Author: mageshbk(a)jboss.com
Date: 2009-01-07 06:25:21 -0500 (Wed, 07 Jan 2009)
New Revision: 8977
Added:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java
Log:
[JBPAPP-1548] JBossWS - WSDL access url with resource suffix allows any arbitrary xml file
to be viewed
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml 2009-01-07
09:06:02 UTC (rev 8976)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP/ant-import-tests/build-jars-jaxws.xml 2009-01-07
11:25:21 UTC (rev 8977)
@@ -568,8 +568,16 @@
<webinf
dir="${tests.output.dir}/resources/jaxws/jbws2319/WEB-INF">
<include name="jboss-web.xml"/>
</webinf>
- </war>
+ </war>
+ <!-- jaxws-jbws2437 -->
+ <jar destfile="${tests.output.dir}/libs/jaxws-jbws2437.jar">
+ <fileset dir="${tests.output.dir}/classes">
+ <include name="org/jboss/test/ws/jaxws/jbws2437/*.class"/>
+ <exclude
name="org/jboss/test/ws/jaxws/jbws2437/*TestCase.class"/>
+ </fileset>
+ </jar>
+
<!-- jaxws namespace -->
<war warfile="${tests.output.dir}/libs/jaxws-namespace.war"
webxml="${tests.output.dir}/resources/jaxws/namespace/WEB-INF/web.xml">
<classes dir="${tests.output.dir}/classes">
Modified:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java 2009-01-07
09:06:02 UTC (rev 8976)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/main/java/org/jboss/ws/core/server/WSDLRequestHandler.java 2009-01-07
11:25:21 UTC (rev 8977)
@@ -30,8 +30,11 @@
import org.jboss.logging.Logger;
import org.jboss.ws.metadata.umdm.EndpointMetaData;
+import org.jboss.wsf.common.DOMUtils;
+import org.jboss.wsf.spi.SPIProvider;
+import org.jboss.wsf.spi.SPIProviderResolver;
import org.jboss.wsf.spi.management.ServerConfig;
-import org.jboss.wsf.common.DOMUtils;
+import org.jboss.wsf.spi.management.ServerConfigFactory;
import org.w3c.dom.Attr;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
@@ -88,11 +91,31 @@
// get some imported resource
else
{
- String impResourcePath = new File(wsdlLocation.getPath()).getParent() +
File.separatorChar + resPath;
+ File wsdlLocFile = new File(wsdlLocation.getPath());
+ String impResourcePath = wsdlLocFile.getParent() + File.separatorChar +
resPath;
File impResourceFile = new File(impResourcePath);
+ String wsdlPublishLoc =
epMetaData.getServiceMetaData().getWsdlPublishLocation();
- Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
- wsdlDoc = wsdlElement.getOwnerDocument();
+ log.debug("Importing resource file: " +
impResourceFile.getCanonicalPath());
+
+ String wsdlLocFilePath = wsdlLocFile.getParentFile().getCanonicalPath();
+ SPIProvider spiProvider = SPIProviderResolver.getInstance().getProvider();
+ ServerConfig serverConfig =
spiProvider.getSPI(ServerConfigFactory.class).getServerConfig();
+ String wsdlDataLoc = serverConfig.getServerDataDir().getCanonicalPath() +
File.separatorChar + "wsdl";
+
+ //allow wsdl file's parent or server's data/wsdl or overriden wsdl
publish directories only
+ if (impResourceFile.getCanonicalPath().indexOf(wsdlLocFilePath) >= 0
+ || impResourceFile.getCanonicalPath().indexOf(wsdlDataLoc) >= 0
+ || (wsdlPublishLoc != null
+ && impResourceFile.getCanonicalPath().indexOf(new File(new
URL(wsdlPublishLoc).getPath()).getCanonicalPath()) >= 0))
+ {
+ Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
+ wsdlDoc = wsdlElement.getOwnerDocument();
+ }
+ else
+ {
+ throw new IOException("Access to this resource is not allowed");
+ }
}
modifyAddressReferences(reqURL, wsdlHost, resPath, wsdlDoc.getDocumentElement());
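Review bot: The three `indexOf(...) >= 0` tests are substring matches, not prefix matches, so a canonical path that merely contains one of the allowed directory strings passes the allow-list — a sibling directory such as `data/wsdl-old` shares the `wsdlDataLoc` prefix, and any file whose canonical path happens to embed the allowed absolute path later in the string would also be admitted; whether such a file is reachable on a given server is not visible here, but the check should not depend on that. Compare against each root as a prefix terminated by a separator on a single canonicalized string, e.g. `String canonical = impResourceFile.getCanonicalPath();` followed by `canonical.startsWith(wsdlDataLoc + File.separator)`, which also expresses the intent that the resource must live inside the directory rather than just mention it. Computing `getCanonicalPath()` once instead of three times also removes a race window between the checks and the `openStream()` that follows. The enclosing method starts before and continues past this hunk.
```java
String canonical = impResourceFile.getCanonicalPath();
// … unchanged: wsdlLocFilePath / serverConfig / wsdlDataLoc computation …
boolean allowed = canonical.startsWith(wsdlLocFilePath + File.separator)
      || canonical.startsWith(wsdlDataLoc + File.separator);
if (!allowed && wsdlPublishLoc != null)
{
   String publishDir = new File(new URL(wsdlPublishLoc).getPath()).getCanonicalPath();
   allowed = canonical.startsWith(publishDir + File.separator);
}
if (allowed)
{
   // … unchanged: DOMUtils.parse(...) and wsdlDoc assignment …
}
```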
Added:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
(rev 0)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java 2009-01-07
11:25:21 UTC (rev 8977)
@@ -0,0 +1,31 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import javax.jws.WebService;
+
+@WebService(name = "Hello", serviceName = "HelloService",
targetNamespace = "http://org.jboss.ws/jaxws/jbws2437")
+public interface Hello
+{
+
+ public String echo(String in0);
+}
Property changes on:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
(rev 0)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java 2009-01-07
11:25:21 UTC (rev 8977)
@@ -0,0 +1,47 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import javax.ejb.Stateless;
+import javax.jws.WebMethod;
+import javax.jws.WebParam;
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.jboss.logging.Logger;
+import org.jboss.wsf.spi.annotation.WebContext;
+
+@Stateless
+@WebService(name = "Hello", serviceName = "HelloService",
targetNamespace = "http://org.jboss.ws/jaxws/jbws2437")
+@SOAPBinding(style = SOAPBinding.Style.RPC)
+@WebContext(contextRoot="jaxws-jbws2437", urlPattern="/*")
+public class HelloJavaBean implements Hello
+{
+ private Logger log = Logger.getLogger(HelloJavaBean.class);
+
+ @WebMethod
+ public String echo(@WebParam(name = "user") String in0)
+ {
+ log.info(in0);
+ return in0;
+ }
+}
Property changes on:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
===================================================================
---
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
(rev 0)
+++
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java 2009-01-07
11:25:21 UTC (rev 8977)
@@ -0,0 +1,69 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+import junit.framework.Test;
+
+import org.jboss.wsf.test.JBossWSTest;
+import org.jboss.wsf.test.JBossWSTestSetup;
+
+
+/**
+ * Disallow access to directories other than "data/wsdl"
+ *
+ *
http://jira.jboss.org/jira/browse/JBWS-2437
+ *
+ * @author mageshbk(a)jboss.com
+ * @since 04-Jan-2009
+ */
+public class JBWS2437TestCase extends JBossWSTest
+{
+ public final String WSDL_LOCATION = "http://" + getServerHost() +
":8080/jaxws-jbws2437?wsdl";
+ public final String WSDL_RESOURCE = "&resource=../../ejb-deployer.xml";
+
+ public static Test suite() throws Exception
+ {
+ return new JBossWSTestSetup(JBWS2437TestCase.class,
"jaxws-jbws2437.jar");
+ }
+
+ public void testWSDLAccess() throws Exception
+ {
+ HttpURLConnection connection = (HttpURLConnection)new
URL(WSDL_LOCATION).openConnection();
+ InputStream in = connection.getInputStream();
+ int fileSize = in.available();
+ in.close();
+ assertTrue("WSDL cannot be accessed", fileSize > 0);
+ }
+
+ public void testOtherFileAccess() throws Exception
+ {
+ HttpURLConnection connection = (HttpURLConnection)new URL(WSDL_LOCATION +
WSDL_RESOURCE).openConnection();
+ InputStream in = connection.getInputStream();
+ int fileSize = in.available();
+ in.close();
+ assertTrue("Unrestricted access to xml files found", fileSize == 0);
+ }
+}
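Review bot: `in.available()` in testOtherFileAccess and testWSDLAccess is not a content-length oracle — it reports bytes readable without blocking and may be 0 on a successful response that has not yet buffered, so the negative test can pass even when the file is served and the positive test can fail spuriously. If the server answers the rejected request with an HTTP error status, `connection.getInputStream()` throws an IOException before the assertion runs, turning the expected verdict into a test error. Assert on the status instead, e.g. `assertTrue("Unrestricted access to xml files found", connection.getResponseCode() != HttpURLConnection.HTTP_OK);`, and in testWSDLAccess read the stream to EOF (or check `getResponseCode() == HttpURLConnection.HTTP_OK`) rather than sampling `available()`. The class Javadoc says access is limited to `data/wsdl`, while the handler change also admits the WSDL's own parent directory and the configured publish location; stating that here would keep the test's description in step with the rule it verifies.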
Property changes on:
stack/native/branches/jbossws-native-2.0.1.SP2_CP/src/test/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF