5647a93463
- Security fix: [bsc#1103658, CVE-2018-8032] * Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. * Added axis-CVE-2018-8032.patch OBS-URL: https://build.opensuse.org/request/show/646398 OBS-URL: https://build.opensuse.org/package/show/Java:packages/axis?expand=0&rev=35
From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001
|
|
From: Andreas Veithen <veithen@apache.org>
|
|
Date: Sun, 20 May 2018 20:10:32 +0000
|
|
Subject: [PATCH] Correctly escape namespace URIs in namespace declarations.
|
|
|
|
git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68
|
|
---
|
|
.../axis/encoding/SerializationContext.java | 11 ++--
|
|
axis-war/pom.xml | 13 +++++
|
|
.../test/java/org/apache/axis/war/Utils.java | 33 +++++++++++
|
|
.../java/org/apache/axis/war/XssTest.java | 57 +++++++++++++++++++
|
|
.../java/test/httpunit/HttpUnitTestBase.java | 5 +-
|
|
.../org/apache/axis/war/getVersion-xss.xml | 9 +++
|
|
pom.xml | 5 ++
|
|
7 files changed, 125 insertions(+), 8 deletions(-)
|
|
create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java
|
|
create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java
|
|
create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
|
|
|
|
diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java
|
|
index 0cf0ac907..f33ec28df 100644
|
|
--- a/src/org/apache/axis/encoding/SerializationContext.java
|
|
+++ b/src/org/apache/axis/encoding/SerializationContext.java
|
|
@@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes)
|
|
sb.append(':');
|
|
sb.append(map.getPrefix());
|
|
}
|
|
- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
|
|
+ String qname = sb.toString();
|
|
+ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
|
|
writer.write(' ');
|
|
- sb.append("=\"");
|
|
- sb.append(map.getNamespaceURI());
|
|
- sb.append('"');
|
|
- writer.write(sb.toString());
|
|
+ writer.write(qname);
|
|
+ writer.write("=\"");
|
|
+ getEncoder().writeEncoded(writer, map.getNamespaceURI());
|
|
+ writer.write('"');
|
|
}
|
|
}
|
|
}
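Review bot: Only the namespace URI is routed through `getEncoder().writeEncoded(...)`; the prefix half of the declaration, written one line earlier via `writer.write(qname)`, is still emitted verbatim, so the fix is complete only if `map.getPrefix()` is guaranteed to be a syntactically valid NCName (which a parsed document gives, but a mapping registered from an arbitrary string would not). Since the URI is written inside a double-quoted attribute value, it is also worth confirming that the encoder escapes `"` (and not just `<`, `>` and `&`) — the hunk does not show the encoder, so I cannot tell from here. A short why-comment would keep the next maintainer from undoing this: `// the URI may be echoed from the request; it must be XML-escaped inside the attribute value (CVE-2018-8032)`. The enclosing `startElement` method begins before the hunk and, as far as the visible braces show, may continue past it.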
|
|
diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java b/axis-war/src/test/java/org/apache/axis/war/Utils.java
|
|
new file mode 100644
|
|
index 000000000..77d03ee25
|
|
--- /dev/null
|
|
+++ b/org/apache/axis/war/Utils.java
|
|
@@ -0,0 +1,33 @@
|
|
+/*
|
|
+ * Licensed to the Apache Software Foundation (ASF) under one
|
|
+ * or more contributor license agreements. See the NOTICE file
|
|
+ * distributed with this work for additional information
|
|
+ * regarding copyright ownership. The ASF licenses this file
|
|
+ * to you under the Apache License, Version 2.0 (the
|
|
+ * "License"); you may not use this file except in compliance
|
|
+ * with the License. You may obtain a copy of the License at
|
|
+ *
|
|
+ * http://www.apache.org/licenses/LICENSE-2.0
|
|
+ *
|
|
+ * Unless required by applicable law or agreed to in writing,
|
|
+ * software distributed under the License is distributed on an
|
|
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
+ * KIND, either express or implied. See the License for the
|
|
+ * specific language governing permissions and limitations
|
|
+ * under the License.
|
|
+ */
|
|
+package org.apache.axis.war;
|
|
+
|
|
+import static org.junit.Assert.assertNotNull;
|
|
+
|
|
+public final class Utils {
|
|
+ private static String URL_PROPERTY = "test.functional.webapp.url";
|
|
+
|
|
+ private Utils() {}
|
|
+
|
|
+ public static String getWebappUrl() {
|
|
+ String url = System.getProperty(URL_PROPERTY);
|
|
+ assertNotNull(URL_PROPERTY + " not set", url);
|
|
+ return url;
|
|
+ }
|
|
+}
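Review bot: `URL_PROPERTY` in the new `Utils` class is a constant but is declared `private static String`, so it is mutable and not a compile-time constant; it should read `private static final String URL_PROPERTY = "test.functional.webapp.url";`. The class itself is final with a private constructor, which is the right shape for a utility holder. A one-line Javadoc on `getWebappUrl()` would also help, e.g. `/** Returns the base URL of the deployed test webapp, read from the {@code test.functional.webapp.url} system property; fails the test if unset. */`.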
|
|
diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java
|
|
new file mode 100644
|
|
index 000000000..0504e1a8c
|
|
--- /dev/null
|
|
+++ b/org/apache/axis/war/XssTest.java
|
|
@@ -0,0 +1,57 @@
|
|
+/*
|
|
+ * Licensed to the Apache Software Foundation (ASF) under one
|
|
+ * or more contributor license agreements. See the NOTICE file
|
|
+ * distributed with this work for additional information
|
|
+ * regarding copyright ownership. The ASF licenses this file
|
|
+ * to you under the Apache License, Version 2.0 (the
|
|
+ * "License"); you may not use this file except in compliance
|
|
+ * with the License. You may obtain a copy of the License at
|
|
+ *
|
|
+ * http://www.apache.org/licenses/LICENSE-2.0
|
|
+ *
|
|
+ * Unless required by applicable law or agreed to in writing,
|
|
+ * software distributed under the License is distributed on an
|
|
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
+ * KIND, either express or implied. See the License for the
|
|
+ * specific language governing permissions and limitations
|
|
+ * under the License.
|
|
+ */
|
|
+package org.apache.axis.war;
|
|
+
|
|
+import static com.google.common.truth.Truth.assertThat;
|
|
+
|
|
+import java.io.InputStream;
|
|
+import java.io.OutputStream;
|
|
+import java.net.HttpURLConnection;
|
|
+import java.net.URL;
|
|
+
|
|
+import org.apache.commons.io.IOUtils;
|
|
+import org.junit.Test;
|
|
+
|
|
+public class XssTest {
|
|
+ /**
|
|
+ * Tests for potential XSS vulnerability in the Version service.
|
|
+ * <p>
|
|
+ * The Version service returns a body with whatever namespace URI was used in the request. If
|
|
+ * the namespace URI is not properly encoded in the response, then this creates a potential
|
|
+ * XSS vulnerability.
|
|
+ *
|
|
+ * @throws Exception
|
|
+ */
|
|
+ @Test
|
|
+ public void testGetVersion() throws Exception {
|
|
+ HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection();
|
|
+ conn.setDoInput(true);
|
|
+ conn.setDoOutput(true);
|
|
+ conn.setRequestProperty("SOAPAction", "");
|
|
+ conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
|
|
+ InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml");
|
|
+ OutputStream out = conn.getOutputStream();
|
|
+ IOUtils.copy(payload, out);
|
|
+ payload.close();
|
|
+ out.close();
|
|
+ assertThat(conn.getResponseCode()).isEqualTo(200);
|
|
+ InputStream in = conn.getInputStream();
|
|
+ assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain("<script");
|
|
+ }
|
|
+}
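Review bot: `testGetVersion` never closes `in`, and `payload`/`out` are only closed on the success path, so a failing assertion or an I/O error leaks the connection's streams; the connection itself is never `disconnect()`ed either. `getResourceAsStream("getVersion-xss.xml")` can also return `null` when the resource is missing from the classpath, which would surface as a NullPointerException inside `IOUtils.copy` rather than a clear failure. Finally, `doesNotContain("<script")` alone would also pass on a response that dropped the namespace declaration altogether; if the test module compiles at Java 7 or later, try-with-resources plus a positive assertion on the escaped form makes the intent explicit (I am assuming the encoder emits the standard `&lt;` entity — confirm against the response).
```java
    public void testGetVersion() throws Exception {
        HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection();
        // … unchanged: setDoInput/setDoOutput and the two request headers …
        try (InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml");
             OutputStream out = conn.getOutputStream()) {
            assertThat(payload).isNotNull();
            IOUtils.copy(payload, out);
        }
        try {
            assertThat(conn.getResponseCode()).isEqualTo(200);
            try (InputStream in = conn.getInputStream()) {
                String body = IOUtils.toString(in, "UTF-8");
                assertThat(body).doesNotContain("<script");
                // the echoed URI must still be present, only escaped; otherwise a response
                // that silently dropped the namespace declaration would also pass
                assertThat(body).contains("&lt;script");
            }
        } finally {
            conn.disconnect();
        }
    }
```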
|
|
diff --git a/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java b/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java
|
|
index 8ca191a8d..98a66b5c5 100644
|
|
--- a/test/httpunit/HttpUnitTestBase.java
|
|
+++ b/test/httpunit/HttpUnitTestBase.java
|
|
@@ -22,6 +22,7 @@
|
|
import java.io.*;
|
|
import java.net.MalformedURLException;
|
|
|
|
+import org.apache.axis.war.Utils;
|
|
import org.xml.sax.SAXException;
|
|
|
|
/**
|
|
@@ -38,14 +39,12 @@ public HttpUnitTestBase(String s) {
|
|
super(s);
|
|
}
|
|
|
|
- private static String URL_PROPERTY="test.functional.webapp.url";
|
|
/**
|
|
* The JUnit setup method
|
|
*
|
|
*/
|
|
public void setUp() throws Exception {
|
|
- url=System.getProperty(URL_PROPERTY);
|
|
- assertNotNull(URL_PROPERTY+" not set",url);
|
|
+ url = Utils.getWebappUrl();
|
|
HttpUnitOptions.setExceptionsThrownOnErrorStatus(true);
|
|
HttpUnitOptions.setMatchesIgnoreCase(true);
|
|
HttpUnitOptions.setParserWarningsEnabled(true);
|
|
diff --git a/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml b/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
|
|
new file mode 100644
|
|
index 000000000..380009e16
|
|
--- /dev/null
|
|
+++ b/org/apache/axis/war/getVersion-xss.xml
|
|
@@ -0,0 +1,9 @@
|
|
+<soapenv:Envelope
|
|
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
|
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
|
|
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
|
|
+ xmlns:axis="http://axis.apache.org        "><script xmlns="http://www.w3.org/1999/xhtml">
            alert('Hello');
        </script>">
|
|
+ <soapenv:Body>
|
|
+ <axis:getVersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
|
|
+ </soapenv:Body>
|
|
+</soapenv:Envelope>
|