Accepting request 646398 from home:pmonrealgonzalez:branches:Java:packages

- Security fix: [bsc#1103658, CVE-2018-8032]
  * Apache Axis 1.x up to and including 1.4 is vulnerable to a
    cross-site scripting (XSS) attack in the default
    servlet/services.
  * Added axis-CVE-2018-8032.patch

OBS-URL: https://build.opensuse.org/request/show/646398
OBS-URL: https://build.opensuse.org/package/show/Java:packages/axis?expand=0&rev=35
This commit is contained in:
Fridrich Strba 2018-11-05 22:18:38 +00:00 committed by Git OBS Bridge
parent 9c4e0e3960
commit 5647a93463
3 changed files with 202 additions and 3 deletions

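--- /dev/null
+++ b/axis-CVE-2018-8032.patch
@@ -0,0 +1,187 @@
+From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001
+From: Andreas Veithen <veithen@apache.org>
+Date: Sun, 20 May 2018 20:10:32 +0000
+Subject: [PATCH] Correctly escape namespace URIs in namespace declarations.
+git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68
+---
+.../axis/encoding/SerializationContext.java | 11 ++--
+axis-war/pom.xml | 13 +++++
+.../test/java/org/apache/axis/war/Utils.java | 33 +++++++++++
+.../java/org/apache/axis/war/XssTest.java | 57 +++++++++++++++++++
+.../java/test/httpunit/HttpUnitTestBase.java | 5 +-
+.../org/apache/axis/war/getVersion-xss.xml | 9 +++
+pom.xml | 5 ++
+7 files changed, 125 insertions(+), 8 deletions(-)
+create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java
+create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java
+create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
+diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java
+index 0cf0ac907..f33ec28df 100644
+--- a/src/org/apache/axis/encoding/SerializationContext.java
++++ b/src/org/apache/axis/encoding/SerializationContext.java
+@@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes)
+sb.append(':');
+sb.append(map.getPrefix());
+}
+- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
++ String qname = sb.toString();
++ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
+writer.write(' ');
+- sb.append("=\"");
+- sb.append(map.getNamespaceURI());
+- sb.append('"');
+- writer.write(sb.toString());
++ writer.write(qname);
++ writer.write("=\"");
++ getEncoder().writeEncoded(writer, map.getNamespaceURI());
++ writer.write('"');
+}
+}
+}
+diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java b/axis-war/src/test/java/org/apache/axis/war/Utils.java
+new file mode 100644
+index 000000000..77d03ee25
+--- /dev/null
++++ b/org/apache/axis/war/Utils.java
+@@ -0,0 +1,33 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++package org.apache.axis.war;
++
++import static org.junit.Assert.assertNotNull;
++
++public final class Utils {
++ private static String URL_PROPERTY = "test.functional.webapp.url";
++
++ private Utils() {}
++
++ public static String getWebappUrl() {
++ String url = System.getProperty(URL_PROPERTY);
++ assertNotNull(URL_PROPERTY + " not set", url);
++ return url;
++ }
++}
+diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java
+new file mode 100644
+index 000000000..0504e1a8c
+--- /dev/null
++++ b/org/apache/axis/war/XssTest.java
+@@ -0,0 +1,57 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one
++ * or more contributor license agreements. See the NOTICE file
++ * distributed with this work for additional information
++ * regarding copyright ownership. The ASF licenses this file
++ * to you under the Apache License, Version 2.0 (the
++ * "License"); you may not use this file except in compliance
++ * with the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing,
++ * software distributed under the License is distributed on an
++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
++ * KIND, either express or implied. See the License for the
++ * specific language governing permissions and limitations
++ * under the License.
++ */
++package org.apache.axis.war;
++
++import static com.google.common.truth.Truth.assertThat;
++
++import java.io.InputStream;
++import java.io.OutputStream;
++import java.net.HttpURLConnection;
++import java.net.URL;
++
++import org.apache.commons.io.IOUtils;
++import org.junit.Test;
++
++public class XssTest {
++ /**
++ * Tests for potential XSS vulnerability in the Version service.
++ * <p>
++ * The Version service returns a body with whatever namespace URI was used in the request. If
++ * the namespace URI is not properly encoded in the response, then this creates a potential
++ * XSS vulnerability.
++ *
++ * @throws Exception
++ */
++ @Test
++ public void testGetVersion() throws Exception {
++ HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection();
++ conn.setDoInput(true);
++ conn.setDoOutput(true);
++ conn.setRequestProperty("SOAPAction", "");
++ conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
++ InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml");
++ OutputStream out = conn.getOutputStream();
++ IOUtils.copy(payload, out);
++ payload.close();
++ out.close();
++ assertThat(conn.getResponseCode()).isEqualTo(200);
++ InputStream in = conn.getInputStream();
++ assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain("<script");
++ }
++}
+diff --git a/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java b/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java
+index 8ca191a8d..98a66b5c5 100644
+--- a/test/httpunit/HttpUnitTestBase.java
++++ b/test/httpunit/HttpUnitTestBase.java
+@@ -22,6 +22,7 @@
+import java.io.*;
+import java.net.MalformedURLException;
++import org.apache.axis.war.Utils;
+import org.xml.sax.SAXException;
+/**
+@@ -38,14 +39,12 @@ public HttpUnitTestBase(String s) {
+super(s);
+}
+- private static String URL_PROPERTY="test.functional.webapp.url";
+/**
+* The JUnit setup method
+*
+*/
+public void setUp() throws Exception {
+- url=System.getProperty(URL_PROPERTY);
+- assertNotNull(URL_PROPERTY+" not set",url);
++ url = Utils.getWebappUrl();
+HttpUnitOptions.setExceptionsThrownOnErrorStatus(true);
+HttpUnitOptions.setMatchesIgnoreCase(true);
+HttpUnitOptions.setParserWarningsEnabled(true);
+diff --git a/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml b/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
+new file mode 100644
+index 000000000..380009e16
+--- /dev/null
++++ b/org/apache/axis/war/getVersion-xss.xml
+@@ -0,0 +1,9 @@
++<soapenv:Envelope
++ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
++ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
++ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
++ xmlns:axis="http://axis.apache.org&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x22;&#x3e;&#x3c;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x20;&#x78;&#x6d;&#x6c;&#x6e;&#x73;&#x3d;&#x22;&#x68;&#x74;&#x74;&#x70;&#x3a;&#x2f;&#x2f;&#x77;&#x77;&#x77;&#x2e;&#x77;&#x33;&#x2e;&#x6f;&#x72;&#x67;&#x2f;&#x31;&#x39;&#x39;&#x39;&#x2f;&#x78;&#x68;&#x74;&#x6d;&#x6c;&#x22;&#x3e;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x61;&#x6c;&#x65;&#x72;&#x74;&#x28;&#x27;&#x48;&#x65;&#x6c;&#x6c;&#x6f;&#x27;&#x29;&#x3b;&#x0a;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x20;&#x3c;&#x2f;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3e;">
++ <soapenv:Body>
++ <axis:getVersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
++ </soapenv:Body>
++</soapenv:Envelope>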
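Review bot: In the SerializationContext hunk the fix encodes only the namespace URI, while the prefix assembled from `map.getPrefix()` still goes out raw through `writer.write(qname)`; since prefixes reach this point via an XML parser that enforces NCName syntax this is presumably not exploitable, but the asymmetry deserves a comment such as `// prefix is parser-validated (NCName); only the URI can carry markup, so only it is encoded`. The `startElement` method starts before the hunk, so whether any other attribute value in it is written unencoded cannot be judged from here. The new XssTest pins the fix only with `doesNotContain("<script")`, which also passes on an empty or unrelated 200 response; additionally asserting that the escaped form (e.g. `&lt;script`) appears in the body would prove the encoder actually ran on the echoed URI. The test also never closes `in` from `conn.getInputStream()` and closes `payload`/`out` only on the success path; a try-with-resources around the three streams would fix both.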


@ -1,3 +1,12 @@
-------------------------------------------------------------------
Mon Nov 5 11:43:14 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
- Security fix: [bsc#1103658, CVE-2018-8032]
* Apache Axis 1.x up to and including 1.4 is vulnerable to a
cross-site scripting (XSS) attack in the default
servlet/services.
* Added axis-CVE-2018-8032.patch
-------------------------------------------------------------------
Tue Jul 10 16:47:47 UTC 2018 - fstrba@suse.com


@ -12,7 +12,7 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
@ -48,6 +48,8 @@ Patch4: axis-encoding.patch
Patch5: axis-compareto.patch
Patch6: axis-enum.patch
Patch7: axis-jdk11.patch
# PATCH-FIX-UPSTREAM bsc#1103658 CVE-2018-8032 cross-site scripting (XSS) attack in the default servlet/services
Patch8: axis-CVE-2018-8032.patch
BuildRequires: ant
BuildRequires: ant-jdepend
BuildRequires: antlr
@ -99,6 +101,7 @@ Manual for axis
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
# Remove provided binaries
find . -name "*.jar" -exec rm -f {} \;
@ -153,8 +156,8 @@ install -m 644 %{SOURCE6} %{buildroot}%{_mavenpomdir}/JPP.%{name}-jaxrpc.pom
%add_maven_depmap JPP.%{name}-jaxrpc.pom %{name}/jaxrpc.jar
install -m 644 %{SOURCE7} %{buildroot}%{_mavenpomdir}/JPP.%{name}-saaj.pom
%add_maven_depmap JPP.%{name}-saaj.pom %{name}/saaj.jar
#install -m 644 %{S:8} $RPM_BUILD_ROOT%{_mavenpomdir}/JPP.%{name}-axis-schema.pom
# % add_maven_depmap JPP.%{name}-axis-schema.pom %{name}/axis-schema.jar
#install -m 644 %{S:8} $RPM_BUILD_ROOT%%{_mavenpomdir}/JPP.%%{name}-axis-schema.pom
# % add_maven_depmap JPP.%%{name}-axis-schema.pom %%{name}/axis-schema.jar
%files
%doc LICENSE README release-notes.html changelog.html