Posted to java-commits@axis.apache.org by ve...@apache.org on 2010/06/13 23:42:13 UTC
svn commit: r954315 - in /axis/axis2/java/core/security: ./
secfix-cve-2010-1632/ secfix-cve-2010-1632/src/
secfix-cve-2010-1632/src/main/ secfix-cve-2010-1632/src/main/java/
secfix-cve-2010-1632/src/main/java/org/
secfix-cve-2010-1632/src/main/java/or...
Author: veithen
Date: Sun Jun 13 21:42:13 2010
New Revision: 954315
URL: http://svn.apache.org/viewvc?rev=954315&view=rev
Log:
Security advisory and fix for CVE-2010-1632.
Added:
axis/axis2/java/core/security/CVE-2010-1632.pdf (with props)
axis/axis2/java/core/security/secfix-cve-2010-1632/
axis/axis2/java/core/security/secfix-cve-2010-1632/pom.xml (with props)
axis/axis2/java/core/security/secfix-cve-2010-1632/src/
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/DisallowDoctypeDeclStreamReaderWrapper.java (with props)
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/SecureApplicationXMLBuilder.java (with props)
axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/XMLStreamReaderWrapper.java (with props)
Added: axis/axis2/java/core/security/CVE-2010-1632.pdf
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/CVE-2010-1632.pdf?rev=954315&view=auto
==============================================================================
Binary file - no diff available.
Propchange: axis/axis2/java/core/security/CVE-2010-1632.pdf
------------------------------------------------------------------------------
svn:mime-type = application/octet-stream
Added: axis/axis2/java/core/security/secfix-cve-2010-1632/pom.xml
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/secfix-cve-2010-1632/pom.xml?rev=954315&view=auto
==============================================================================
--- axis/axis2/java/core/security/secfix-cve-2010-1632/pom.xml (added)
+++ axis/axis2/java/core/security/secfix-cve-2010-1632/pom.xml Sun Jun 13 21:42:13 2010
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache</groupId>
+ <artifactId>apache</artifactId>
+ <version>7</version>
+ </parent>
+ <groupId>org.apache.axis2</groupId>
+ <artifactId>secfix-cve-2010-1632</artifactId>
+ <version>1</version>
+ <name>Axis2 Security Fix for CVE-2010-1632</name>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.axis2</groupId>
+ <artifactId>axis2-kernel</artifactId>
+ <version>1.4</version>
+ </dependency>
+ </dependencies>
+</project>
\ No newline at end of file
Propchange: axis/axis2/java/core/security/secfix-cve-2010-1632/pom.xml
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/DisallowDoctypeDeclStreamReaderWrapper.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/DisallowDoctypeDeclStreamReaderWrapper.java?rev=954315&view=auto
==============================================================================
--- axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/DisallowDoctypeDeclStreamReaderWrapper.java (added)
+++ axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/DisallowDoctypeDeclStreamReaderWrapper.java Sun Jun 13 21:42:13 2010
@@ -0,0 +1,38 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axis2.builder;
+
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+
+// Taken from Axiom 1.2.9 (package org.apache.axiom.util.stax.dialect)
+class DisallowDoctypeDeclStreamReaderWrapper extends XMLStreamReaderWrapper {
+ public DisallowDoctypeDeclStreamReaderWrapper(XMLStreamReader parent) {
+ super(parent);
+ }
+
+ public int next() throws XMLStreamException {
+ int event = super.next();
+ if (event == DTD) {
+ throw new XMLStreamException("DOCTYPE is not allowed");
+ }
+ return event;
+ }
+}
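Review bot: The guard in next() only fires after super.next() has already returned the DTD event, so whatever the underlying parser did while reading the DOCTYPE declaration (which may include resolving an external subset, depending on the StAX implementation) has already happened by the time the exception is thrown; the XMLInputFactory settings in SecureApplicationXMLBuilder are therefore the primary control and this wrapper is a backstop. A class comment stating that would help, e.g. `// Defense in depth: rejects any DTD event that reaches the application. The parser must already be configured with SUPPORT_DTD=false so that DOCTYPE content is never processed.` Note also that nextTag() and getElementText() are inherited unchanged from XMLStreamReaderWrapper and delegate straight to the parent, bypassing this check; per the StAX contract nextTag() rejects a DTD event with its own exception, but the message will not be "DOCTYPE is not allowed", so the observed behaviour differs by entry point.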
Propchange: axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/DisallowDoctypeDeclStreamReaderWrapper.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/SecureApplicationXMLBuilder.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/SecureApplicationXMLBuilder.java?rev=954315&view=auto
==============================================================================
--- axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/SecureApplicationXMLBuilder.java (added)
+++ axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/SecureApplicationXMLBuilder.java Sun Jun 13 21:42:13 2010
@@ -0,0 +1,88 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axis2.builder;
+
+import org.apache.axiom.om.OMAbstractFactory;
+import org.apache.axiom.om.OMElement;
+import org.apache.axiom.om.impl.OMNodeEx;
+import org.apache.axiom.om.impl.builder.StAXBuilder;
+import org.apache.axiom.om.impl.builder.StAXOMBuilder;
+import org.apache.axiom.soap.SOAPBody;
+import org.apache.axiom.soap.SOAPEnvelope;
+import org.apache.axiom.soap.SOAPFactory;
+import org.apache.axis2.AxisFault;
+import org.apache.axis2.Constants;
+import org.apache.axis2.context.MessageContext;
+
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.PushbackInputStream;
+
+// Based on ApplicationXMLBuilder r559336
+public class SecureApplicationXMLBuilder implements Builder {
+ private final XMLInputFactory inputFactory;
+
+ public SecureApplicationXMLBuilder() {
+ // Older versions of Axiom don't allow to apply custom settings to XMLInputFactory;
+ // we need to create our own one.
+ inputFactory = XMLInputFactory.newInstance();
+ inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
+ inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
+ inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+ }
+
+ /**
+ * @return Returns the document element.
+ */
+ public OMElement processDocument(InputStream inputStream, String contentType,
+ MessageContext messageContext)
+ throws AxisFault {
+ SOAPFactory soapFactory = OMAbstractFactory.getSOAP11Factory();
+ SOAPEnvelope soapEnvelope = soapFactory.getDefaultEnvelope();
+ if (inputStream != null) {
+ try {
+ PushbackInputStream pushbackInputStream = new PushbackInputStream(inputStream);
+ int b;
+ if ((b = pushbackInputStream.read()) > 0) {
+ pushbackInputStream.unread(b);
+ XMLStreamReader xmlreader = new DisallowDoctypeDeclStreamReaderWrapper(
+ inputFactory.createXMLStreamReader(pushbackInputStream,
+ (String) messageContext.getProperty(
+ Constants.Configuration.CHARACTER_SET_ENCODING)));
+ StAXBuilder builder = new StAXOMBuilder(xmlreader);
+ OMNodeEx documentElement = (OMNodeEx) builder.getDocumentElement();
+ documentElement.setParent(null);
+ SOAPBody body = soapEnvelope.getBody();
+ body.addChild(documentElement);
+ }
+
+ } catch (XMLStreamException e) {
+ throw AxisFault.makeFault(e);
+ } catch (IOException e) {
+ throw AxisFault.makeFault(e);
+ }
+ }
+ return soapEnvelope;
+ }
+}
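Review bot: The XMLStreamException thrown by DisallowDoctypeDeclStreamReaderWrapper.next() is unlikely to reach the `} catch (XMLStreamException e) {` in processDocument, because the reader is advanced inside StAXOMBuilder (getDocumentElement() and later deferred building), and as far as I recall Axiom 1.2.x's StAXOMBuilder.next() wraps XMLStreamException in an unchecked OMException; a request carrying a DOCTYPE would then surface as a raw OMException rather than an AxisFault, which should be confirmed against the Axiom version in use and, if so, handled with `} catch (OMException e) { throw AxisFault.makeFault(e); }` (org.apache.axiom.om.OMException would need importing). Separately, the first-byte probe `if ((b = pushbackInputStream.read()) > 0)` treats a leading 0x00 byte the same as end of stream (read() returns -1 only at EOF), so `>= 0` is the accurate test; this is carried over from ApplicationXMLBuilder and a NUL byte is not well-formed XML anyway, so it only changes which error the caller sees. A class-level Javadoc naming the three XMLInputFactory properties set in the constructor as the security control for CVE-2010-1632 would also help future maintainers understand why this class must not fall back to the default Axiom factory.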
Propchange: axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/SecureApplicationXMLBuilder.java
------------------------------------------------------------------------------
svn:eol-style = native
Added: axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/XMLStreamReaderWrapper.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/XMLStreamReaderWrapper.java?rev=954315&view=auto
==============================================================================
--- axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/XMLStreamReaderWrapper.java (added)
+++ axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/XMLStreamReaderWrapper.java Sun Jun 13 21:42:13 2010
@@ -0,0 +1,230 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axis2.builder;
+
+import javax.xml.namespace.NamespaceContext;
+import javax.xml.namespace.QName;
+import javax.xml.stream.Location;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+
+// Taken from Axiom 1.2.9 (package org.apache.axiom.util.stax.wrapper)
+class XMLStreamReaderWrapper implements XMLStreamReader {
+ private final XMLStreamReader parent;
+
+ /**
+ * Constructor.
+ *
+ * @param parent the parent reader
+ */
+ public XMLStreamReaderWrapper(XMLStreamReader parent) {
+ this.parent = parent;
+ }
+
+ /**
+ * Get Parent
+ * Note that setParent is intentionally omitted. XMLStreamReaderWrapper is immutable.
+ * @return XMLStreamReader parent
+ */
+ public XMLStreamReader getParent() {
+ return parent;
+ }
+
+ public void close() throws XMLStreamException {
+ parent.close();
+ }
+
+ public int getAttributeCount() {
+ return parent.getAttributeCount();
+ }
+
+ public String getAttributeLocalName(int index) {
+ return parent.getAttributeLocalName(index);
+ }
+
+ public QName getAttributeName(int index) {
+ return parent.getAttributeName(index);
+ }
+
+ public String getAttributeNamespace(int index) {
+ return parent.getAttributeNamespace(index);
+ }
+
+ public String getAttributePrefix(int index) {
+ return parent.getAttributePrefix(index);
+ }
+
+ public String getAttributeType(int index) {
+ return parent.getAttributeType(index);
+ }
+
+ public String getAttributeValue(int index) {
+ return parent.getAttributeValue(index);
+ }
+
+ public String getAttributeValue(String namespaceURI, String localName) {
+ return parent.getAttributeValue(namespaceURI, localName);
+ }
+
+ public String getCharacterEncodingScheme() {
+ return parent.getCharacterEncodingScheme();
+ }
+
+ public String getElementText() throws XMLStreamException {
+ return parent.getElementText();
+ }
+
+ public String getEncoding() {
+ return parent.getEncoding();
+ }
+
+ public int getEventType() {
+ return parent.getEventType();
+ }
+
+ public String getLocalName() {
+ return parent.getLocalName();
+ }
+
+ public Location getLocation() {
+ return parent.getLocation();
+ }
+
+ public QName getName() {
+ return parent.getName();
+ }
+
+ public NamespaceContext getNamespaceContext() {
+ return parent.getNamespaceContext();
+ }
+
+ public int getNamespaceCount() {
+ return parent.getNamespaceCount();
+ }
+
+ public String getNamespacePrefix(int index) {
+ return parent.getNamespacePrefix(index);
+ }
+
+ public String getNamespaceURI() {
+ return parent.getNamespaceURI();
+ }
+
+ public String getNamespaceURI(int index) {
+ return parent.getNamespaceURI(index);
+ }
+
+ public String getNamespaceURI(String prefix) {
+ return parent.getNamespaceURI(prefix);
+ }
+
+ public String getPIData() {
+ return parent.getPIData();
+ }
+
+ public String getPITarget() {
+ return parent.getPITarget();
+ }
+
+ public String getPrefix() {
+ return parent.getPrefix();
+ }
+
+ public Object getProperty(String name) throws IllegalArgumentException {
+ return parent.getProperty(name);
+ }
+
+ public String getText() {
+ return parent.getText();
+ }
+
+ public char[] getTextCharacters() {
+ return parent.getTextCharacters();
+ }
+
+ public int getTextCharacters(int sourceStart, char[] target, int targetStart, int length)
+ throws XMLStreamException {
+ return parent.getTextCharacters(sourceStart, target, targetStart, length);
+ }
+
+ public int getTextLength() {
+ return parent.getTextLength();
+ }
+
+ public int getTextStart() {
+ return parent.getTextStart();
+ }
+
+ public String getVersion() {
+ return parent.getVersion();
+ }
+
+ public boolean hasName() {
+ return parent.hasName();
+ }
+
+ public boolean hasNext() throws XMLStreamException {
+ return parent.hasNext();
+ }
+
+ public boolean hasText() {
+ return parent.hasText();
+ }
+
+ public boolean isAttributeSpecified(int index) {
+ return parent.isAttributeSpecified(index);
+ }
+
+ public boolean isCharacters() {
+ return parent.isCharacters();
+ }
+
+ public boolean isEndElement() {
+ return parent.isEndElement();
+ }
+
+ public boolean isStandalone() {
+ return parent.isStandalone();
+ }
+
+ public boolean isStartElement() {
+ return parent.isStartElement();
+ }
+
+ public boolean isWhiteSpace() {
+ return parent.isWhiteSpace();
+ }
+
+ public int next() throws XMLStreamException {
+ return parent.next();
+ }
+
+ public int nextTag() throws XMLStreamException {
+ return parent.nextTag();
+ }
+
+ public void require(int type, String namespaceURI, String localName) throws XMLStreamException {
+ parent.require(type, namespaceURI, localName);
+ }
+
+ public boolean standaloneSet() {
+ return parent.standaloneSet();
+ }
+}
Propchange: axis/axis2/java/core/security/secfix-cve-2010-1632/src/main/java/org/apache/axis2/builder/XMLStreamReaderWrapper.java
------------------------------------------------------------------------------
svn:eol-style = native