Accepting request 646398 from home:pmonrealgonzalez:branches:Java:packages
- Security fix: [bsc#1103658, CVE-2018-8032] * Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services. * Added axis-CVE-2018-8032.patch OBS-URL: https://build.opensuse.org/request/show/646398 OBS-URL: https://build.opensuse.org/package/show/Java:packages/axis?expand=0&rev=35
This commit is contained in:
parent
086d3c537a
commit
824142e377
187
axis-CVE-2018-8032.patch
Normal file
@ -0,0 +1,187 @@
|
|||||||
|
From e7ce8a92bc02be54da102efb64c99aeee21a2106 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andreas Veithen <veithen@apache.org>
|
||||||
|
Date: Sun, 20 May 2018 20:10:32 +0000
|
||||||
|
Subject: [PATCH] Correctly escape namespace URIs in namespace declarations.
|
||||||
|
|
||||||
|
git-svn-id: https://svn.apache.org/repos/asf/axis/axis1/java/trunk@1831943 13f79535-47bb-0310-9956-ffa450edef68
|
||||||
|
---
|
||||||
|
.../axis/encoding/SerializationContext.java | 11 ++--
|
||||||
|
axis-war/pom.xml | 13 +++++
|
||||||
|
.../test/java/org/apache/axis/war/Utils.java | 33 +++++++++++
|
||||||
|
.../java/org/apache/axis/war/XssTest.java | 57 +++++++++++++++++++
|
||||||
|
.../java/test/httpunit/HttpUnitTestBase.java | 5 +-
|
||||||
|
.../org/apache/axis/war/getVersion-xss.xml | 9 +++
|
||||||
|
pom.xml | 5 ++
|
||||||
|
7 files changed, 125 insertions(+), 8 deletions(-)
|
||||||
|
create mode 100644 axis-war/src/test/java/org/apache/axis/war/Utils.java
|
||||||
|
create mode 100644 axis-war/src/test/java/org/apache/axis/war/XssTest.java
|
||||||
|
create mode 100644 axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
|
||||||
|
|
||||||
|
diff --git a/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java b/axis-rt-core/src/main/java/org/apache/axis/encoding/SerializationContext.java
|
||||||
|
index 0cf0ac907..f33ec28df 100644
|
||||||
|
--- a/src/org/apache/axis/encoding/SerializationContext.java
|
||||||
|
+++ b/src/org/apache/axis/encoding/SerializationContext.java
|
||||||
|
@@ -1181,12 +1181,13 @@ public void startElement(QName qName, Attributes attributes)
|
||||||
|
sb.append(':');
|
||||||
|
sb.append(map.getPrefix());
|
||||||
|
}
|
||||||
|
- if ((vecQNames==null) || (vecQNames.indexOf(sb.toString())==-1)) {
|
||||||
|
+ String qname = sb.toString();
|
||||||
|
+ if ((vecQNames==null) || (vecQNames.indexOf(qname)==-1)) {
|
||||||
|
writer.write(' ');
|
||||||
|
- sb.append("=\"");
|
||||||
|
- sb.append(map.getNamespaceURI());
|
||||||
|
- sb.append('"');
|
||||||
|
- writer.write(sb.toString());
|
||||||
|
+ writer.write(qname);
|
||||||
|
+ writer.write("=\"");
|
||||||
|
+ getEncoder().writeEncoded(writer, map.getNamespaceURI());
|
||||||
|
+ writer.write('"');
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
diff --git a/axis-war/src/test/java/org/apache/axis/war/Utils.java b/axis-war/src/test/java/org/apache/axis/war/Utils.java
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..77d03ee25
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/org/apache/axis/war/Utils.java
|
||||||
|
@@ -0,0 +1,33 @@
|
||||||
|
+/*
|
||||||
|
+ * Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
+ * or more contributor license agreements. See the NOTICE file
|
||||||
|
+ * distributed with this work for additional information
|
||||||
|
+ * regarding copyright ownership. The ASF licenses this file
|
||||||
|
+ * to you under the Apache License, Version 2.0 (the
|
||||||
|
+ * "License"); you may not use this file except in compliance
|
||||||
|
+ * with the License. You may obtain a copy of the License at
|
||||||
|
+ *
|
||||||
|
+ * http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
+ *
|
||||||
|
+ * Unless required by applicable law or agreed to in writing,
|
||||||
|
+ * software distributed under the License is distributed on an
|
||||||
|
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
+ * KIND, either express or implied. See the License for the
|
||||||
|
+ * specific language governing permissions and limitations
|
||||||
|
+ * under the License.
|
||||||
|
+ */
|
||||||
|
+package org.apache.axis.war;
|
||||||
|
+
|
||||||
|
+import static org.junit.Assert.assertNotNull;
|
||||||
|
+
|
||||||
|
+public final class Utils {
|
||||||
|
+ private static String URL_PROPERTY = "test.functional.webapp.url";
|
||||||
|
+
|
||||||
|
+ private Utils() {}
|
||||||
|
+
|
||||||
|
+ public static String getWebappUrl() {
|
||||||
|
+ String url = System.getProperty(URL_PROPERTY);
|
||||||
|
+ assertNotNull(URL_PROPERTY + " not set", url);
|
||||||
|
+ return url;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
diff --git a/axis-war/src/test/java/org/apache/axis/war/XssTest.java b/axis-war/src/test/java/org/apache/axis/war/XssTest.java
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..0504e1a8c
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/org/apache/axis/war/XssTest.java
|
||||||
|
@@ -0,0 +1,57 @@
|
||||||
|
+/*
|
||||||
|
+ * Licensed to the Apache Software Foundation (ASF) under one
|
||||||
|
+ * or more contributor license agreements. See the NOTICE file
|
||||||
|
+ * distributed with this work for additional information
|
||||||
|
+ * regarding copyright ownership. The ASF licenses this file
|
||||||
|
+ * to you under the Apache License, Version 2.0 (the
|
||||||
|
+ * "License"); you may not use this file except in compliance
|
||||||
|
+ * with the License. You may obtain a copy of the License at
|
||||||
|
+ *
|
||||||
|
+ * http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
+ *
|
||||||
|
+ * Unless required by applicable law or agreed to in writing,
|
||||||
|
+ * software distributed under the License is distributed on an
|
||||||
|
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||||
|
+ * KIND, either express or implied. See the License for the
|
||||||
|
+ * specific language governing permissions and limitations
|
||||||
|
+ * under the License.
|
||||||
|
+ */
|
||||||
|
+package org.apache.axis.war;
|
||||||
|
+
|
||||||
|
+import static com.google.common.truth.Truth.assertThat;
|
||||||
|
+
|
||||||
|
+import java.io.InputStream;
|
||||||
|
+import java.io.OutputStream;
|
||||||
|
+import java.net.HttpURLConnection;
|
||||||
|
+import java.net.URL;
|
||||||
|
+
|
||||||
|
+import org.apache.commons.io.IOUtils;
|
||||||
|
+import org.junit.Test;
|
||||||
|
+
|
||||||
|
+public class XssTest {
|
||||||
|
+ /**
|
||||||
|
+ * Tests for potential XSS vulnerability in the Version service.
|
||||||
|
+ * <p>
|
||||||
|
+ * The Version service returns a body with whatever namespace URI was used in the request. If
|
||||||
|
+ * the namespace URI is not properly encoded in the response, then this creates a potential
|
||||||
|
+ * XSS vulnerability.
|
||||||
|
+ *
|
||||||
|
+ * @throws Exception
|
||||||
|
+ */
|
||||||
|
+ @Test
|
||||||
|
+ public void testGetVersion() throws Exception {
|
||||||
|
+ HttpURLConnection conn = (HttpURLConnection)new URL(Utils.getWebappUrl() + "/services/Version").openConnection();
|
||||||
|
+ conn.setDoInput(true);
|
||||||
|
+ conn.setDoOutput(true);
|
||||||
|
+ conn.setRequestProperty("SOAPAction", "");
|
||||||
|
+ conn.setRequestProperty("Content-Type", "text/xml;charset=UTF-8");
|
||||||
|
+ InputStream payload = XssTest.class.getResourceAsStream("getVersion-xss.xml");
|
||||||
|
+ OutputStream out = conn.getOutputStream();
|
||||||
|
+ IOUtils.copy(payload, out);
|
||||||
|
+ payload.close();
|
||||||
|
+ out.close();
|
||||||
|
+ assertThat(conn.getResponseCode()).isEqualTo(200);
|
||||||
|
+ InputStream in = conn.getInputStream();
|
||||||
|
+ assertThat(IOUtils.toString(in, "UTF-8")).doesNotContain("<script");
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
diff --git a/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java b/axis-war/src/test/java/test/httpunit/HttpUnitTestBase.java
|
||||||
|
index 8ca191a8d..98a66b5c5 100644
|
||||||
|
--- a/test/httpunit/HttpUnitTestBase.java
|
||||||
|
+++ b/test/httpunit/HttpUnitTestBase.java
|
||||||
|
@@ -22,6 +22,7 @@
|
||||||
|
import java.io.*;
|
||||||
|
import java.net.MalformedURLException;
|
||||||
|
|
||||||
|
+import org.apache.axis.war.Utils;
|
||||||
|
import org.xml.sax.SAXException;
|
||||||
|
|
||||||
|
/**
|
||||||
|
@@ -38,14 +39,12 @@ public HttpUnitTestBase(String s) {
|
||||||
|
super(s);
|
||||||
|
}
|
||||||
|
|
||||||
|
- private static String URL_PROPERTY="test.functional.webapp.url";
|
||||||
|
/**
|
||||||
|
* The JUnit setup method
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public void setUp() throws Exception {
|
||||||
|
- url=System.getProperty(URL_PROPERTY);
|
||||||
|
- assertNotNull(URL_PROPERTY+" not set",url);
|
||||||
|
+ url = Utils.getWebappUrl();
|
||||||
|
HttpUnitOptions.setExceptionsThrownOnErrorStatus(true);
|
||||||
|
HttpUnitOptions.setMatchesIgnoreCase(true);
|
||||||
|
HttpUnitOptions.setParserWarningsEnabled(true);
|
||||||
|
diff --git a/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml b/axis-war/src/test/resources/org/apache/axis/war/getVersion-xss.xml
|
||||||
|
new file mode 100644
|
||||||
|
index 000000000..380009e16
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/org/apache/axis/war/getVersion-xss.xml
|
||||||
|
@@ -0,0 +1,9 @@
|
||||||
|
+<soapenv:Envelope
|
||||||
|
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||||
|
+ xmlns:xsd="http://www.w3.org/2001/XMLSchema"
|
||||||
|
+ xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
|
||||||
|
+ xmlns:axis="http://axis.apache.org        "><script xmlns="http://www.w3.org/1999/xhtml">
            alert('Hello');
        </script>">
|
||||||
|
+ <soapenv:Body>
|
||||||
|
+ <axis:getVersion soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"/>
|
||||||
|
+ </soapenv:Body>
|
||||||
|
+</soapenv:Envelope>
|
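Review bot: The assertion in `XssTest.testGetVersion`, `doesNotContain("<script")`, only proves that this one sample payload is not echoed verbatim; it would pass just as well if the service dropped the namespace declaration or answered with an error page, so capture the body in a local and also assert the escaped form is present, e.g. `assertThat(body).contains("&lt;script");` (the exact entity form depends on what `getEncoder().writeEncoded` emits — confirm), or that the body parses as well-formed XML. In the `SerializationContext` hunk the prefix half of the declaration (`writer.write(qname)`) is still written unencoded while only the URI goes through `writeEncoded`; if that is safe because the prefix is always an NCName coming out of the parser, a comment stating the invariant would help, e.g. `// prefix is a parsed NCName; the URI is request-controlled and must be escaped`. `Utils.URL_PROPERTY` should be `private static final String`, not a mutable static. The embedded test hunks also pull in JUnit 4, Truth and commons-io and add files under `org/apache/axis/war/` and `test/httpunit/` that the Axis 1.4 ant build may not compile or have on its classpath — whether the package build runs these tests cannot be told from here, but the `SerializationContext` hunk is the only one the fix itself needs.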
@ -1,3 +1,12 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 5 11:43:14 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>
|
||||||
|
|
||||||
|
- Security fix: [bsc#1103658, CVE-2018-8032]
|
||||||
|
* Apache Axis 1.x up to and including 1.4 is vulnerable to a
|
||||||
|
cross-site scripting (XSS) attack in the default
|
||||||
|
servlet/services.
|
||||||
|
* Added axis-CVE-2018-8032.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Tue Jul 10 16:47:47 UTC 2018 - fstrba@suse.com
|
Tue Jul 10 16:47:47 UTC 2018 - fstrba@suse.com
|
||||||
|
|
||||||
|
@ -12,7 +12,7 @@
|
|||||||
# license that conforms to the Open Source Definition (Version 1.9)
|
# license that conforms to the Open Source Definition (Version 1.9)
|
||||||
# published by the Open Source Initiative.
|
# published by the Open Source Initiative.
|
||||||
|
|
||||||
# Please submit bugfixes or comments via http://bugs.opensuse.org/
|
# Please submit bugfixes or comments via https://bugs.opensuse.org/
|
||||||
#
|
#
|
||||||
|
|
||||||
|
|
||||||
@ -48,6 +48,8 @@ Patch4: axis-encoding.patch
|
|||||||
Patch5: axis-compareto.patch
|
Patch5: axis-compareto.patch
|
||||||
Patch6: axis-enum.patch
|
Patch6: axis-enum.patch
|
||||||
Patch7: axis-jdk11.patch
|
Patch7: axis-jdk11.patch
|
||||||
|
# PATCH-FIX-UPSTREAM bsc#1103658 CVE-2018-8032 cross-site scripting (XSS) attack in the default servlet/services
|
||||||
|
Patch8: axis-CVE-2018-8032.patch
|
||||||
BuildRequires: ant
|
BuildRequires: ant
|
||||||
BuildRequires: ant-jdepend
|
BuildRequires: ant-jdepend
|
||||||
BuildRequires: antlr
|
BuildRequires: antlr
|
||||||
@ -99,6 +101,7 @@ Manual for axis
|
|||||||
%patch5 -p1
|
%patch5 -p1
|
||||||
%patch6 -p1
|
%patch6 -p1
|
||||||
%patch7 -p1
|
%patch7 -p1
|
||||||
|
%patch8 -p1
|
||||||
|
|
||||||
# Remove provided binaries
|
# Remove provided binaries
|
||||||
find . -name "*.jar" -exec rm -f {} \;
|
find . -name "*.jar" -exec rm -f {} \;
|
||||||
@ -153,8 +156,8 @@ install -m 644 %{SOURCE6} %{buildroot}%{_mavenpomdir}/JPP.%{name}-jaxrpc.pom
|
|||||||
%add_maven_depmap JPP.%{name}-jaxrpc.pom %{name}/jaxrpc.jar
|
%add_maven_depmap JPP.%{name}-jaxrpc.pom %{name}/jaxrpc.jar
|
||||||
install -m 644 %{SOURCE7} %{buildroot}%{_mavenpomdir}/JPP.%{name}-saaj.pom
|
install -m 644 %{SOURCE7} %{buildroot}%{_mavenpomdir}/JPP.%{name}-saaj.pom
|
||||||
%add_maven_depmap JPP.%{name}-saaj.pom %{name}/saaj.jar
|
%add_maven_depmap JPP.%{name}-saaj.pom %{name}/saaj.jar
|
||||||
#install -m 644 %{S:8} $RPM_BUILD_ROOT%{_mavenpomdir}/JPP.%{name}-axis-schema.pom
|
#install -m 644 %{S:8} $RPM_BUILD_ROOT%%{_mavenpomdir}/JPP.%%{name}-axis-schema.pom
|
||||||
# % add_maven_depmap JPP.%{name}-axis-schema.pom %{name}/axis-schema.jar
|
# % add_maven_depmap JPP.%%{name}-axis-schema.pom %%{name}/axis-schema.jar
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%doc LICENSE README release-notes.html changelog.html
|
%doc LICENSE README release-notes.html changelog.html
|
||||||
|