Author: veithen
Date: Sun Jun  5 09:32:51 2016
New Revision: 1746886

URL: http://svn.apache.org/viewvc?rev=1746886&view=rev
Log:
AXIS2-5683: Merge r1746880 to the 1.7 branch to fix a potential XSS 
vulnerability in ListingAgent.

Modified:
    axis/axis2/java/core/branches/1_7/   (props changed)
    
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
    axis/axis2/java/core/branches/1_7/pom.xml
    
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java

Propchange: axis/axis2/java/core/branches/1_7/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sun Jun  5 09:32:51 2016
@@ -1,4 +1,4 @@
 /axis/axis2/java/core/branches/1_6:1295540
 /axis/axis2/java/core/branches/AXIOM-420:1334386-1336397
 
/axis/axis2/java/core/branches/AXIS2-4318:1230452,1295542,1324772,1327468,1329571,1332141,1335355,1335357,1340985
-/axis/axis2/java/core/trunk:1726494,1726509,1726513,1727171,1727174,1727177,1727180,1729891,1730095,1730139,1730180,1730186,1730195,1730197,1730222,1730300,1730308,1730310,1730317,1730322,1730335,1730369,1730427,1730618,1731425,1731441,1731446,1731448,1732354,1733137,1733663,1733713,1733766,1733770,1733773,1733850,1734176,1735331,1735795,1736512,1736543,1737030,1737567,1739001,1739186,1739343,1739346,1739348,1739493,1739592,1739594,1739815,1739826,1740693-1740694,1743824,1745826,1745860,1745869,1745875,1745912,1745924,1745929,1745941,1746001,1746028,1746109,1746782,1746784,1746787,1746813,1746842
+/axis/axis2/java/core/trunk:1726494,1726509,1726513,1727171,1727174,1727177,1727180,1729891,1730095,1730139,1730180,1730186,1730195,1730197,1730222,1730300,1730308,1730310,1730317,1730322,1730335,1730369,1730427,1730618,1731425,1731441,1731446,1731448,1732354,1733137,1733663,1733713,1733766,1733770,1733773,1733850,1734176,1735331,1735795,1736512,1736543,1737030,1737567,1739001,1739186,1739343,1739346,1739348,1739493,1739592,1739594,1739815,1739826,1740693-1740694,1743824,1745826,1745860,1745869,1745875,1745912,1745924,1745929,1745941,1746001,1746028,1746109,1746782,1746784,1746787,1746813,1746842,1746880

Modified: 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java?rev=1746886&r1=1746885&r2=1746886&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 Sun Jun  5 09:32:51 2016
@@ -240,12 +240,7 @@ public class ListingAgent extends Abstra
                 }
 
             } else {
-
-                OutputStream out = res.getOutputStream();
-                res.setContentType("text/html");
-                String outStr = "<b>No policy found for id="
-                                + idParam + "</b>";
-                out.write(outStr.getBytes());
+                res.sendError(HttpServletResponse.SC_NOT_FOUND);
             }
 
         } else {
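Review bot: The replacement on the `+` line leaves nothing in the code that records why the id must not be echoed, so a later edit could switch to `sendError(int, String)` with a message built from the request and reintroduce the AXIS2-5683 defect; a one-line comment would anchor the intent, e.g. `// AXIS2-5683: do not echo idParam in the error response (reflected XSS); a bare 404 is sufficient.` The same applies to the second hunk in this file, where `serviceName` was previously written into the response body. The old branch set the content type and wrote the body itself, whereas `sendError` delegates to the container and throws IllegalStateException if the response has already been committed on an earlier path, which cannot be judged here because the enclosing method begins before the hunk and its trailing `else` is cut. Whether the now-unused `OutputStream` import is still present is likewise outside the hunk.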
@@ -276,12 +271,7 @@ public class ListingAgent extends Abstra
                             e);
                 }
             } else {
-
-                OutputStream out = res.getOutputStream();
-                res.setContentType("text/html");
-                String outStr = "<b>No effective policy for "
-                                + serviceName + " service</b>";
-                out.write(outStr.getBytes());
+                res.sendError(HttpServletResponse.SC_NOT_FOUND);
             }
         }
     }

Modified: axis/axis2/java/core/branches/1_7/pom.xml
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/pom.xml?rev=1746886&r1=1746885&r2=1746886&view=diff
==============================================================================
--- axis/axis2/java/core/branches/1_7/pom.xml (original)
+++ axis/axis2/java/core/branches/1_7/pom.xml Sun Jun  5 09:32:51 2016
@@ -1293,6 +1293,12 @@
                 </configuration>
             </plugin>
             <plugin>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <configuration>
+                    <redirectTestOutputToFile>true</redirectTestOutputToFile>
+                </configuration>
+            </plugin>
+            <plugin>
                 <!-- Always build source JARs -->
                 <artifactId>maven-source-plugin</artifactId>
                 <executions>

Modified: 
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java?rev=1746886&r1=1746885&r2=1746886&view=diff
==============================================================================
--- 
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
 (original)
+++ 
axis/axis2/java/core/branches/1_7/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
 Sun Jun  5 09:32:51 2016
@@ -31,4 +31,14 @@ public class AxisServletITCase {
         tester.clickLinkWithExactText("Services");
         tester.assertLinkPresentWithExactText("Version");
     }
+
+    /**
+     * Regression test for AXIS2-5683.
+     */
+    @Test
+    public void testHandlePolicyRequestXSS() {
+        tester.setIgnoreFailingStatusCodes(true);
+        tester.beginAt("/services/Version?policy&id=<xss>");
+        tester.assertResponseCode(404);
+    }
 }
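Review bot: The regression test in `testHandlePolicyRequestXSS` pins only the status code, so a future change that returned 404 but still wrote the id into the error body would pass it; adding `tester.assertTextNotPresent("<xss>");` after the response-code assertion would check the property the fix is actually about. It also exercises only the `id` path of the policy handler; the other branch changed in this commit (the no-effective-policy case keyed on the service name) has no corresponding test, though whether that value is reachable from the request in the same way cannot be told from the hunk. The Javadoc could name the checked behavior, e.g. `Regression test for AXIS2-5683: an unknown policy id must yield a plain 404 and must not be reflected into the response body.`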

