From 824142e37768d68fe1740c444247620d7251501df0b54643d399a8683bc23be2 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Mon, 5 Nov 2018 22:18:38 +0000
Subject: [PATCH] Accepting request 646398 from home:pmonrealgonzalez:branches:Java:packages
- Security fix: [bsc#1103658, CVE-2018-8032]
 * Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.
 * Added axis-CVE-2018-8032.patch
OBS-URL: https://build.opensuse.org/request/show/646398
OBS-URL: https://build.opensuse.org/package/show/Java:packages/axis?expand=0&rev=35
---
 axis-CVE-2018-8032.patch | 187 +++++++++++++++++++++++++++++++++++++++
 axis.changes | 9 ++
 axis.spec | 9 +-
 3 files changed, 202 insertions(+), 3 deletions(-)
 create mode 100644 axis-CVE-2018-8032.patch
diff --git a/axis-CVE-2018-8032.patch b/axis-CVE-2018-8032.patch
new file mode 100644
index 0000000..9b6e2cd
--- /dev/null
+++ b/axis-CVE-2018-8032.patch
@@ -0,0 +1,187 @@ +From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001 +From: Andreas Veithen +Date: Sun, 20 May 2018 20:10:32 +0000 +Subject: [PATCH] Correctly escape namespace URIs in namespace declarations. + +git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68 +--- + .../axis/encoding/SerializationContext.java | 11 ++-- + axis-war/pom.xml | 13 +++++ + .../test/java/org/apache/axis/war/Utils.java | 33 +++++++++++ + .../java/org/apache/axis/war/XssTest.java | 57 +++++++++++++++++++ + .../java/test/httpunit/HttpUnitTestBase.java | 5 +- + .../org/apache/axis/war/getVersion-xss.xml | 9 +++ + pom.xml | 5 ++ + 7 files changed, 125 insertions(+), 8 deletions(-) + create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java + create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java + create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml + +diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java +index 0cf0ac907..f33ec28df 100644 +--- a/src/org/apache/axis/encoding/SerializationContext.java ++++ b/src/org/apache/axis/encoding/SerializationContext.java +@@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes) + sb.append(':'); + sb.append(map.getPrefix()); + } +- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) { ++ String qname = sb.toString(); ++ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) { + writer.write(' '); +- sb.append("=\""); +- sb.append(map.getNamespaceURI()); +- sb.append('"'); +- writer.write(sb.toString()); ++ writer.write(qname); ++ writer.write("=\""); ++ getEncoder().writeEncoded(writer, map.getNamespaceURI()); ++ writer.write('"'); + } + } + } +diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java 
b/axis-war/src/test/java/org/apache/axis/war/Utils.java +new file mode 100644 +index 000000000..77d03ee25 +--- /dev/null ++++ b/org/apache/axis/war/Utils.java +@@ -0,0 +1,33 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one ++ * or more contributor license agreements. See the NOTICE file ++ * distributed with this work for additional information ++ * regarding copyright ownership. The ASF licenses this file ++ * to you under the Apache License, Version 2.0 (the ++ * "License"); you may not use this file except in compliance ++ * with the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, ++ * software distributed under the License is distributed on an ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ++ * KIND, either express or implied. See the License for the ++ * specific language governing permissions and limitations ++ * under the License. ++ */ ++package org.apache.axis.war; ++ ++import static org.junit.Assert.assertNotNull; ++ ++public final class Utils { ++ private static String URL_PROPERTY = "test.functional.webapp.url"; ++ ++ private Utils() {} ++ ++ public static String getWebappUrl() { ++ String url = System.getProperty(URL_PROPERTY); ++ assertNotNull(URL_PROPERTY + " not set", url); ++ return url; ++ } ++} +diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java +new file mode 100644 +index 000000000..0504e1a8c +--- /dev/null ++++ b/org/apache/axis/war/XssTest.java +@@ -0,0 +1,57 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one ++ * or more contributor license agreements. See the NOTICE file ++ * distributed with this work for additional information ++ * regarding copyright ownership. 
The ASF licenses this file ++ * to you under the Apache License, Version 2.0 (the ++ * "License"); you may not use this file except in compliance ++ * with the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, ++ * software distributed under the License is distributed on an ++ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY ++ * KIND, either express or implied. See the License for the ++ * specific language governing permissions and limitations ++ * under the License. ++ */ ++package org.apache.axis.war; ++ ++import static com.google.common.truth.Truth.assertThat; ++ ++import java.io.InputStream; ++import java.io.OutputStream; ++import java.net.HttpURLConnection; ++import java.net.URL; ++ ++import org.apache.commons.io.IOUtils; ++import org.junit.Test; ++ ++public class XssTest { ++ /** ++ * Tests for potential XSS vulnerability in the Version service. ++ *

++ * The Version service returns a body with whatever namespace URI was used in the request. If ++ * the namespace URI is not properly encoded in the response, then this creates a potential ++ * XSS vulnerability. ++ * ++ * @throws Exception ++ */ ++ @Test ++ public void testGetVersion() throws Exception { ++ HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection(); ++ conn.setDoInput(true); ++ conn.setDoOutput(true); ++ conn.setRequestProperty("SOAPAction", ""); ++ conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8"); ++ InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml"); ++ OutputStream out = conn.getOutputStream(); ++ IOUtils.copy(payload, out); ++ payload.close(); ++ out.close(); ++ assertThat(conn.getResponseCode()).isEqualTo(200); ++ InputStream in = conn.getInputStream(); ++ assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain(" ++ ++ ++ ++ diff --git a/axis.changes b/axis.changes index 4c0964a..a9af549 100644 --- a/axis.changes +++ b/axis.changes @@ -1,3 +1,12 @@ +------------------------------------------------------------------- +Mon Nov 5 11:43:14 UTC 2018 - Pedro Monreal Gonzalez + +- Security fix: [bsc#1103658, CVE-2018-8032] + * Apache Axis 1.x up to and including 1.4 is vulnerable to a + cross-site scripting (XSS) attack in the default + servlet/services. + * Added axis-CVE-2018-8032.patch + ------------------------------------------------------------------- Tue Jul 10 16:47:47 UTC 2018 - fstrba@suse.com diff --git a/axis.spec b/axis.spec index 636a16d..c09bfe4 100644 --- a/axis.spec +++ b/axis.spec @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # 
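Review bot: In the SerializationContext.java hunk the new `writer.write(qname);` still emits the `xmlns` / `xmlns:` + `map.getPrefix()` half of the declaration unescaped, so only the URI is passed through `getEncoder().writeEncoded`; that is sound only because a prefix that came through an XML parser is restricted to NCName characters, and the fix additionally relies on `writeEncoded` escaping `"` as well as `<` and `&` — worth confirming against XMLEncoder, since an unescaped quote would terminate the attribute value. A comment such as `// prefix is an NCName (parser-validated); only the URI can carry arbitrary characters` next to `writer.write(qname);` would record that assumption for the next maintainer. The enclosing `startElement` method begins before the hunk, so the origin of `map` cannot be checked here. The tail of `XssTest.testGetVersion` and the `getVersion-xss.xml` resource appear cut off in this rendering (the `doesNotContain(` argument is missing), so the string the test asserts against cannot be verified from this page.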
@@ -48,6 +48,8 @@ Patch4: axis-encoding.patch
 Patch5: axis-compareto.patch
 Patch6: axis-enum.patch
 Patch7: axis-jdk11.patch
+# PATCH-FIX-UPSTREAM bsc#1103658 CVE-2018-8032 cross-site scripting (XSS) attack in the default servlet/services
+Patch8: axis-CVE-2018-8032.patch
 BuildRequires: ant
 BuildRequires: ant-jdepend
 BuildRequires: antlr
@@ -99,6 +101,7 @@ Manual for axis
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 # Remove provided binaries
 find . -name "*.jar" -exec rm -f {} \;
@@ -153,8 +156,8 @@ install -m 644 %{SOURCE6} %{buildroot}%{_mavenpomdir}/JPP.%{name}-jaxrpc.pom
 %add_maven_depmap JPP.%{name}-jaxrpc.pom %{name}/jaxrpc.jar
 install -m 644 %{SOURCE7} %{buildroot}%{_mavenpomdir}/JPP.%{name}-saaj.pom
 %add_maven_depmap JPP.%{name}-saaj.pom %{name}/saaj.jar
-#install -m 644 %{S:8} $RPM_BUILD_ROOT%{_mavenpomdir}/JPP.%{name}-axis-schema.pom
-# % add_maven_depmap JPP.%{name}-axis-schema.pom %{name}/axis-schema.jar
+#install -m 644 %{S:8} $RPM_BUILD_ROOT%%{_mavenpomdir}/JPP.%%{name}-axis-schema.pom
+# % add_maven_depmap JPP.%%{name}-axis-schema.pom %%{name}/axis-schema.jar
 %files
 %doc LICENSE README release-notes.html changelog.html
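Review bot: `%patch8 -p1` in the `@@ -99,6 +101,7 @@` hunk applies a patch whose test-file hunks are addressed to `+++ b/org/apache/axis/war/Utils.java` and `+++ b/org/apache/axis/war/XssTest.java` while their `diff --git` headers still name `axis-war/src/test/java/...`, so the backport presumably drops JUnit/Truth/commons-io test sources at the tarball root that the ant build driven by this spec never compiles; worth confirming which of the two paths GNU patch picks and, if the files are dead weight, trimming the patch to the SerializationContext hunk so the security-relevant change is easier to audit and re-apply. The `# PATCH-FIX-UPSTREAM` tag added in the `@@ -48,6 +48,8 @@` hunk is the right marker; naming the upstream revision that is already in the patch header would make provenance checkable without opening the file, e.g. `# PATCH-FIX-UPSTREAM bsc#1103658 CVE-2018-8032 XSS in the default servlet/services (upstream svn r1831943)`.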