Posted to axis-cvs@ws.apache.org by ga...@apache.org on 2009/03/24 21:36:17 UTC
svn commit: r758006 - in
/webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2:
description/AxisService.java util/IOUtils.java
Author: gawor
Date: Tue Mar 24 20:36:16 2009
New Revision: 758006
URL: http://svn.apache.org/viewvc?rev=758006&view=rev
Log:
Basic fix for Local File Inclusion Vulnerability on parsing WSDL related XSD files (AXIS2-4279)
Added:
webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java (with props)
Modified:
webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/description/AxisService.java
Modified: webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/description/AxisService.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/description/AxisService.java?rev=758006&r1=758005&r2=758006&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/description/AxisService.java (original)
+++ webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/description/AxisService.java Tue Mar 24 20:36:16 2009
@@ -19,7 +19,6 @@
package org.apache.axis2.description;
-import org.apache.axiom.attachments.utils.IOUtils;
import org.apache.axiom.om.OMElement;
import org.apache.axis2.AxisFault;
import org.apache.axis2.Constants;
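Review bot: The removed import of the Axiom `IOUtils` is not replaced by an import of the new `org.apache.axis2.util.IOUtils`, yet the later hunks in this file now call `IOUtils.copy(in, out, true)` from package `org.apache.axis2.description`. Unless the remainder of the import block, which lies outside this hunk, already brings `org.apache.axis2.util` into scope, the class will no longer resolve the name. I would add `import org.apache.axis2.util.IOUtils;` in this hunk so the replacement is explicit and the old and new helpers cannot be confused.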
@@ -1245,16 +1244,21 @@
out.flush();
out.close();
} else {
+ // make sure we are only serving .xsd files and ignore requests with
+ // ".." in the name.
+ if (xsd.endsWith(".xsd") && xsd.indexOf("..") == -1) {
InputStream in = getClassLoader().getResourceAsStream(
DeploymentConstants.META_INF + "/" + xsd);
if (in != null) {
- out.write(IOUtils.getStreamAsByteArray(in));
- out.flush();
- out.close();
+ IOUtils.copy(in, out, true);
} else {
- // Can't find the schema
- return -1;
+ // Can't find the schema
+ return -1;
}
+ } else {
+ // bad schema request
+ return -1;
+ }
}
} else if (schemas.size() > 1) {
// multiple schemas are present and the user specified
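Review bot: The new guard on `xsd` is a denylist: it rejects names containing `..` or not ending in `.xsd`, but a name that starts with `/` or contains a backslash still reaches `getResourceAsStream` with the concatenated `META_INF + "/" + xsd`, and how such a string resolves depends on the class loader and classpath layout rather than on this code. I would tighten the check to what a schema reference legitimately needs, e.g. `if (xsd.endsWith(".xsd") && xsd.indexOf("..") == -1 && xsd.indexOf('\\') == -1 && !xsd.startsWith("/"))`, and keep the rejection comment as `// only serve .xsd resources below META-INF; reject traversal, backslashes and absolute names`. The same condition is repeated for `.wsdl` in the printWSDL2 hunk below, so a shared private helper such as `isSafeResourceName(String name, String suffix)` would keep both in step. The enclosing method starts before this hunk.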
@@ -1569,6 +1573,44 @@
}
}
+ /**
+ * Produces a WSDL2 for this AxisService and prints it to the specified
+ * OutputStream.
+ *
+ * @param out
+ * destination stream.
+ * @param wsdl
+ * wsdl name
+ * @return -1 implies not found, 0 implies redirect to root, 1 implies
+ * found/printed wsdl
+ * @throws IOException
+ */
+ public int printWSDL2(OutputStream out, String requestIP, String wsdl)
+ throws IOException, AxisFault {
+ // a name is present - try to pump the requested wsdl file
+ if (!"".equals(wsdl)) {
+ // make sure we are only serving .wsdl files and ignore requests with
+ // ".." in the name.
+ if (wsdl.endsWith(".wsdl") && wsdl.indexOf("..") == -1) {
+ InputStream in = getClassLoader().getResourceAsStream(
+ DeploymentConstants.META_INF + "/" + wsdl);
+ if (in != null) {
+ IOUtils.copy(in, out, true);
+ } else {
+ // can't find the wsdl
+ return -1;
+ }
+ } else {
+ // bad wsdl2 request
+ return -1;
+ }
+ } else {
+ printWSDL2(out, requestIP);
+ }
+
+ return 1;
+ }
+
/**
* Gets the description about the service which is specified in
* services.xml.
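Review bot: The Javadoc on the new `printWSDL2(OutputStream, String, String)` does not match its signature: `requestIP` has no `@param`, `AxisFault` is declared but has no `@throws`, and the `@return` says `0 implies redirect to root` although the body only ever returns `-1` or `1`. I would add `@param requestIP passed through to the two-argument printWSDL2 when no wsdl name is given`, add `@throws AxisFault` (presumably raised by that two-argument overload, which is outside this hunk), and reduce the return description to `-1 implies not found, 1 implies found/printed wsdl`. As in the .xsd hunk above, the `..`/suffix guard is a denylist and a leading `/` or a backslash in `wsdl` is not rejected.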
Added: webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java?rev=758006&view=auto
==============================================================================
--- webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java (added)
+++ webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java Tue Mar 24 20:36:16 2009
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.axis2.util;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+public class IOUtils {
+
+ /**
+ * Copies the input stream to the output stream
+ *
+ * @param in the <code>InputStream</code>
+ * @param out the <code>OutputStream</code>
+ * @param close close input and output stream
+ */
+ public static void copy(InputStream in, OutputStream out, boolean close) throws IOException {
+ byte[] buffer = new byte[4096];
+ int count;
+ try {
+ while ((count = in.read(buffer)) > 0) {
+ out.write(buffer, 0, count);
+ }
+ } finally {
+ if (close) {
+ try { in.close(); } catch (IOException e) {}
+ try { out.close(); } catch (IOException e) {}
+ }
+ }
+ }
+
+}
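Review bot: The `finally` block in `copy` swallows the `IOException` from `out.close()` with an empty catch, so a failure to flush the last buffered bytes to the destination is never reported and the caller believes the resource was served in full. Closing the already-consumed input quietly is reasonable, but the output close should propagate; this is pre-Java-7 code without `addSuppressed`, so an error from `out.close()` may mask an earlier read error, which is the lesser evil here. Naming the catch parameter `ignored` with a one-line reason documents the intent, and since `IOUtils` is a static holder it could also get a `private IOUtils() {}` constructor. The loop condition `> 0` works because `read(byte[])` returns `-1` at end of stream and `0` only for a zero-length buffer, but `!= -1` states that intent more directly.
```java
public static void copy(InputStream in, OutputStream out, boolean close) throws IOException {
    // … unchanged: buffer allocation and read/write loop …
    } finally {
        if (close) {
            // the input has been fully read; a close failure there loses nothing
            try { in.close(); } catch (IOException ignored) { }
            // a close failure on the output may mean buffered bytes were lost:
            // let the caller see it instead of reporting success
            out.close();
        }
    }
}
```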
Propchange: webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java
------------------------------------------------------------------------------
svn:mime-type = text/plain