File axis-CVE-2018-8032.patch of Package axis.28016
From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001
From: Andreas Veithen <veithen@apache.org>
Date: Sun, 20 May 2018 20:10:32 +0000
Subject: [PATCH] Correctly escape namespace URIs in namespace declarations.
git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68
---
 .../axis/encoding/SerializationContext.java   | 11 ++--
 axis-war/pom.xml                              | 13 +++++
 .../test/java/org/apache/axis/war/Utils.java  | 33 +++++++++++
 .../java/org/apache/axis/war/XssTest.java     | 57 +++++++++++++++++++
 .../java/test/httpunit/HttpUnitTestBase.java  |  5 +-
 .../org/apache/axis/war/getVersion-xss.xml    |  9 +++
 pom.xml                                       |  5 ++
 7 files changed, 125 insertions(+), 8 deletions(-)
 create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java
 create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java
 create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java
index 0cf0ac907..f33ec28df 100644
--- a/src/org/apache/axis/encoding/SerializationContext.java
+++ b/src/org/apache/axis/encoding/SerializationContext.java
@@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes)
                         sb.append(':');
                         sb.append(map.getPrefix());
                     }
-                    if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
+                    String qname = sb.toString();
+                    if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
                         writer.write(' ');
-                        sb.append("=\"");
-                        sb.append(map.getNamespaceURI());
-                        sb.append('"');
-                        writer.write(sb.toString());
+                        writer.write(qname);
+                        writer.write("=\"");
+                        getEncoder().writeEncoded(writer, map.getNamespaceURI());
+                        writer.write('"');
                     }
                 }
             }
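Review bot: The prefix half of the declaration is still written unescaped: `writer.write(qname)` emits `map.getPrefix()` verbatim, and only the URI goes through `getEncoder().writeEncoded(...)`. Prefixes that arrive through an XML parser are limited to name characters, so this is probably safe for request-derived mappings, but the hunk does not show whether every caller that registers a mapping guarantees that. A short comment above the write would record why the encoder is used, for example `// The namespace URI can come from the request; encode it so it cannot terminate the attribute value.` The enclosing startElement method begins and ends outside the hunk.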
diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java b/axis-war/src/test/java/org/apache/axis/war/Utils.java
new file mode 100644
index 000000000..77d03ee25
--- /dev/null
+++ b/org/apache/axis/war/Utils.java
@@ -0,0 +1,33 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis.war;
+
+import static org.junit.Assert.assertNotNull;
+
+public final class Utils {
+    private static String URL_PROPERTY = "test.functional.webapp.url";
+
+    private Utils() {}
+
+    public static String getWebappUrl() {
+        String url = System.getProperty(URL_PROPERTY);
+        assertNotNull(URL_PROPERTY + " not set", url);
+        return url;
+    }
+}
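Review bot: `URL_PROPERTY` is declared `private static String` without `final` although it is never reassigned; `private static final String URL_PROPERTY = "test.functional.webapp.url";` states the intent. `getWebappUrl()` also has no Javadoc. One sentence saying that it fails the calling test through `assertNotNull` when the system property is unset would tell callers what to expect.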
diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java
new file mode 100644
index 000000000..0504e1a8c
--- /dev/null
+++ b/org/apache/axis/war/XssTest.java
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.axis.war;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+import org.apache.commons.io.IOUtils;
+import org.junit.Test;
+
+public class XssTest {
+    /**
+     * Tests for potential XSS vulnerability in the Version service.
+     * <p>
+     * The Version service returns a body with whatever namespace URI was used in the request. If
+     * the namespace URI is not properly encoded in the response, then this creates a potential
+     * XSS vulnerability.
+     * 
+     * @throws Exception
+     */
+    @Test
+    public void testGetVersion() throws Exception {
+        HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection();
+        conn.setDoInput(true);
+        conn.setDoOutput(true);
+        conn.setRequestProperty("SOAPAction", "");
+        conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
+        InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml");
+        OutputStream out = conn.getOutputStream();
+        IOUtils.copy(payload, out);
+        payload.close();
+        out.close();
+        assertThat(conn.getResponseCode()).isEqualTo(200);
+        InputStream in = conn.getInputStream();
+        assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain("<script");
+    }
+}
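Review bot: The only content check in `testGetVersion` is `doesNotContain("<script")`, which also passes if the response stops echoing the namespace URI altogether, so the test can go green without exercising the encoder. A positive assertion on the escaped form would close that gap, e.g. `String body = IOUtils.toString(in, "UTF-8");` followed by `assertThat(body).contains("&lt;script");` (the exact escaped spelling depends on the encoder, which is not shown here). The existing match is also case-sensitive. Separately, `in` is never closed, and `payload` and `out` stay open when `IOUtils.copy` throws; try/finally blocks would cover both.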
diff --git a/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java b/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java
index 8ca191a8d..98a66b5c5 100644
--- a/test/httpunit/HttpUnitTestBase.java
+++ b/test/httpunit/HttpUnitTestBase.java
@@ -22,6 +22,7 @@
 import java.io.*;
 import java.net.MalformedURLException;
 
+import org.apache.axis.war.Utils;
 import org.xml.sax.SAXException;
 
 /**
@@ -38,14 +39,12 @@ public HttpUnitTestBase(String s) {
         super(s);
     }
 
-    private static String URL_PROPERTY="test.functional.webapp.url";
     /**
      *  The JUnit setup method
      *
      */
     public void setUp() throws Exception {
-        url=System.getProperty(URL_PROPERTY);
-        assertNotNull(URL_PROPERTY+" not set",url);
+        url = Utils.getWebappUrl();
         HttpUnitOptions.setExceptionsThrownOnErrorStatus(true);
         HttpUnitOptions.setMatchesIgnoreCase(true);
         HttpUnitOptions.setParserWarningsEnabled(true);
diff --git a/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml b/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
new file mode 100644
index 000000000..380009e16
--- /dev/null
+++ b/org/apache/axis/war/getVersion-xss.xml
@@ -0,0 +1,9 @@
+<soapenv:Envelope
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
+    xmlns:axis="http://axis.apache.org        "><script xmlns="http://www.w3.org/1999/xhtml">
            alert('Hello');
        </script>">
+  <soapenv:Body>
+    <axis:getVersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
+  </soapenv:Body>
+</soapenv:Envelope>
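Review bot: The `xmlns:axis` value is not well-formed XML as displayed here, because it contains a literal `"` and `<` inside the attribute and continues over two lines that carry no `+` marker. The hunk header declares nine added lines, so this is most likely one physical line whose character references were decoded by the page rendering. Anyone recreating the fixture should take it from the upstream commit rather than from this listing. With the text as shown, the request would be rejected by the XML parser and never reach the serializer the test is meant to cover.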