Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE
axis.8907
axis-CVE-2018-8032.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File axis-CVE-2018-8032.patch of Package axis.8907
From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001 From: Andreas Veithen <veithen@apache.org> Date: Sun, 20 May 2018 20:10:32 +0000 Subject: [PATCH] Correctly escape namespace URIs in namespace declarations. git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68 --- .../axis/encoding/SerializationContext.java | 11 ++-- axis-war/pom.xml | 13 +++++ .../test/java/org/apache/axis/war/Utils.java | 33 +++++++++++ .../java/org/apache/axis/war/XssTest.java | 57 +++++++++++++++++++ .../java/test/httpunit/HttpUnitTestBase.java | 5 +- .../org/apache/axis/war/getVersion-xss.xml | 9 +++ pom.xml | 5 ++ 7 files changed, 125 insertions(+), 8 deletions(-) create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java index 0cf0ac907..f33ec28df 100644 --- a/src/org/apache/axis/encoding/SerializationContext.java +++ b/src/org/apache/axis/encoding/SerializationContext.java @@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes) sb.append(':'); sb.append(map.getPrefix()); } - if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) { + String qname = sb.toString(); + if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) { writer.write(' '); - sb.append("=\""); - sb.append(map.getNamespaceURI()); - sb.append('"'); - writer.write(sb.toString()); + writer.write(qname); + writer.write("=\""); + getEncoder().writeEncoded(writer, map.getNamespaceURI()); + writer.write('"'); } } } diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java b/axis-war/src/test/java/org/apache/axis/war/Utils.java new file mode 100644 index 000000000..77d03ee25 --- /dev/null +++ b/org/apache/axis/war/Utils.java @@ -0,0 +1,33 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.axis.war; + +import static org.junit.Assert.assertNotNull; + +public final class Utils { + private static String URL_PROPERTY = "test.functional.webapp.url"; + + private Utils() {} + + public static String getWebappUrl() { + String url = System.getProperty(URL_PROPERTY); + assertNotNull(URL_PROPERTY + " not set", url); + return url; + } +} diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java new file mode 100644 index 000000000..0504e1a8c --- /dev/null +++ b/org/apache/axis/war/XssTest.java @@ -0,0 +1,57 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.axis.war; + +import static com.google.common.truth.Truth.assertThat; + +import java.io.InputStream; +import java.io.OutputStream; +import java.net.HttpURLConnection; +import java.net.URL; + +import org.apache.commons.io.IOUtils; +import org.junit.Test; + +public class XssTest { + /** + * Tests for potential XSS vulnerability in the Version service. + * <p> + * The Version service returns a body with whatever namespace URI was used in the request. If + * the namespace URI is not properly encoded in the response, then this creates a potential + * XSS vulnerability. + * + * @throws Exception + */ + @Test + public void testGetVersion() throws Exception { + HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection(); + conn.setDoInput(true); + conn.setDoOutput(true); + conn.setRequestProperty("SOAPAction", ""); + conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8"); + InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml"); + OutputStream out = conn.getOutputStream(); + IOUtils.copy(payload, out); + payload.close(); + out.close(); + assertThat(conn.getResponseCode()).isEqualTo(200); + InputStream in = conn.getInputStream(); + assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain("<script"); + } +} diff --git a/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java b/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java index 8ca191a8d..98a66b5c5 100644 --- a/test/httpunit/HttpUnitTestBase.java +++ b/test/httpunit/HttpUnitTestBase.java @@ -22,6 +22,7 @@ import java.io.*; import java.net.MalformedURLException; +import org.apache.axis.war.Utils; import org.xml.sax.SAXException; /** @@ -38,14 +39,12 @@ public HttpUnitTestBase(String s) { super(s); } - private static String URL_PROPERTY="test.functional.webapp.url"; /** * The JUnit setup method * */ public void setUp() throws Exception { - url=System.getProperty(URL_PROPERTY); - assertNotNull(URL_PROPERTY+" not set",url); + url = Utils.getWebappUrl(); HttpUnitOptions.setExceptionsThrownOnErrorStatus(true); HttpUnitOptions.setMatchesIgnoreCase(true); HttpUnitOptions.setParserWarningsEnabled(true); diff --git a/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml b/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml new file mode 100644 index 000000000..380009e16 --- /dev/null +++ b/org/apache/axis/war/getVersion-xss.xml @@ -0,0 +1,9 @@ +<soapenv:Envelope + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xmlns:xsd="http://www.w3.org/2001/XMLSchema" + xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" + xmlns:axis="http://axis.apache.org        "><script xmlns="http://www.w3.org/1999/xhtml">
            alert('Hello');
        </script>"> + <soapenv:Body> + <axis:getVersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/> + </soapenv:Body> +</soapenv:Envelope>
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
