Author: alessio.soldano(a)jboss.com
Date: 2012-07-30 04:00:44 -0400 (Mon, 30 Jul 2012)
New Revision: 16563
Modified:
stack/cxf/tags/jbossws-cxf-3.1.2.SP12/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java
Log:
svn merge -r 16561:16562
Modified:
stack/cxf/tags/jbossws-cxf-3.1.2.SP12/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java
===================================================================
---
stack/cxf/tags/jbossws-cxf-3.1.2.SP12/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java 2012-07-30
07:49:33 UTC (rev 16562)
+++
stack/cxf/tags/jbossws-cxf-3.1.2.SP12/modules/server/src/main/java/org/jboss/wsf/stack/cxf/DescriptorDeploymentAspect.java 2012-07-30
08:00:44 UTC (rev 16563)
@@ -79,7 +79,9 @@
cxfURL = generateCXFConfigFromDeployment(dep);
}
putCXFConfigToDeployment(dep, cxfURL);
- checkCVE20122379(dep, cxfURL);
+ if (!DISABLE_CVE_2012_2379_CHECK) {
+ checkCVE20122379(dep, cxfURL);
+ }
}
@Override
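Review bot: When DISABLE_CVE_2012_2379_CHECK is true the new guard skips checkCVE20122379 silently, so nothing in the server log records that a deployment was accepted with the CVE-2012-2379 SupportingTokens check bypassed, which is exactly what an operator auditing a weakened configuration needs to see. I would add an `else` branch that logs it, e.g. `else { log.warn("Skipping CVE-2012-2379 SupportingTokens check: disabled via system property " + DISABLE_CVE_2012_2379_CHECK_PROP); }`, using whatever logger this class already has (none is visible in the hunk). If one warning per JVM is preferred over one per deployment, the static initializer in the last hunk is the alternative place for it. The enclosing method begins outside this hunk.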
@@ -287,7 +289,9 @@
{
if (StAXUtils.match(reader, NAMESPACES, ASSERTIONS))
{
- throw new RuntimeException("WS-Security Policy SupportingTokens
not allowed due to known security vulnerability! URL: " + url);
+ throw new RuntimeException(
+ "WS-Security Policy SupportingTokens are not allowed, due
to a known security vulnerability affecting them (CVE-2012-2379). URL: " + url
+ + "\nYou can turn this check off at your own risk
setting system property " + DISABLE_CVE_2012_2379_CHECK_PROP + " to
true");
}
else if (search && StAXUtils.match(reader, searchNS,
searchLocalName))
{
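Review bot: The new exception message reads "turn this check off at your own risk setting system property", which drops the preposition and is the text a user will paste into a search or ticket, so it is worth getting right; I would change that fragment to `"\nYou can turn this check off at your own risk by setting system property " + DISABLE_CVE_2012_2379_CHECK_PROP + " to true"`. The enclosing method starts and ends outside this hunk.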
@@ -309,6 +313,7 @@
return endpoints;
}
+ private static final String DISABLE_CVE_2012_2379_CHECK_PROP =
"org.jboss.wsf.cxf.disableCVE20122379Check";
private static final String SP_NS_11 =
"http://schemas.xmlsoap.org/ws/2005/02/securitypolicy";
private static final String SP_NS_12 =
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
private static final String SP_NS_13 =
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802";
@@ -320,9 +325,11 @@
private static final String ENCRYPTED_SUPPORTING_TOKENS =
"EncryptedSupportingTokens";
private static final String ENDORSING_ENCRYPTED_SUPPORTING_TOKENS =
"EndorsingEncryptedSupportingTokens";
private static final String SIGNED_ENDORSING_ENCRYPTED_SUPPORTING_TOKENS =
"SignedEndorsingEncryptedSupportingTokens";
+ private static final boolean DISABLE_CVE_2012_2379_CHECK;
private static String[] NAMESPACES = new String[3];
private static String[] ASSERTIONS = new String[8];
static {
+ DISABLE_CVE_2012_2379_CHECK =
Boolean.getBoolean(DISABLE_CVE_2012_2379_CHECK_PROP);
NAMESPACES[0] = SP_NS_11;
NAMESPACES[1] = SP_NS_12;
NAMESPACES[2] = SP_NS_13;
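Review bot: DISABLE_CVE_2012_2379_CHECK is computed once in the static initializer via `Boolean.getBoolean(DISABLE_CVE_2012_2379_CHECK_PROP)`, so the opt-out is JVM-wide and fixed at class-load time: it cannot be applied to a single deployment, and setting the property after this class has loaded has no effect. Neither the field declaration nor the property constant states this, and it matters for anyone deciding whether the opt-out is acceptable on a shared server; I would put `// Read once at class load; JVM-wide, cannot be toggled per deployment or at runtime.` above `private static final boolean DISABLE_CVE_2012_2379_CHECK;`. If the stack can run under a SecurityManager that denies reading this property, the resulting SecurityException would surface as a class-initialization failure rather than as the check simply staying enabled, which may be worth confirming in that environment.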