')
- seenDot = true;
- if (ch == '/' && seenDot)
- return false;
- } else {
- return false;
- }
- }
- return true;
- }
- function loadFrames() {
\ No newline at end of file