Accepting request 646398 from home:pmonrealgonzalez:branches:Java:packages
- Security fix: [bsc#1103658, CVE-2018-8032] * Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. * Added axis-CVE-2018-8032.patch OBS-URL: https://build.opensuse.org/request/show/646398 OBS-URL: https://build.opensuse.org/package/show/Java:packages/axis?expand=0&rev=35
parent
9c4e0e3960
commit
5647a93463
187
axis-CVE-2018-8032.patch
Normal file
187
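--- a/axis-CVE-2018-8032.patch
+++ b/axis-CVE-2018-8032.patch
@@ -0,0 +1,187 @@
+From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001
+From: Andreas Veithen <veithen@apache.org>
+Date: Sun, 20 May 2018 20:10:32 +0000
+Subject: [PATCH] Correctly escape namespace URIs in namespace declarations.
+
+git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68
+---
+.../axis/encoding/SerializationContext.java | 11 ++--
+axis-war/pom.xml | 13 +++++
+.../test/java/org/apache/axis/war/Utils.java | 33 +++++++++++
+.../java/org/apache/axis/war/XssTest.java | 57 +++++++++++++++++++
+.../java/test/httpunit/HttpUnitTestBase.java | 5 +-
+.../org/apache/axis/war/getVersion-xss.xml | 9 +++
+pom.xml | 5 ++
+7 files changed, 125 insertions(+), 8 deletions(-)
+create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java
+create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java
+create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
+
+diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java
+index 0cf0ac907..f33ec28df 100644
+--- a/src/org/apache/axis/encoding/SerializationContext.java
++++ b/src/org/apache/axis/encoding/SerializationContext.java
+@@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes)
+sb.append(':');
+sb.append(map.getPrefix());
+}
+- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
++ String qname = sb.toString();
++ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
+writer.write(' ');
+- sb.append("=\"");
+- sb.append(map.getNamespaceURI());
+- sb.append('"');
+- writer.write(sb.toString());
++ writer.write(qname);
++ writer.write("=\"");
++ getEncoder().writeEncoded(writer, map.getNamespaceURI());
++ writer.write('"');
+}
+}
+}
+diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java b/axis-war/src/test/java/org/apache/axis/war/Utils.java
+new file mode 100644
+index 000000000..77d03ee25
+--- /dev/null
++++ b/org/apache/axis/war/Utils.java
+@@ -0,0 +1,33 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++package org.apache.axis.war;
++
++import static org.junit.Assert.assertNotNull;
++
++public final class Utils {
++ private static String URL_PROPERTY = "test.functional.webapp.url";
++
++ private Utils() {}
++
++ public static String getWebappUrl() {
++ String url = System.getProperty(URL_PROPERTY);
++ assertNotNull(URL_PROPERTY + " not set", url);
++ return url;
++ }
++}
+diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java
+new file mode 100644
+index 000000000..0504e1a8c
+--- /dev/null
++++ b/org/apache/axis/war/XssTest.java
+@@ -0,0 +1,57 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++package org.apache.axis.war;
++
++import static com.google.common.truth.Truth.assertThat;
++
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.net.HttpURLConnection;
++import java.net.URL;
++
++import org.apache.commons.io.IOUtils;
++import org.junit.Test;
++
++public class XssTest {
++ /**
++ * Tests for potential XSS vulnerability in the Version service.
++ * <p>
++ * The Version service returns a body with whatever namespace URI was used in the request. If
++ * the namespace URI is not properly encoded in the response, then this creates a potential
++ * XSS vulnerability.
++ *
++ * @throws Exception
++ */
++ @Test
++ public void testGetVersion() throws Exception {
++ HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection();
++ conn.setDoInput(true);
++ conn.setDoOutput(true);
++ conn.setRequestProperty("SOAPAction", "");
++ conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
++ InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml");
++ OutputStream out = conn.getOutputStream();
++ IOUtils.copy(payload, out);
++ payload.close();
++ out.close();
++ assertThat(conn.getResponseCode()).isEqualTo(200);
++ InputStream in = conn.getInputStream();
++ assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain("<script");
++ }
++}
+diff --git a/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java b/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java
+index 8ca191a8d..98a66b5c5 100644
+--- a/test/httpunit/HttpUnitTestBase.java
++++ b/test/httpunit/HttpUnitTestBase.java
+@@ -22,6 +22,7 @@
+import java.io.*;
+import java.net.MalformedURLException;
+
++import org.apache.axis.war.Utils;
+import org.xml.sax.SAXException;
+
+/**
+@@ -38,14 +39,12 @@ public HttpUnitTestBase(String s) {
+super(s);
+}
+
+- private static String URL_PROPERTY="test.functional.webapp.url";
+/**
+* The JUnit setup method
+*
+*/
+public void setUp() throws Exception {
+- url=System.getProperty(URL_PROPERTY);
+- assertNotNull(URL_PROPERTY+" not set",url);
++ url = Utils.getWebappUrl();
+HttpUnitOptions.setExceptionsThrownOnErrorStatus(true);
+HttpUnitOptions.setMatchesIgnoreCase(true);
+HttpUnitOptions.setParserWarningsEnabled(true);
+diff --git a/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml b/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
+new file mode 100644
+index 000000000..380009e16
+--- /dev/null
++++ b/org/apache/axis/war/getVersion-xss.xml
+@@ -0,0 +1,9 @@
++<soapenv:Envelope
++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
++ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
++ xmlns:axis="http://axis.apache.org        "><script xmlns="http://www.w3.org/1999/xhtml">alert('Hello');</script>">
++ <soapenv:Body>
++ <axis:getVersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
++ </soapenv:Body>
++</soapenv:Envelope>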
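Review bot: In XssTest.testGetVersion the only content assertion is `doesNotContain("<script")`, which also passes if the server drops or rewrites the echoed namespace declaration instead of escaping it, so the test does not actually pin the fix; read the body into a local and add `assertThat(body).contains("&lt;script");` so a regression and an accidental no-op are told apart. The payload, output and input streams are opened outside any try-with-resources and `conn.disconnect()` is never called, so an assertion failure leaks them. In the SerializationContext.startElement hunk (the method starts before and ends after it) only the namespace URI goes through `getEncoder().writeEncoded(...)`; `qname` (the `xmlns:prefix` part) is still written raw, which is fine only as long as the prefix always comes from the XML parser as an NCName, and a comment such as `// prefix is parser-validated; only the URI can carry attacker-controlled characters` would record that assumption. Whether `writeEncoded` escapes `"` (required, since the value sits inside double quotes) is not visible here and should be confirmed against the encoder. The namespace value in getVersion-xss.xml as rendered on this page has its XML entities decoded; the committed file must keep them (`&quot;&gt;&lt;script ...`) or the request is not well-formed and the test never reaches the serializer.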
@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon Nov 5 11:43:14 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Security fix: [bsc#1103658, CVE-2018-8032]
* Apache Axis 1.x up to and including 1.4 is vulnerable to a
cross-site scripting (XSS) attack in the default
servlet/services.
* Added axis-CVE-2018-8032.patch
-------------------------------------------------------------------
Tue Jul 10 16:47:47 UTC 2018 - fstrba@suse.com
@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -48,6 +48,8 @@ Patch4: axis-encoding.patch
Patch5: axis-compareto.patch
Patch6: axis-enum.patch
Patch7: axis-jdk11.patch
# PATCH-FIX-UPSTREAM bsc#1103658 CVE-2018-8032 cross-site scripting (XSS) attack in the default servlet/services
Patch8: axis-CVE-2018-8032.patch
BuildRequires: ant
BuildRequires: ant-jdepend
BuildRequires: antlr
@ -99,6 +101,7 @@ Manual for axis
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
# Remove provided binaries
find . -name "*.jar" -exec rm -f {} \;
@ -153,8 +156,8 @@ install -m 644 %{SOURCE6} %{buildroot}%{_mavenpomdir}/JPP.%{name}-jaxrpc.pom
%add_maven_depmap JPP.%{name}-jaxrpc.pom %{name}/jaxrpc.jar
install -m 644 %{SOURCE7} %{buildroot}%{_mavenpomdir}/JPP.%{name}-saaj.pom
%add_maven_depmap JPP.%{name}-saaj.pom %{name}/saaj.jar
#install -m 644 %{S:8} $RPM_BUILD_ROOT%{_mavenpomdir}/JPP.%{name}-axis-schema.pom
# % add_maven_depmap JPP.%{name}-axis-schema.pom %{name}/axis-schema.jar
#install -m 644 %{S:8} $RPM_BUILD_ROOT%%{_mavenpomdir}/JPP.%%{name}-axis-schema.pom
# % add_maven_depmap JPP.%%{name}-axis-schema.pom %%{name}/axis-schema.jar
%files
%doc LICENSE README release-notes.html changelog.html
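Review bot: The `%patch8 -p1` line applies a patch whose new test files carry rebased `+++ b/org/apache/axis/war/...` headers, so they land in a top-level `org/` directory rather than the `test/` tree the rest of the patch touches, and the ant build declared here (BuildRequires: ant) most likely never compiles or runs XssTest; the CVE fix is then exercised only by the one-hunk change to SerializationContext. The PATCH-FIX-UPSTREAM comment should say so, e.g. `# PATCH-FIX-UPSTREAM bsc#1103658 CVE-2018-8032 XSS in default servlet/services; bundled XssTest is not run by the ant build`, or the test hunks should be dropped from the patch so stray sources are not left in the build tree. This is inferred from the patch headers and the BuildRequires lines; confirm against build.xml before relying on the test.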