[jboss-cvs] JBossAS SVN: r114711 - in branches/JBPAPP_5/testsuite: imports/sections and 8 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Tue Feb 11 11:43:37 EST 2014


Author: istudens at redhat.com
Date: 2014-02-11 11:43:37 -0500 (Tue, 11 Feb 2014)
New Revision: 114711

Added:
   branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java
   branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java
   branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/
   branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/
   branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/
   branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml
   branches/JBPAPP_5/testsuite/src/resources/web/sendfile/
   branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml
Modified:
   branches/JBPAPP_5/testsuite/build.xml
   branches/JBPAPP_5/testsuite/imports/sections/web.xml
Log:
adding a test-case for JBPAPP-10023

Modified: branches/JBPAPP_5/testsuite/build.xml
===================================================================
--- branches/JBPAPP_5/testsuite/build.xml	2014-02-10 18:29:46 UTC (rev 114710)
+++ branches/JBPAPP_5/testsuite/build.xml	2014-02-11 16:43:37 UTC (rev 114711)
@@ -1377,6 +1377,7 @@
    <!-- A patternset that requires jboss to run with a security manager -->
    <patternset id="securitymgr.includes">
       <include name="**/test/securitymgr/test/*TestCase.class"/>
+      <include name="**/test/web/test/SendFileUnitTestCase.class"/>
    </patternset>
    <patternset id="securitymgr.excludes">
       <exclude name="**/test/securitymgr/test/*"/>

Modified: branches/JBPAPP_5/testsuite/imports/sections/web.xml
===================================================================
--- branches/JBPAPP_5/testsuite/imports/sections/web.xml	2014-02-10 18:29:46 UTC (rev 114710)
+++ branches/JBPAPP_5/testsuite/imports/sections/web.xml	2014-02-11 16:43:37 UTC (rev 114711)
@@ -988,6 +988,13 @@
          </fileset>
       </war>
 
+      <!-- JBPAPP-10023 -->
+      <war destfile="${build.lib}/sendfile.war"
+              webxml="${build.resources}/web/sendfile/web.xml">
+          <classes dir="${build.classes}">
+            <include name="org/jboss/test/web/servlets/SendFileServlet.class"/>
+          </classes>
+       </war>
 
    </target>
 </project>

Added: branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java
===================================================================
--- branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java	                        (rev 0)
+++ branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/servlets/SendFileServlet.java	2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,59 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2014, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.web.servlets;
+
+import org.jboss.logging.Logger;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.io.Writer;
+
+/**
+ * It is for testing the security of org.apache.tomcat.sendfile function.
+ * It tries to read /etc/passwd file.
+ *
+ * @author istudens at redhat.com
+ * @version $Revision: 81036 $
+ */
+public class SendFileServlet extends HttpServlet
+{
+    static Logger log = Logger.getLogger(SendFileServlet.class);
+
+    private static final long serialVersionUID = 1L;
+
+    @Override
+    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+        doPost(request, response);
+    }
+
+    @Override
+    public void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
+        Writer writer = response.getWriter();
+        request.setAttribute("org.apache.tomcat.sendfile.filename","/etc/passwd");
+        request.setAttribute("org.apache.tomcat.sendfile.start",Long.valueOf(0));
+        request.setAttribute("org.apache.tomcat.sendfile.end",Long.valueOf(99999999));
+        writer.write("CVE-2011-2526: You are not affected!");
+    }
+}

Added: branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java
===================================================================
--- branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java	                        (rev 0)
+++ branches/JBPAPP_5/testsuite/src/main/org/jboss/test/web/test/SendFileUnitTestCase.java	2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,79 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2014, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.test.web.test;
+
+import junit.framework.Test;
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpMethodBase;
+import org.jboss.test.JBossTestCase;
+import org.jboss.test.util.web.HttpUtils;
+
+import java.net.HttpURLConnection;
+import java.net.URL;
+
+/**
+ * Tests the security of org.apache.tomcat.sendfile function.
+ *
+ * See https://issues.jboss.org/browse/JBPAPP-10023
+ *
+ * @author  istudens at redhat.com
+ * @version $Revision: 85945 $
+ */
+public class SendFileUnitTestCase extends JBossTestCase
+
+{
+	private String baseURL = HttpUtils.getBaseURL();
+
+    public static Test suite() throws Exception
+    {
+       return getDeploySetup(SendFileUnitTestCase.class, "sendfile.war");
+    }
+
+    public SendFileUnitTestCase(String name)
+    {
+       super(name);
+    }
+
+	public void testSendFile() throws Exception
+	{
+		log.info("++++++ testSendFile");
+		URL url = new URL(baseURL+"sendfile/sendfile");
+		HttpClient httpClient = new HttpClient();	      
+		HttpMethodBase request = HttpUtils.createMethod(url, HttpUtils.GET);
+
+		//sending a blank request
+        int responseCode = httpClient.executeMethod(request);
+        String responseBody = request.getResponseBodyAsString();
+
+        log.debug("response code: " + responseCode);
+        log.debug("response: " + responseBody);
+
+        if (responseCode == HttpURLConnection.HTTP_OK) {
+            assertTrue("sendfile is vulnerably open to any system file", responseBody.indexOf("You are not affected") > 0);
+        } else if (responseCode == HttpURLConnection.HTTP_INTERNAL_ERROR) {
+            assertTrue("java.io.FilePermission expected", responseBody.indexOf("java.io.FilePermission") > 0);
+        } else {
+            fail("unexpected response code " + responseCode);
+        }
+	}
+	
+}

Added: branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml
===================================================================
--- branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml	                        (rev 0)
+++ branches/JBPAPP_5/testsuite/src/resources/test-configs/secmgr/deploy/jbossweb.sar/server.xml	2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,168 @@
+<Server>
+
+   <!-- Optional listener which ensures correct init and shutdown of APR,
+        and provides information if it is not installed -->
+   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
+   <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
+   <Listener className="org.apache.catalina.core.JasperListener" />
+
+   <Service name="jboss.web">
+
+      <!-- A HTTP/1.1 Connector on port 8080 -->
+      <Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}" 
+               connectionTimeout="20000" redirectPort="8443" useSendfile="true" />
+
+      <!-- Add this option to the connector to avoid problems with 
+          .NET clients that don't implement HTTP/1.1 correctly 
+         restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
+      -->
+
+      <!-- A AJP 1.3 Connector on port 8009 -->
+      <Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}"
+         redirectPort="8443" />
+
+      <!-- SSL/TLS Connector configuration using the admin devl guide keystore
+      <Connector protocol="HTTP/1.1" SSLEnabled="true" 
+           port="8443" address="${jboss.bind.address}"
+           scheme="https" secure="true" clientAuth="false" 
+           keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
+           keystorePass="rmi+ssl" sslProtocol = "TLS" />
+      -->
+
+      <Engine name="jboss.web" defaultHost="localhost">
+
+         <!-- The JAAS based authentication and authorization realm implementation
+         that is compatible with the jboss 3.2.x realm implementation.
+         - certificatePrincipal : the class name of the
+         org.jboss.security.auth.certs.CertificatePrincipal impl
+         used for mapping X509[] cert chains to a Princpal.
+         - allRolesMode : how to handle an auth-constraint with a role-name=*,
+         one of strict, authOnly, strictAuthOnly
+           + strict = Use the strict servlet spec interpretation which requires
+           that the user have one of the web-app/security-role/role-name
+           + authOnly = Allow any authenticated user
+           + strictAuthOnly = Allow any authenticated user only if there are no
+           web-app/security-roles
+         -->
+         <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
+            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
+            allRolesMode="authOnly"
+            />
+         <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
+         behavior of JBossSecurityMgrRealm, but overrides the authorization
+         checks to use JACC permissions with the current java.security.Policy
+         to determine authorized access.
+         - allRolesMode : how to handle an auth-constraint with a role-name=*,
+         one of strict, authOnly, strictAuthOnly
+           + strict = Use the strict servlet spec interpretation which requires
+           that the user have one of the web-app/security-role/role-name
+           + authOnly = Allow any authenticated user
+           + strictAuthOnly = Allow any authenticated user only if there are no
+           web-app/security-roles
+         <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
+            certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
+            allRolesMode="authOnly"
+            />
+         -->
+
+         <Host name="localhost"> 
+
+            <!-- Uncomment to enable request dumper. This Valve "logs interesting 
+                 contents from the specified Request (before processing) and the 
+                 corresponding Response (after processing). It is especially useful 
+                 in debugging problems related to headers and cookies."
+            -->
+            <!--
+            <Valve className="org.apache.catalina.valves.RequestDumperValve" />
+            -->
+ 
+            <!-- Access logger -->
+            <!--
+            <Valve className="org.apache.catalina.valves.AccessLogValve"
+                prefix="localhost_access_log." suffix=".log"
+                pattern="common" directory="${jboss.server.log.dir}" 
+                resolveHosts="false" />
+            -->
+
+            <!-- Uncomment to enable single sign-on across web apps
+                deployed to this host. Does not provide SSO across a cluster.     
+            
+                If this valve is used, do not use the JBoss ClusteredSingleSignOn 
+                valve shown below.
+                
+                A new configuration attribute is available beginning with
+                release 4.0.4:
+                
+                cookieDomain  configures the domain to which the SSO cookie
+                              will be scoped (i.e. the set of hosts to
+                              which the cookie will be presented).  By default
+                              the cookie is scoped to "/", meaning the host
+                              that presented it.  Set cookieDomain to a
+                              wider domain (e.g. "xyz.com") to allow an SSO
+                              to span more than one hostname.
+             -->
+            <!--
+            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+            -->
+
+            <!-- Uncomment to enable single sign-on across web apps
+               deployed to this host AND to all other hosts in the cluster.
+            
+               If this valve is used, do not use the standard Tomcat SingleSignOn
+               valve shown above.
+            
+               Valve uses a JBossCache instance to support SSO credential 
+               caching and replication across the cluster.  The JBossCache 
+               instance must be configured separately.  See the 
+               "jboss-web-clusteredsso-beans.xml" file in the 
+               server/all/deploy directory for cache configuration details.
+            
+               Besides the attributes supported by the standard Tomcat
+               SingleSignOn valve (see the Tomcat docs), this version also 
+               supports the following attributes:
+            
+               cookieDomain   see non-clustered valve above
+               
+               cacheConfig    Name of the CacheManager service configuration
+                              to use for the clustered SSO cache. See
+                              deploy/cluster/jboss-cache-manager.sar/META-INF/jboss-cache-manager-jboss-beans.xml
+                              Default is "clustered-sso".
+               
+               treeCacheName  Deprecated. Use "cacheConfig". 
+                              JMX ObjectName of the JBoss Cache MBean used to 
+                              support credential caching and replication across
+                              the cluster. Only used if no cache can be located
+                              from the CacheManager service using the "cacheConfig"
+                              attribute (or its default value). If not set, the 
+                              default is "jboss.cache:service=TomcatClusteringCache"
+                              
+               maxEmptyLife   The maximum number of seconds an SSO with no 
+                              active sessions will be usable by a request
+                              
+               processExpiresInterval The minimum number of seconds between 
+                              efforts by the valve to find and invalidate 
+                              SSO's that have exceeded their 'maxEmptyLife'. 
+                              Does not imply effort will be spent on such
+                      			cleanup every 'processExpiresInterval'.
+            -->
+            <!--
+            <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
+            -->
+         
+            <!-- Check for unclosed connections and transaction terminated checks
+                 in servlets/jsps.
+                 
+                 Important: The dependency on the CachedConnectionManager
+                 in META-INF/jboss-service.xml must be uncommented, too
+           -->
+
+            <Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve"
+                cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
+                transactionManagerObjectName="jboss:service=TransactionManager" />
+                
+         </Host>
+      </Engine>
+
+   </Service>
+
+</Server>

Added: branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml
===================================================================
--- branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml	                        (rev 0)
+++ branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml	2014-02-11 16:43:37 UTC (rev 114711)
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app version="2.4"
+    xmlns="http://java.sun.com/xml/ns/j2ee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
+    http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
+    
+    <description>Test of org.apache.tomcat.sendfile</description>
+    
+    <servlet>
+        <servlet-name>SendFileServlet</servlet-name>
+        <servlet-class>org.jboss.test.web.servlets.SendFileServlet</servlet-class>
+    </servlet>
+    
+    <servlet-mapping>
+        <servlet-name>SendFileServlet</servlet-name>
+        <url-pattern>/sendfile</url-pattern>
+    </servlet-mapping>
+</web-app>


Property changes on: branches/JBPAPP_5/testsuite/src/resources/web/sendfile/web.xml
___________________________________________________________________
Added: svn:mime-type
   + text/plain



More information about the jboss-cvs-commits mailing list