Author: mageshbk(a)jboss.com
Date: 2009-01-07 04:06:02 -0500 (Wed, 07 Jan 2009)
New Revision: 8976
Added:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
Modified:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-core/src/java/org/jboss/ws/core/server/WSDLRequestHandler.java
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/ant-import/build-jars-jaxws.xml
Log:
[JBPAPP-1548] JBossWS - WSDL access url with resource suffix allows any arbitrary xml file
to be viewed
Modified:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-core/src/java/org/jboss/ws/core/server/WSDLRequestHandler.java
===================================================================
---
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-core/src/java/org/jboss/ws/core/server/WSDLRequestHandler.java 2009-01-06
22:39:26 UTC (rev 8975)
+++
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-core/src/java/org/jboss/ws/core/server/WSDLRequestHandler.java 2009-01-07
09:06:02 UTC (rev 8976)
@@ -71,10 +71,12 @@
public Document getDocumentForPath(URL reqURL, String wsdlHost, String resPath) throws
IOException
{
Document wsdlDoc;
-
+
// The WSDLFilePublisher should set the location to an URL
URL wsdlLocation = epMetaData.getServiceMetaData().getWsdlLocation();
-
+ if (wsdlLocation == null)
+ throw new IllegalStateException("Cannot obtain wsdl location");
+
// get the root wsdl
if (resPath == null)
{
@@ -85,11 +87,30 @@
// get some imported resource
else
{
- String impResourcePath = new File(wsdlLocation.getPath()).getParent() +
File.separatorChar + resPath;
+ File wsdlLocFile = new File(wsdlLocation.getPath());
+ String impResourcePath = wsdlLocFile.getParent() + File.separatorChar +
resPath;
File impResourceFile = new File(impResourcePath);
+ String wsdlPublishLoc =
epMetaData.getServiceMetaData().getWsdlPublishLocation();
- Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
- wsdlDoc = wsdlElement.getOwnerDocument();
+ log.debug("Importing resource file: " +
impResourceFile.getCanonicalPath());
+
+ String wsdlLocFilePath = wsdlLocFile.getParentFile().getCanonicalPath();
+ ServerConfig serverConfig =
ServerConfigFactory.getInstance().getServerConfig();
+ String wsdlDataLoc = serverConfig.getServerDataDir().getCanonicalPath() +
File.separatorChar + "wsdl";
+
+ //allow wsdl file's parent or server's data/wsdl or overriden wsdl
publish directories only
+ if (impResourceFile.getCanonicalPath().indexOf(wsdlLocFilePath) >= 0
+ || impResourceFile.getCanonicalPath().indexOf(wsdlDataLoc) >= 0
+ || (wsdlPublishLoc != null
+ && impResourceFile.getCanonicalPath().indexOf(new File(new
URL(wsdlPublishLoc).getPath()).getCanonicalPath()) >= 0))
+ {
+ Element wsdlElement = DOMUtils.parse(impResourceFile.toURL().openStream());
+ wsdlDoc = wsdlElement.getOwnerDocument();
+ }
+ else
+ {
+ throw new IOException("Access to this resource is not allowed");
+ }
}
modifyAddressReferences(reqURL, wsdlHost, resPath, wsdlDoc.getDocumentElement());
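Review bot: The allow-list on lines 65–69 tests `indexOf(...) >= 0`, i.e. substring containment anywhere in the canonical path, rather than a directory-prefix check, so a canonical path that merely contains one of the allowed directory strings somewhere inside it, or that starts with a sibling directory whose name shares the allowed prefix (`data/wsdl` vs `data/wsdl-old`), also passes. Compare against the allowed directory with a trailing separator and compute the canonical path once: `String target = impResourceFile.getCanonicalPath(); boolean allowed = target.startsWith(wsdlLocFilePath + File.separator) || target.startsWith(wsdlDataLoc + File.separator);` and the same form for the publish location. Computing `impResourceFile.getCanonicalPath()` once also avoids the four repeated filesystem lookups in the condition. `wsdlLocFile.getParentFile()` on line 57 can return null if the WSDL location path has no parent component, which would fail with a NullPointerException before the new guard is reached and is not covered by the `wsdlLocation` null check added in the previous hunk. The enclosing method getDocumentForPath begins in the previous hunk and continues past this one.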
Modified:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/ant-import/build-jars-jaxws.xml
===================================================================
---
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/ant-import/build-jars-jaxws.xml 2009-01-06
22:39:26 UTC (rev 8975)
+++
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/ant-import/build-jars-jaxws.xml 2009-01-07
09:06:02 UTC (rev 8976)
@@ -266,6 +266,14 @@
</metainf>
</jar>
+ <!-- jaxws-jbws2437 -->
+ <jar destfile="${tests.output.dir}/libs/jaxws-jbws2437.jar">
+ <fileset dir="${tests.output.dir}/classes">
+ <include name="org/jboss/test/ws/jaxws/jbws2437/*.class"/>
+ <exclude
name="org/jboss/test/ws/jaxws/jbws2437/*TestCase.class"/>
+ </fileset>
+ </jar>
+
<!-- jaxws metadata -->
<war warfile="${tests.output.dir}/libs/jaxws-metadata.war"
webxml="${tests.output.dir}/resources/jaxws/metadata/WEB-INF/web.xml">
<classes dir="${tests.output.dir}/classes">
Added:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
===================================================================
---
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
(rev 0)
+++
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java 2009-01-07
09:06:02 UTC (rev 8976)
@@ -0,0 +1,31 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import javax.jws.WebService;
+
+@WebService(name = "Hello", serviceName = "HelloService",
targetNamespace = "http://org.jboss.ws/jaxws/jbws2437")
+public interface Hello
+{
+
+ public String echo(String in0);
+}
Property changes on:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/Hello.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
===================================================================
---
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
(rev 0)
+++
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java 2009-01-07
09:06:02 UTC (rev 8976)
@@ -0,0 +1,47 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import javax.ejb.Stateless;
+import javax.jws.WebMethod;
+import javax.jws.WebParam;
+import javax.jws.WebService;
+import javax.jws.soap.SOAPBinding;
+
+import org.jboss.logging.Logger;
+import org.jboss.ws.annotation.WebContext;
+
+@Stateless
+@WebService(name = "Hello", serviceName = "HelloService",
targetNamespace = "http://org.jboss.ws/jaxws/jbws2437")
+@SOAPBinding(style = SOAPBinding.Style.RPC)
+@WebContext(contextRoot="jaxws-jbws2437", urlPattern="/*")
+public class HelloJavaBean implements Hello
+{
+ private Logger log = Logger.getLogger(HelloJavaBean.class);
+
+ @WebMethod
+ public String echo(@WebParam(name = "user") String in0)
+ {
+ log.info(in0);
+ return in0;
+ }
+}
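Review bot: The logger field on line 205 is a non-static, non-final instance field, so each bean instance looks up its own logger; the conventional form is `private static final Logger log = Logger.getLogger(HelloJavaBean.class);`. Line 210 also writes the raw request parameter to the log at INFO level unmodified; for a test fixture this is acceptable, but a comment such as `// test fixture: echoes and logs the caller-supplied value verbatim` would make the intent clear to anyone copying the pattern into production code.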
Property changes on:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/HelloJavaBean.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
===================================================================
---
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
(rev 0)
+++
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java 2009-01-07
09:06:02 UTC (rev 8976)
@@ -0,0 +1,83 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org.
+ */
+package org.jboss.test.ws.jaxws.jbws2437;
+
+import java.io.InputStream;
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+import junit.framework.Test;
+
+import org.jboss.test.ws.JBossWSTest;
+import org.jboss.test.ws.JBossWSTestSetup;
+
+
+/**
+ * Disallow access to directories other than "data/wsdl"
+ *
+ *
http://jira.jboss.org/jira/browse/JBWS-2437
+ *
+ * @author mageshbk(a)jboss.com
+ * @since 04-Jan-2009
+ */
+public class JBWS2437TestCase extends JBossWSTest
+{
+ public final String WSDL_LOCATION = "http://" + getServerHost() +
":8080/jaxws-jbws2437?wsdl";
+ public final String WSDL_RESOURCE = "&resource=../../ejb-deployer.xml";
+
+ public static Test suite() throws Exception
+ {
+ return JBossWSTestSetup.newTestSetup(JBWS2437TestCase.class,
"jaxws-jbws2437.jar");
+ }
+
+ public void testWSDLAccess() throws Exception
+ {
+ HttpURLConnection connection = (HttpURLConnection)new
URL(WSDL_LOCATION).openConnection();
+ InputStream in = connection.getInputStream();
+ int fileSize = in.available();
+ in.close();
+ assertTrue("WSDL cannot be accessed", fileSize > 0);
+ }
+
+ public void testOtherFileAccess() throws Exception
+ {
+ HttpURLConnection connection = (HttpURLConnection)new URL(WSDL_LOCATION +
WSDL_RESOURCE).openConnection();
+ if (connection.getResponseCode() == HttpURLConnection.HTTP_INTERNAL_ERROR)
+ {
+ InputStream in = connection.getErrorStream();
+ int fileSize = in.available();
+ byte[] output = new byte[fileSize];
+ in.read(output,0,fileSize);
+ String outputStr = new String(output);
+ in.close();
+ //if server throws a 500 error
+ assertTrue("Unrestricted access to xml files found",
outputStr.indexOf("Access to this resource is not allowed") >=0 );
+ }
+ else
+ {
+ InputStream in = connection.getInputStream();
+ int fileSize = in.available();
+ in.close();
+ assertTrue("Unrestricted access to xml files found", fileSize == 0);
+ }
+ }
+}
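Review bot: The else branch of testOtherFileAccess (lines 314–317) asserts `fileSize == 0` where fileSize comes from `in.available()`, which reports only the bytes currently buffered and can legitimately be 0 for a response that still has a body, so this regression test can pass even when the server does serve the requested file — the exact condition it is meant to catch. Read the stream to exhaustion and assert on the total instead, e.g. `byte[] buf = new byte[1024]; int total = 0, n; while ((n = in.read(buf)) > 0) total += n;` followed by `assertTrue("Unrestricted access to xml files found", total == 0)`. The same `available()`-sized single `read` on lines 303–305 may return fewer bytes than requested, so the error-message check can also miss, and `new String(output)` on line 306 decodes with the platform charset — pass an explicit charset. Closing the streams in a finally block would keep the connection from leaking when an assertion fails.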
Property changes on:
legacy/branches/jbossws-1.2.1.GA_CP/jbossws-tests/src/java/org/jboss/test/ws/jaxws/jbws2437/JBWS2437TestCase.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF