Posted to commits@ofbiz.apache.org by ta...@apache.org on 2018/07/18 06:30:16 UTC
svn commit: r1836141 -
/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java
Author: taher
Date: Wed Jul 18 06:30:15 2018
New Revision: 1836141
URL: http://svn.apache.org/viewvc?rev=1836141&view=rev
Log:
Improved: sanitized the output of XML-RPC when errors are reported.
(OFBIZ-10848)
This is implemented by overriding the parent "execute" method with a more
sanitized output for clarity and enhanced security.
Modified:
ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java
Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java?rev=1836141&r1=1836140&r2=1836141&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java Wed Jul 18 06:30:15 2018
@@ -22,6 +22,7 @@ package org.apache.ofbiz.webapp.event;
import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
@@ -54,6 +55,7 @@ import org.apache.xmlrpc.XmlRpcRequest;
import org.apache.xmlrpc.common.ServerStreamConnection;
import org.apache.xmlrpc.common.XmlRpcHttpRequestConfig;
import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
+import org.apache.xmlrpc.common.XmlRpcStreamRequestConfig;
import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping;
import org.apache.xmlrpc.server.XmlRpcHttpServer;
import org.apache.xmlrpc.server.XmlRpcHttpServerConfig;
@@ -209,6 +211,60 @@ public class XmlRpcEventHandler extends
}
}
+ @Override
+ public void execute(XmlRpcStreamRequestConfig pConfig,
+ ServerStreamConnection pConnection) throws XmlRpcException {
+ try {
+ Object result = null;
+ boolean foundError = false;
+
+ try (InputStream istream = getInputStream(pConfig, pConnection)) {
+ XmlRpcRequest request = getRequest(pConfig, istream);
+ result = execute(request);
+ } catch (Exception e) {
+ Debug.logError(e, module);
+ foundError = true;
+ }
+
+ ByteArrayOutputStream baos;
+ OutputStream initialStream;
+ if (isContentLengthRequired(pConfig)) {
+ baos = new ByteArrayOutputStream();
+ initialStream = baos;
+ } else {
+ baos = null;
+ initialStream = pConnection.newOutputStream();
+ }
+
+ try (OutputStream ostream = getOutputStream(pConnection, pConfig, initialStream)) {
+ if (!foundError) {
+ writeResponse(pConfig, ostream, result);
+ } else {
+ writeError(pConfig, ostream, new Exception("Failed to read XML-RPC request. Please check logs for more information"));
+ }
+ }
+
+ if (baos != null) {
+ try (OutputStream dest = getOutputStream(pConfig, pConnection, baos.size())) {
+ baos.writeTo(dest);
+ }
+ }
+
+ pConnection.close();
+ pConnection = null;
+ } catch (IOException e) {
+ throw new XmlRpcException("I/O error while processing request: " + e.getMessage(), e);
+ } finally {
+ if (pConnection != null) {
+ try {
+ pConnection.close();
+ } catch (IOException e) {
+ Debug.logError(e, "Unable to close stream connection");
+ }
+ }
+ }
+ }
+
class ServiceRpcHandler extends AbstractReflectiveHandlerMapping implements XmlRpcHandler {
public ServiceRpcHandler() {
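Review bot: The `catch (Exception e)` at the top of the new `execute` covers both `getRequest(pConfig, istream)` and `execute(request)`, so a failure inside the invoked handler is reported to the client as "Failed to read XML-RPC request" and reaches the log with nothing that separates a malformed request from a handler fault. Keeping the client-facing text generic matches the commit's intent, but the log should keep that distinction for triage, and the client text would be more accurate as "Failed to process XML-RPC request. Please check logs for more information". The fence below parses and dispatches in separate try blocks, each with its own log message. Separately, in the `finally` block `Debug.logError(e, "Unable to close stream connection")` appears to pass the message in the slot where the earlier call passes `module`; it probably should read `Debug.logError(e, "Unable to close stream connection", module);`.

```java
Object result = null;
boolean foundError = false;
XmlRpcRequest request = null;

try (InputStream istream = getInputStream(pConfig, pConnection)) {
    request = getRequest(pConfig, istream);
} catch (Exception e) {
    // Malformed or unreadable request: keep the detail in the log only.
    Debug.logError(e, "Unable to parse XML-RPC request", module);
    foundError = true;
}

if (!foundError) {
    try {
        result = execute(request);
    } catch (Exception e) {
        // Handler fault: logged separately so it is not mistaken for a parse failure.
        Debug.logError(e, "XML-RPC handler failed", module);
        foundError = true;
    }
}
// … unchanged: output stream selection, writeResponse/writeError, connection close …
```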
Re: svn commit: r1836141 -
/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Taher,
It's actually OFBIZ-10484 ;)
Jacques
Le 18/07/2018 à 08:30, taher@apache.org a écrit :
> Author: taher
> Date: Wed Jul 18 06:30:15 2018
> New Revision: 1836141
>
> URL: http://svn.apache.org/viewvc?rev=1836141&view=rev
> Log:
> Improved: sanitized the output of XML-RPC when errors are reported.
> (OFBIZ-10848)
>
> This is implemented by overriding the parent "execute" method with a more
> sanitized output for clarity and enhanced security.
>
> Modified:
> ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java
>
> Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java
> URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java?rev=1836141&r1=1836140&r2=1836141&view=diff
> ==============================================================================
> --- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java (original)
> +++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java Wed Jul 18 06:30:15 2018
> @@ -22,6 +22,7 @@ package org.apache.ofbiz.webapp.event;
> import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
>
> import java.io.BufferedReader;
> +import java.io.ByteArrayOutputStream;
> import java.io.IOException;
> import java.io.InputStream;
> import java.io.InputStreamReader;
> @@ -54,6 +55,7 @@ import org.apache.xmlrpc.XmlRpcRequest;
> import org.apache.xmlrpc.common.ServerStreamConnection;
> import org.apache.xmlrpc.common.XmlRpcHttpRequestConfig;
> import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
> +import org.apache.xmlrpc.common.XmlRpcStreamRequestConfig;
> import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping;
> import org.apache.xmlrpc.server.XmlRpcHttpServer;
> import org.apache.xmlrpc.server.XmlRpcHttpServerConfig;
> @@ -209,6 +211,60 @@ public class XmlRpcEventHandler extends
> }
> }
>
> + @Override
> + public void execute(XmlRpcStreamRequestConfig pConfig,
> + ServerStreamConnection pConnection) throws XmlRpcException {
> + try {
> + Object result = null;
> + boolean foundError = false;
> +
> + try (InputStream istream = getInputStream(pConfig, pConnection)) {
> + XmlRpcRequest request = getRequest(pConfig, istream);
> + result = execute(request);
> + } catch (Exception e) {
> + Debug.logError(e, module);
> + foundError = true;
> + }
> +
> + ByteArrayOutputStream baos;
> + OutputStream initialStream;
> + if (isContentLengthRequired(pConfig)) {
> + baos = new ByteArrayOutputStream();
> + initialStream = baos;
> + } else {
> + baos = null;
> + initialStream = pConnection.newOutputStream();
> + }
> +
> + try (OutputStream ostream = getOutputStream(pConnection, pConfig, initialStream)) {
> + if (!foundError) {
> + writeResponse(pConfig, ostream, result);
> + } else {
> + writeError(pConfig, ostream, new Exception("Failed to read XML-RPC request. Please check logs for more information"));
> + }
> + }
> +
> + if (baos != null) {
> + try (OutputStream dest = getOutputStream(pConfig, pConnection, baos.size())) {
> + baos.writeTo(dest);
> + }
> + }
> +
> + pConnection.close();
> + pConnection = null;
> + } catch (IOException e) {
> + throw new XmlRpcException("I/O error while processing request: " + e.getMessage(), e);
> + } finally {
> + if (pConnection != null) {
> + try {
> + pConnection.close();
> + } catch (IOException e) {
> + Debug.logError(e, "Unable to close stream connection");
> + }
> + }
> + }
> + }
> +
> class ServiceRpcHandler extends AbstractReflectiveHandlerMapping implements XmlRpcHandler {
>
> public ServiceRpcHandler() {
>
>
>