[jboss-cvs] JBossAS SVN: r114711 - in branches/JBPAPP_5/testsuite: imports/sections and 8 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue Feb 11 11:43:37 EST 2014
Author: istudens at redhat.com
Date: 2014-02-11 11:43:37 -0500 (Tue, 11 Feb 2014)
New Revision: 114711
Added:
branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java
branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java
branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/
branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/
branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/
branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml
branches/JBPAPP_5/testsuite/src/resources/web/sendfile/
branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml
Modified:
branches/JBPAPP_5/testsuite/build.xml
branches/JBPAPP_5/testsuite/imports/sections/web.xml
Log:
adding a test-case for JBPAPP-10023
Modified: branches/JBPAPP_5/testsuite/build.xml
===================================================================
--- branches/JBPAPP_5/testsuite/build.xml 2014-02-10 18:29:46 UTC (rev 114710)
+++ branches/JBPAPP_5/testsuite/build.xml 2014-02-11 16:43:37 UTC (rev 114711)
@@ -1377,6 +1377,7 @@
<!-- A patternset that requires jboss to run with a security manager -->
<patternset id="securitymgr.includes">
<include name="**/test/securitymgr/test/*TestCase.class"/>
+ <include name="**/test/web/test/SendFileUnitTestCase.class"/>
</patternset>
<patternset id="securitymgr.excludes">
<exclude name="**/test/securitymgr/test/*"/>
Modified: branches/JBPAPP_5/testsuite/imports/sections/web.xml
===================================================================
--- branches/JBPAPP_5/testsuite/imports/sections/web.xml 2014-02-10 18:29:46 UTC (rev 114710)
+++ branches/JBPAPP_5/testsuite/imports/sections/web.xml 2014-02-11 16:43:37 UTC (rev 114711)
@@ -988,6 +988,13 @@
</fileset>
</war>
+ <!-- JBPAPP-10023 -->
+ <war destfile="${build.lib}/sendfile.war"
+ webxml="${build.resources}/web/sendfile/web.xml">
+ <classes dir="${build.classes}">
+ <include name="org/jboss/test/web/servlets/SendFileServlet.class"/>
+ </classes>
+ </war>
</target>
</project>
Added: branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java
===================================================================
--- branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java (rev 0)
+++ branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java 2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,59 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2014, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.web.servlets;
+
+import org.jboss.logging.Logger;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.Writer;
+
+/**
+ * It is for testing the security of org.apache.tomcat.sendfile function.
+ * It tries to read /etc/passwd file.
+ *
+ * @author istudens at redhat.com
+ * @version $Revision: 81036 $
+ */
+public class SendFileServlet extends HttpServlet
+{
+ static Logger log = Logger.getLogger(SendFileServlet.class);
+
+ private static final long serialVersionUID = 1L;
+
+ @Override
+ public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+ doPost(request, response);
+ }
+
+ @Override
+ public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+ Writer writer = response.getWriter();
+ request.setAttribute("org.apache.tomcat.sendfile.filename","/etc/passwd");
+ request.setAttribute("org.apache.tomcat.sendfile.start",Long.valueOf(0));
+ request.setAttribute("org.apache.tomcat.sendfile.end",Long.valueOf(99999999));
+ writer.write("CVE-2011-2526: You are not affected!");
+ }
+}
Added: branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java
===================================================================
--- branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java (rev 0)
+++ branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java 2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,79 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2014, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.web.test;
+
+import junit.framework.Test;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpMethodBase;
+import org.jboss.test.JBossTestCase;
+import org.jboss.test.util.web.HttpUtils;
+
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+/**
+ * Tests the security of org.apache.tomcat.sendfile function.
+ *
+ * See https://issues.jboss.org/browse/JBPAPP-10023
+ *
+ * @author istudens at redhat.com
+ * @version $Revision: 85945 $
+ */
+public class SendFileUnitTestCase extends JBossTestCase
+
+{
+ private String baseURL = HttpUtils.getBaseURL();
+
+ public static Test suite() throws Exception
+ {
+ return getDeploySetup(SendFileUnitTestCase.class, "sendfile.war");
+ }
+
+ public SendFileUnitTestCase(String name)
+ {
+ super(name);
+ }
+
+ public void testSendFile() throws Exception
+ {
+ log.info("++++++ testSendFile");
+ URL url = new URL(baseURL+"sendfile/sendfile");
+ HttpClient httpClient = new HttpClient();
+ HttpMethodBase request = HttpUtils.createMethod(url, HttpUtils.GET);
+
+ //sending a blank request
+ int responseCode = httpClient.executeMethod(request);
+ String responseBody = request.getResponseBodyAsString();
+
+ log.debug("response code: " + responseCode);
+ log.debug("response: " + responseBody);
+
+ if (responseCode == HttpURLConnection.HTTP_OK) {
+ assertTrue("sendfile is vulnerably open to any system file", responseBody.indexOf("You are not affected") > 0);
+ } else if (responseCode == HttpURLConnection.HTTP_INTERNAL_ERROR) {
+ assertTrue("java.io.FilePermission expected", responseBody.indexOf("java.io.FilePermission") > 0);
+ } else {
+ fail("unexpected response code " + responseCode);
+ }
+ }
+
+}
Added: branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml
===================================================================
--- branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml (rev 0)
+++ branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml 2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,168 @@
+<Server>
+
+ <!-- Optional listener which ensures correct init and shutdown of APR,
+ and provides information if it is not installed -->
+ <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+ <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+ <Listener className="org.apache.catalina.core.JasperListener" />
+
+ <Service name="jboss.web">
+
+ <!-- A HTTP/1.1 Connector on port 8080 -->
+ <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}"
+ connectionTimeout="20000" redirectPort="8443" useSendfile="true" />
+
+ <!-- Add this option to the connector to avoid problems with
+ .NET clients that don't implement HTTP/1.1 correctly
+ restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
+ -->
+
+ <!-- A AJP 1.3 Connector on port 8009 -->
+ <Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}"
+ redirectPort="8443" />
+
+ <!-- SSL/TLS Connector configuration using the admin devl guide keystore
+ <Connector protocol="HTTP/1.1" SSLEnabled="true"
+ port="8443" address="${jboss.bind.address}"
+ scheme="https" secure="true" clientAuth="false"
+ keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
+ keystorePass="rmi+ssl" sslProtocol = "TLS" />
+ -->
+
+ <Engine name="jboss.web" defaultHost="localhost">
+
+ <!-- The JAAS based authentication and authorization realm implementation
+ that is compatible with the jboss 3.2.x realm implementation.
+ - certificatePrincipal : the class name of the
+ org.jboss.security.auth.certs.CertificatePrincipal impl
+ used for mapping X509[] cert chains to a Princpal.
+ - allRolesMode : how to handle an auth-constraint with a role-name=*,
+ one of strict, authOnly, strictAuthOnly
+ + strict = Use the strict servlet spec interpretation which requires
+ that the user have one of the web-app/security-role/role-name
+ + authOnly = Allow any authenticated user
+ + strictAuthOnly = Allow any authenticated user only if there are no
+ web-app/security-roles
+ -->
+ <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
+ certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
+ allRolesMode="authOnly"
+ />
+ <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
+ behavior of JBossSecurityMgrRealm, but overrides the authorization
+ checks to use JACC permissions with the current java.security.Policy
+ to determine authorized access.
+ - allRolesMode : how to handle an auth-constraint with a role-name=*,
+ one of strict, authOnly, strictAuthOnly
+ + strict = Use the strict servlet spec interpretation which requires
+ that the user have one of the web-app/security-role/role-name
+ + authOnly = Allow any authenticated user
+ + strictAuthOnly = Allow any authenticated user only if there are no
+ web-app/security-roles
+ <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
+ certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
+ allRolesMode="authOnly"
+ />
+ -->
+
+ <Host name="localhost">
+
+ <!-- Uncomment to enable request dumper. This Valve "logs interesting
+ contents from the specified Request (before processing) and the
+ corresponding Response (after processing). It is especially useful
+ in debugging problems related to headers and cookies."
+ -->
+ <!--
+ <Valve className="org.apache.catalina.valves.RequestDumperValve" />
+ -->
+
+ <!-- Access logger -->
+ <!--
+ <Valve className="org.apache.catalina.valves.AccessLogValve"
+ prefix="localhost_access_log." suffix=".log"
+ pattern="common" directory="${jboss.server.log.dir}"
+ resolveHosts="false" />
+ -->
+
+ <!-- Uncomment to enable single sign-on across web apps
+ deployed to this host. Does not provide SSO across a cluster.
+
+ If this valve is used, do not use the JBoss ClusteredSingleSignOn
+ valve shown below.
+
+ A new configuration attribute is available beginning with
+ release 4.0.4:
+
+ cookieDomain configures the domain to which the SSO cookie
+ will be scoped (i.e. the set of hosts to
+ which the cookie will be presented). By default
+ the cookie is scoped to "/", meaning the host
+ that presented it. Set cookieDomain to a
+ wider domain (e.g. "xyz.com") to allow an SSO
+ to span more than one hostname.
+ -->
+ <!--
+ <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+ -->
+
+ <!-- Uncomment to enable single sign-on across web apps
+ deployed to this host AND to all other hosts in the cluster.
+
+ If this valve is used, do not use the standard Tomcat SingleSignOn
+ valve shown above.
+
+ Valve uses a JBossCache instance to support SSO credential
+ caching and replication across the cluster. The JBossCache
+ instance must be configured separately. See the
+ "jboss-web-clusteredsso-beans.xml" file in the
+ server/all/deploy directory for cache configuration details.
+
+ Besides the attributes supported by the standard Tomcat
+ SingleSignOn valve (see the Tomcat docs), this version also
+ supports the following attributes:
+
+ cookieDomain see non-clustered valve above
+
+ cacheConfig Name of the CacheManager service configuration
+ to use for the clustered SSO cache. See
+ deploy/cluster/jboss-cache-manager.sar/META-INF/jboss-cache-manager-jboss-beans.xml
+ Default is "clustered-sso".
+
+ treeCacheName Deprecated. Use "cacheConfig".
+ JMX ObjectName of the JBoss Cache MBean used to
+ support credential caching and replication across
+ the cluster. Only used if no cache can be located
+ from the CacheManager service using the "cacheConfig"
+ attribute (or its default value). If not set, the
+ default is "jboss.cache:service=TomcatClusteringCache"
+
+ maxEmptyLife The maximum number of seconds an SSO with no
+ active sessions will be usable by a request
+
+ processExpiresInterval The minimum number of seconds between
+ efforts by the valve to find and invalidate
+ SSO's that have exceeded their 'maxEmptyLife'.
+ Does not imply effort will be spent on such
+ cleanup every 'processExpiresInterval'.
+ -->
+ <!--
+ <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
+ -->
+
+ <!-- Check for unclosed connections and transaction terminated checks
+ in servlets/jsps.
+
+ Important: The dependency on the CachedConnectionManager
+ in META-INF/jboss-service.xml must be uncommented, too
+ -->
+
+ <Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve"
+ cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
+ transactionManagerObjectName="jboss:service=TransactionManager" />
+
+ </Host>
+ </Engine>
+
+ </Service>
+
+</Server>
Added: branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml
===================================================================
--- branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml (rev 0)
+++ branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml 2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app version="2.4"
+ xmlns="http://java.sun.com/xml/ns/j2ee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
+ http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
+
+ <description>Test of org.apache.tomcat.sendfile</description>
+
+ <servlet>
+ <servlet-name>SendFileServlet</servlet-name>
+ <servlet-class>org.jboss.test.web.servlets.SendFileServlet</servlet-class>
+ </servlet>
+
+ <servlet-mapping>
+ <servlet-name>SendFileServlet</servlet-name>
+ <url-pattern>/sendfile</url-pattern>
+ </servlet-mapping>
+</web-app>
Property changes on: branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml
___________________________________________________________________
Added: svn:mime-type
+ text/plain
More information about the jboss-cvs-commits
mailing list