Posted to java-commits@axis.apache.org by ve...@apache.org on 2017/04/23 11:40:21 UTC
svn commit: r1792354 - in /axis/axis2/java/core/branches/1_7: ./
modules/transport/http/src/org/apache/axis2/transport/http/
Author: veithen
Date: Sun Apr 23 11:40:21 2017
New Revision: 1792354
URL: http://svn.apache.org/viewvc?rev=1792354&view=rev
Log:
AXIS2-5846: Merge r1792353 to the 1.7 branch.
Modified:
axis/axis2/java/core/branches/1_7/ (props changed)
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
Propchange: axis/axis2/java/core/branches/1_7/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Apr 23 11:40:21 2017
@@ -1,4 +1,4 @@
/axis/axis2/java/core/branches/1_6:1295540
/axis/axis2/java/core/branches/AXIOM-420:1334386-1336397
/axis/axis2/java/core/branches/AXIS2-4318:1230452,1295542,1324772,1327468,1329571,1332141,1335355,1335357,1340985
-/axis/axis2/java/core/trunk:1726494,1726509,1726513,1727171,1727174,1727177,1727180,1729891,1730095,1730139,1730180,1730186,1730195,1730197,1730222,1730300,1730308,1730310,1730317,1730322,1730335,1730369,1730427,1730618,1731425,1731441,1731446,1731448,1732354,1733137,1733663,1733713,1733766,1733770,1733773,1733850,1734176,1735331,1735795,1736512,1736543,1737030,1737567,1739001,1739186,1739343,1739346,1739348,1739493,1739592,1739594-1739595,1739815,1739826,1740693-1740694,1741976,1742201,1743824,1745826,1745860,1745869,1745875,1745912,1745924,1745929,1745941,1746001,1746028,1746109,1746782,1746784,1746787,1746813,1746842,1746880,1746883,1746889,1746894,1747448,1747466,1747503,1747575,1747578,1747601,1747773,1747920,1751057,1752039,1765132,1765183,1765188,1765193,1775081,1775102,1776253,1776585,1776594,1778204,1780290
+/axis/axis2/java/core/trunk:1726494,1726509,1726513,1727171,1727174,1727177,1727180,1729891,1730095,1730139,1730180,1730186,1730195,1730197,1730222,1730300,1730308,1730310,1730317,1730322,1730335,1730369,1730427,1730618,1731425,1731441,1731446,1731448,1732354,1733137,1733663,1733713,1733766,1733770,1733773,1733850,1734176,1735331,1735795,1736512,1736543,1737030,1737567,1739001,1739186,1739343,1739346,1739348,1739493,1739592,1739594-1739595,1739815,1739826,1740693-1740694,1741976,1742201,1743824,1745826,1745860,1745869,1745875,1745912,1745924,1745929,1745941,1746001,1746028,1746109,1746782,1746784,1746787,1746813,1746842,1746880,1746883,1746889,1746894,1747448,1747466,1747503,1747575,1747578,1747601,1747773,1747920,1751057,1752039,1765132,1765183,1765188,1765193,1775081,1775102,1776253,1776585,1776594,1778204,1780290,1792353
Modified: axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java?rev=1792354&r1=1792353&r2=1792354&view=diff
==============================================================================
--- axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java (original)
+++ axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java Sun Apr 23 11:40:21 2017
@@ -54,6 +54,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.SocketException;
+import java.net.URL;
+import java.net.URLClassLoader;
import java.util.Iterator;
import java.util.Map;
import java.util.zip.GZIPInputStream;
@@ -382,4 +384,20 @@ public class HTTPTransportUtils {
epr.append('/');
return new EndpointReference[]{new EndpointReference(epr.toString())};
}
+
+ static InputStream getMetaInfResourceAsStream(AxisService service, String name) {
+ ClassLoader classLoader = service.getClassLoader();
+ if (classLoader instanceof URLClassLoader) {
+ // Only search the service class loader and skip searching the ancestors to
+ // avoid local file inclusion vulnerabilities such as AXIS2-5846.
+ URL url = ((URLClassLoader)classLoader).findResource("META-INF/" + name);
+ try {
+ return url == null ? null : url.openStream();
+ } catch (IOException ex) {
+ return null;
+ }
+ } else {
+ return null;
+ }
+ }
}
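Review bot: `getMetaInfResourceAsStream` narrows which class loader is searched, but `name` still goes into `"META-INF/" + name` unchecked, so a value containing `..` segments may resolve outside META-INF within the service's own class path entries. How `findResource` treats such names likely depends on whether the entry is a jar or a directory, so it is worth a test for both. A guard before the lookup, such as `if (name == null || name.contains("..")) return null;`, would make the restriction explicit rather than dependent on loader behaviour. Separately, the `catch (IOException ex)` branch and the non-`URLClassLoader` branch both return null silently. A debug-level log line in each would let an operator tell a missing resource from a failed read or an unsupported loader type.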
Modified: axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java?rev=1792354&r1=1792353&r2=1792354&view=diff
==============================================================================
--- axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java (original)
+++ axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java Sun Apr 23 11:40:21 2017
@@ -22,7 +22,6 @@ package org.apache.axis2.transport.http;
import org.apache.axis2.Constants;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.MessageContext;
-import org.apache.axis2.deployment.DeploymentConstants;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.engine.Handler.InvocationResponse;
@@ -100,8 +99,7 @@ public class HTTPWorker implements Worke
Iterator i = services.values().iterator();
while (i.hasNext()) {
AxisService service = (AxisService) i.next();
- InputStream stream = service.getClassLoader().
- getResourceAsStream("META-INF/" + file);
+ InputStream stream = HTTPTransportUtils.getMetaInfResourceAsStream(service, file);
if (stream != null) {
OutputStream out = response.getOutputStream();
response.setContentType("text/xml");
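Review bot: The `while (i.hasNext())` loop around the new call still tries every deployed service, so `file` is resolved against each service's META-INF in turn and the first hit is written out as `text/xml`, regardless of which service the request addressed. If the request path identifies a service, resolving only against that one would shrink what a single request can reach. The ListingAgent hunk has the same pattern around `getMetaInfResourceAsStream(service, schema)`. The stream now comes from `URL.openStream()`, and its close is not visible in either hunk, so please confirm that it is closed in a `finally` on all paths. The loop and the enclosing method start outside this hunk.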
@@ -205,8 +203,7 @@ public class HTTPWorker implements Worke
schema.write(response.getOutputStream());
return;
} else {
- InputStream instream = service.getClassLoader()
- .getResourceAsStream(DeploymentConstants.META_INF + "/" + schemaName);
+ InputStream instream = HTTPTransportUtils.getMetaInfResourceAsStream(service, schemaName);
if (instream != null) {
response.setStatus(HttpStatus.SC_OK);
Modified: axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
URL: http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java?rev=1792354&r1=1792353&r2=1792354&view=diff
==============================================================================
--- axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java (original)
+++ axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java Sun Apr 23 11:40:21 2017
@@ -125,7 +125,7 @@ public class ListingAgent extends Abstra
Iterator<AxisService> i = services.values().iterator();
while (i.hasNext()) {
AxisService service = (AxisService) i.next();
- InputStream stream = service.getClassLoader().getResourceAsStream("META-INF/" + schema);
+ InputStream stream = HTTPTransportUtils.getMetaInfResourceAsStream(service, schema);
if (stream != null) {
OutputStream out = res.getOutputStream();
res.setContentType("text/xml");