You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cxf.apache.org by co...@apache.org on 2019/09/03 16:54:23 UTC
[cxf] branch 3.2.x-fixes updated (753ca87 -> 61e4c2e)
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a change to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git.
from 753ca87 Recording .gitmergeinfo Changes
new 44473b0 Restrict the number of message attachments
new 61e4c2e Recording .gitmergeinfo Changes
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.gitmergeinfo | 1 +
.../cxf/attachment/AttachmentDeserializer.java | 17 ++-
.../cxf/attachment/LazyAttachmentCollection.java | 9 +-
.../cxf/attachment/AttachmentDeserializerTest.java | 116 +++++++++++++++++----
4 files changed, 122 insertions(+), 21 deletions(-)
[cxf] 01/02: Restrict the number of message attachments
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 44473b051ea3b0ea11666070f50c16f018d9fa7d
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Sep 3 15:45:20 2019 +0100
Restrict the number of message attachments
(cherry picked from commit 6c3990144b56097502aa9f3ec9c06f3031109022)
(cherry picked from commit fd85803a73ad46f36816bcb55ed1c4f4b4c4312d)
# Conflicts:
# core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
---
.../cxf/attachment/AttachmentDeserializer.java | 17 ++-
.../cxf/attachment/LazyAttachmentCollection.java | 9 +-
.../cxf/attachment/AttachmentDeserializerTest.java | 116 +++++++++++++++++----
3 files changed, 121 insertions(+), 21 deletions(-)
diff --git a/core/src/main/java/org/apache/cxf/attachment/AttachmentDeserializer.java b/core/src/main/java/org/apache/cxf/attachment/AttachmentDeserializer.java
index 7f46ec5..784bc3e 100644
--- a/core/src/main/java/org/apache/cxf/attachment/AttachmentDeserializer.java
+++ b/core/src/main/java/org/apache/cxf/attachment/AttachmentDeserializer.java
@@ -54,6 +54,11 @@ public class AttachmentDeserializer {
public static final String ATTACHMENT_MAX_SIZE = "attachment-max-size";
/**
+ * The maximum number of attachments permitted in a message. The default is 50.
+ */
+ public static final String ATTACHMENT_MAX_COUNT = "attachment-max-count";
+
+ /**
* The maximum MIME Header Length. The default is 300.
*/
public static final String ATTACHMENT_MAX_HEADER_SIZE = "attachment-max-header-size";
@@ -109,7 +114,17 @@ public class AttachmentDeserializer {
public void initializeAttachments() throws IOException {
initializeRootMessage();
- attachments = new LazyAttachmentCollection(this);
+ Object maxCountProperty = message.getContextualProperty(AttachmentDeserializer.ATTACHMENT_MAX_COUNT);
+ int maxCount = 50;
+ if (maxCountProperty != null) {
+ if (maxCountProperty instanceof Integer) {
+ maxCount = (Integer)maxCountProperty;
+ } else {
+ maxCount = Integer.parseInt((String)maxCountProperty);
+ }
+ }
+
+ attachments = new LazyAttachmentCollection(this, maxCount);
message.setAttachments(attachments);
}
diff --git a/core/src/main/java/org/apache/cxf/attachment/LazyAttachmentCollection.java b/core/src/main/java/org/apache/cxf/attachment/LazyAttachmentCollection.java
index c44ea21..d866029 100644
--- a/core/src/main/java/org/apache/cxf/attachment/LazyAttachmentCollection.java
+++ b/core/src/main/java/org/apache/cxf/attachment/LazyAttachmentCollection.java
@@ -37,10 +37,12 @@ public class LazyAttachmentCollection
private AttachmentDeserializer deserializer;
private final List<Attachment> attachments = new ArrayList<>();
+ private final int maxAttachmentCount;
- public LazyAttachmentCollection(AttachmentDeserializer deserializer) {
+ public LazyAttachmentCollection(AttachmentDeserializer deserializer, int maxAttachmentCount) {
super();
this.deserializer = deserializer;
+ this.maxAttachmentCount = maxAttachmentCount;
}
public List<Attachment> getLoadedAttachments() {
@@ -50,8 +52,13 @@ public class LazyAttachmentCollection
private void loadAll() {
try {
Attachment a = deserializer.readNext();
+ int count = 0;
while (a != null) {
attachments.add(a);
+ count++;
+ if (count > maxAttachmentCount) {
+ throw new IOException("The message contains more attachments than are permitted");
+ }
a = deserializer.readNext();
}
} catch (IOException e) {
diff --git a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
index 51eb3b5..871ce3c 100644
--- a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
+++ b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
@@ -20,7 +20,6 @@ package org.apache.cxf.attachment;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
-import java.io.IOException;
import java.io.InputStream;
import java.io.PushbackInputStream;
import java.nio.charset.StandardCharsets;
@@ -31,6 +30,7 @@ import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
+import java.util.stream.IntStream;
import javax.activation.DataSource;
import javax.xml.parsers.SAXParser;
@@ -50,7 +50,13 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
-public class AttachmentDeserializerTest extends Assert {
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
+
+public class AttachmentDeserializerTest {
private MessageImpl msg;
@@ -465,32 +471,17 @@ public class AttachmentDeserializerTest extends Assert {
ad.initializeAttachments();
- String s = getString(message.getContent(InputStream.class));
+ String s = IOUtils.toString(message.getContent(InputStream.class));
assertEquals("JJJJ", s.trim());
int count = 1;
for (Attachment a : message.getAttachments()) {
- s = getString(a.getDataHandler().getInputStream());
+ s = IOUtils.toString(a.getDataHandler().getInputStream());
assertEquals("ABCD" + count++, s);
}
in.close();
}
- private String getString(InputStream ins) throws Exception {
- try (ByteArrayOutputStream bout = new ByteArrayOutputStream(100)) {
- byte b[] = new byte[100];
- int i = ins.read(b);
- while (i > 0) {
- bout.write(b, 0, i);
- i = ins.read(b);
- }
- if (i == 0) {
- throw new IOException("Should not be 0");
- }
- return bout.toString();
- }
- }
-
@Test
public void testCXF3383() throws Exception {
String contentType = "multipart/related; type=\"application/xop+xml\";"
@@ -676,5 +667,92 @@ public class AttachmentDeserializerTest extends Assert {
assertEquals(-1, ins.read(new byte[1000], 100, 600));
ins.close();
}
+
+ @Test
+ public void testManyAttachments() throws Exception {
+ StringBuilder sb = new StringBuilder(1000);
+ sb.append("SomeHeader: foo\n")
+ .append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml; charset=UTF-8\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: <31...@auhpap02>\n")
+ .append('\n')
+ .append("<envelope/>\n");
+
+ // Add many attachments
+ IntStream.range(0, 100000).forEach(i -> {
+ sb.append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: <b86a5f2d-e7af-4e5e-b71a-9f6f2307cab0>\n")
+ .append('\n')
+ .append("<message>\n")
+ .append("------=_Part_34950_1098328613.1263781527359--\n");
+ });
+
+ msg = new MessageImpl();
+ msg.setContent(InputStream.class, new ByteArrayInputStream(sb.toString().getBytes(StandardCharsets.UTF_8)));
+ msg.put(Message.CONTENT_TYPE, "multipart/related");
+ AttachmentDeserializer ad = new AttachmentDeserializer(msg);
+ ad.initializeAttachments();
+
+ // Force it to load the attachments
+ try {
+ msg.getAttachments().size();
+ fail("Failure expected on too many attachments");
+ } catch (RuntimeException ex) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testChangingMaxAttachmentCount() throws Exception {
+ StringBuilder sb = new StringBuilder(1000);
+ sb.append("SomeHeader: foo\n")
+ .append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml; charset=UTF-8\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: <31...@auhpap02>\n")
+ .append('\n')
+ .append("<envelope/>\n");
+
+ // Add many attachments
+ IntStream.range(0, 40).forEach(i -> {
+ sb.append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: <b86a5f2d-e7af-4e5e-b71a-9f6f2307cab0>\n")
+ .append('\n')
+ .append("<message>\n")
+ .append("------=_Part_34950_1098328613.1263781527359--\n");
+ });
+
+ msg = new MessageImpl();
+ msg.put(AttachmentDeserializer.ATTACHMENT_MAX_COUNT, "30");
+ msg.setContent(InputStream.class, new ByteArrayInputStream(sb.toString().getBytes(StandardCharsets.UTF_8)));
+ msg.put(Message.CONTENT_TYPE, "multipart/related");
+ AttachmentDeserializer ad = new AttachmentDeserializer(msg);
+ ad.initializeAttachments();
+
+ // Force it to load the attachments
+ try {
+ msg.getAttachments().size();
+ fail("Failure expected on too many attachments");
+ } catch (RuntimeException ex) {
+ // expected
+ }
+
+ // Now we'll allow it
+ msg = new MessageImpl();
+ msg.put(AttachmentDeserializer.ATTACHMENT_MAX_COUNT, "60");
+ msg.setContent(InputStream.class, new ByteArrayInputStream(sb.toString().getBytes(StandardCharsets.UTF_8)));
+ msg.put(Message.CONTENT_TYPE, "multipart/related");
+ ad = new AttachmentDeserializer(msg);
+ ad.initializeAttachments();
+
+ // Force it to load the attachments
+ assertEquals(40, msg.getAttachments().size());
+ }
+
}
[cxf] 02/02: Recording .gitmergeinfo Changes
Posted by co...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch 3.2.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 61e4c2e6683b6fe2fdab23293934ae471562749e
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Sep 3 16:59:50 2019 +0100
Recording .gitmergeinfo Changes
---
.gitmergeinfo | 1 +
1 file changed, 1 insertion(+)
diff --git a/.gitmergeinfo b/.gitmergeinfo
index bc1a570..bfff317 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -728,4 +728,5 @@ M efb2c3082fe8799a9d90a696e31239551b4f1823
M f09ae1ed3bbc88a6d7860697dd65821fd9958d99
M f7ae16dff9561db9bc16e1ad82ae75e93fdb735d
M fd2c5e310aab1e241e868600be9a7748279f0987
+M fd85803a73ad46f36816bcb55ed1c4f4b4c4312d
M ff9031f5e88750d2be6a68d4141b591ba11104f8