Repository: cxf Updated Branches: refs/heads/2.6.x-fixes f6e1f67c2 -> d9b159fbb
[CXF-5805] Invalid SOAP Envelope names are accepted Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d9b159fb Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d9b159fb Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d9b159fb Branch: refs/heads/2.6.x-fixes Commit: d9b159fbb74aaacecd4377c01a94bf3d70983d7f Parents: f6e1f67 Author: Akitoshi Yoshida <a...@apache.org> Authored: Mon Jun 16 10:23:02 2014 +0200 Committer: Akitoshi Yoshida <a...@apache.org> Committed: Mon Jun 16 10:26:34 2014 +0200 ---------------------------------------------------------------------- .../soap/interceptor/Messages.properties | 1 + .../interceptor/ReadHeadersInterceptor.java | 14 +++++-- .../binding/soap/ReadHeaderInterceptorTest.java | 18 ++++++++ .../cxf/binding/soap/test-bad-envname.xml | 43 ++++++++++++++++++++ 4 files changed, 72 insertions(+), 4 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d9b159fb/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
index 4db3ded..416c89b 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
@@ -28,6 +28,7 @@ NO_OPERATION=No such operation: {0}
 ATTACHMENT_IO=Attachment IO Exception: {0}
 INVALID_VERSION="{0}", the namespace on the "{1}" element, is not a valid SOAP version.
 INVALID_11_VERSION=A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint.
+INVALID_ENVELOPE=Invalid SOAP Envelope name
 INVALID_FAULT=Invalid SOAP fault content
 NO_NAMESPACE=No namespace on "{0}" element. You must send a SOAP request.
 BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I BP R2211)
http://git-wip-us.apache.org/repos/asf/cxf/blob/d9b159fb/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
index 9d7862b..9145dd3 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
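Review bot: The new `INVALID_ENVELOPE` entry in Messages.properties has no `{0}` placeholder, yet the call added in ReadHeadersInterceptor.readVersion passes the root element's local name as a message argument, so that argument is silently unused and the fault text never says which element was rejected. `NO_NAMESPACE` and `INVALID_VERSION` in the same bundle both name the offending value. Either write the entry as `INVALID_ENVELOPE="{0}" is not a valid SOAP Envelope element name.` or, if echoing the client-supplied name back in the fault is not wanted, drop the `lcname` argument at the call site so the two stay consistent.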
@@ -107,15 +107,21 @@ public class ReadHeadersInterceptor extends AbstractSoapInterceptor {
 public static SoapVersion readVersion(XMLStreamReader xmlReader, SoapMessage message) {
 String ns = xmlReader.getNamespaceURI();
+ String lcname = xmlReader.getLocalName();
 if (ns == null || "".equals(ns)) {
- throw new SoapFault(new Message("NO_NAMESPACE", LOG, xmlReader.getLocalName()),
+ throw new SoapFault(new Message("NO_NAMESPACE", LOG, lcname),
 Soap11.getInstance().getVersionMismatch());
 }
-
+
 SoapVersion soapVersion = SoapVersionFactory.getInstance().getSoapVersion(ns);
 if (soapVersion == null) {
- throw new SoapFault(new Message("INVALID_VERSION", LOG, ns, xmlReader.getLocalName()),
- Soap11.getInstance().getVersionMismatch());
+ throw new SoapFault(new Message("INVALID_VERSION", LOG, ns, lcname),
+ Soap11.getInstance().getVersionMismatch());
+ }
+
+ if (!"Envelope".equals(lcname)) {
+ throw new SoapFault(new Message("INVALID_ENVELOPE", LOG, lcname),
+ soapVersion.getSender());
 }
 message.setVersion(soapVersion);
 return soapVersion;
http://git-wip-us.apache.org/repos/asf/cxf/blob/d9b159fb/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java b/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
index 15ce682..db03adf 100644
--- a/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
+++ b/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
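Review bot: The fault code chosen for a wrong root local name, `soapVersion.getSender()`, looks right for SOAP 1.1 but probably not for SOAP 1.2, whose fault-code table assigns VersionMismatch to a root element whose namespace, local name or both do not match Envelope. That is worth confirming against the specification; if it holds, the 1.2 case should use `soapVersion.getVersionMismatch()`, assuming the `SoapVersion` interface exposes it the way `Soap11` does in this hunk. The new `if` would also benefit from a short comment such as `// root element must be {soap-ns}Envelope; any other local name is rejected (CXF-5805)`, because the exact, case-sensitive comparison is the whole point of the fix. The closing brace of readVersion lies outside the hunk.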
@@ -96,6 +96,24 @@ public class ReadHeaderInterceptorTest extends TestBase {
 }
 }
+
+ @Test
+ public void testBadSOAPEnvelopeName() throws Exception {
+ soapMessage = TestUtil.createEmptySoapMessage(Soap12.getInstance(), chain);
+ InputStream in = getClass().getResourceAsStream("test-bad-envname.xml");
+ assertNotNull(in);
+ ByteArrayDataSource bads = new ByteArrayDataSource(in, "test/xml");
+ soapMessage.setContent(InputStream.class, bads.getInputStream());
+
+ ReadHeadersInterceptor r = new ReadHeadersInterceptor(BusFactory.getDefaultBus());
+ try {
+ r.handleMessage(soapMessage);
+ fail("Did not throw exception");
+ } catch (SoapFault f) {
+ assertEquals(Soap11.getInstance().getSender(), f.getFaultCode());
+ }
+ }
+
 @Test
 public void testNoClosingEnvTage() throws Exception {
 assertTrue(testNoClosingEnvTag(Boolean.TRUE));
http://git-wip-us.apache.org/repos/asf/cxf/blob/d9b159fb/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml b/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml
new file mode 100644
index 0000000..da84745
--- /dev/null
+++ b/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml
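Review bot: testBadSOAPEnvelopeName creates the message with `Soap12.getInstance()`, but the fixture's root element is in the SOAP 1.1 namespace and the assertion expects `Soap11.getInstance().getSender()`, so only the 1.1 path of the new check is covered and the setup reads as a mismatch. Creating the message with `Soap11.getInstance()`, or adding a comment such as `// initial version is overwritten by readVersion from the envelope namespace`, would make the intent clear, if that is indeed what happens. A second fixture that uses the SOAP 1.2 namespace with a non-Envelope root would pin the fault code for that version too. The test asserts only the fault code, so it would still pass if a different Sender fault were raised later in handleMessage; checking the fault message as well would tie it to the new check.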
@@ -0,0 +1,43 @@
+<?xml version="1.0"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<env:ENVELOPE xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
+ <env:Body>
+ <!-- boyd test for processing comment here -->
+ <p:itinerary xmlns:p="http://travelcompany.example.org/reservation/travel">
+ <p:departure>
+ <p:departing>New York</p:departing>
+ <p:arriving>Los Angeles</p:arriving>
+ <p:departureDate>2001-12-14</p:departureDate>
+ <p:departureTime>late afternoon</p:departureTime>
+ <p:seatPreference>aisle</p:seatPreference>
+ </p:departure>
+ <p:return>
+ <p:departing>Los Angeles</p:departing>
+ <p:arriving>New York</p:arriving>
+ <p:departureDate>2001-12-20</p:departureDate>
+ <p:departureTime>mid-morning</p:departureTime>
+ <p:seatPreference/>
+ </p:return>
+ </p:itinerary>
+ <q:lodging xmlns:q="http://travelcompany.example.org/reservation/hotels">
+ <q:preference>none</q:preference>
+ </q:lodging>
+ </env:Body>
+</env:ENVELOPE>