axis-java-dev mailing list archives

From gdani...@apache.org
Subject cvs commit: xml-axis/java/src/org/apache/axis/transport/http AxisServlet.java
Date Fri, 05 Oct 2001 15:04:06 GMT
gdaniels    01/10/05 08:04:06

  Modified:    java/src/org/apache/axis/transport/http AxisServlet.java
  Log:
  Close security hole - disallow "?list" queries by default, but allow them
  to be turned on via a system property.
  
  Also clean up a couple of error messages.
  
  Revision  Changes    Path
  1.51      +25 -6     xml-axis/java/src/org/apache/axis/transport/http/AxisServlet.java
  
  Index: AxisServlet.java
  ===================================================================
  RCS file: /home/cvs/xml-axis/java/src/org/apache/axis/transport/http/AxisServlet.java,v
  retrieving revision 1.50
  retrieving revision 1.51
  diff -u -r1.50 -r1.51
  --- AxisServlet.java	2001/10/04 14:36:50	1.50
  +++ AxisServlet.java	2001/10/05 15:04:05	1.51
  @@ -93,6 +93,13 @@
       private AxisEngine engine = null;
       private ServletSecurityProvider securityProvider = null;
   
  +    /**
  +     * Should we enable the "?list" functionality on GETs?  (off by
  +     * default because deployment information is a potential security
  +     * hole)
  +     */
  +    private boolean enableList = false;
  +
       private static final String AXIS_ENGINE = "AxisEngine" ;
   
       public void init() {
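Review bot: The Javadoc on `enableList` says why the feature is off but not how it is turned on or what it exposes. I would name the switch and the data in the comment, for example `Controlled by the "axis.enableListQuery" system property, read once in init(); when true, a GET with ?list returns the engine's deployment configuration.` That gives an operator auditing a deployment one place to learn what the flag discloses.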
  @@ -108,6 +115,11 @@
           if ((param != null) && (param.equalsIgnoreCase("true"))) {
               securityProvider = new ServletSecurityProvider();
           }
  +
  +        param = System.getProperty("axis.enableListQuery");
  +        if (!(param == null) && (param.equalsIgnoreCase("true"))) {
  +            enableList = true;
  +        }
       }
   
       public AxisServer getEngine() {
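Review bot: `System.getProperty("axis.enableListQuery")` is a JVM-wide switch, so setting it enables `?list` for every AxisServlet loaded in the container, not only the deployment that wanted it. The `param` tested just above appears to come from servlet configuration (its assignment is outside the hunk). Reading the new flag the same way, e.g. `param = getInitParameter("axis.enableListQuery");`, would scope the opt-in to a single servlet. `System.getProperty` can also throw `SecurityException` under a restrictive security manager, which would abort `init()` here. As a style point, the null test is written `!(param == null)` while the check above uses `(param != null)`; using the same form in both keeps the two guards easy to compare.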
  @@ -178,17 +190,23 @@
                       } else {
                           res.setContentType("text/html");
                           writer.println("<h2>Axis Error</h2>");
  -                        writer.println("<p>No WSDL can be found!</p>");
  +                        writer.println("<p>Couldn't generate WSDL!</p>");
                       }
                   } else if (listRequested) {
  -                    Document doc = Admin.listConfig(engine);
  -                    if (doc != null) {
  -                        res.setContentType("text/xml");
  -                        XMLUtils.DocumentToWriter(doc, writer);
  +                    if (enableList) {
  +                        Document doc = Admin.listConfig(engine);
  +                        if (doc != null) {
  +                            res.setContentType("text/xml");
  +                            XMLUtils.DocumentToWriter(doc, writer);
  +                        } else {
  +                            res.setContentType("text/html");
  +                            writer.println("<h2>Axis Error</h2>");
  +                            writer.println("<p>Couldn't generate deployment list!</p>");
  +                        }
                       } else {
                           res.setContentType("text/html");
                           writer.println("<h2>Axis Error</h2>");
  -                        writer.println("<p>No Configuration list can be found!</p>");
  +                        writer.println("<p><i>?list</i> functionality
disabled.</p>");
                       }
                   } else if (req.getParameterNames().hasMoreElements()) {
                       res.setContentType("text/html");
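Review bot: In the `listRequested` branch the gate is all-or-nothing: once `enableList` is true, `Admin.listConfig(engine)` is written to any caller, and the visible lines do not consult `securityProvider` or any other caller check before disclosing deployment data. The disabled path also answers with an HTML body and no explicit status, so a refused `?list` probe will presumably look like a normal success in access logs and to monitoring. Adding `res.setStatus(HttpServletResponse.SC_FORBIDDEN);` before the "functionality disabled" message, plus a log line for the refused request, would make these attempts visible. The enclosing method starts and ends outside this hunk, so an authorization check earlier in the method cannot be ruled out.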
  @@ -206,6 +224,7 @@
                           }
                       }
                       if (method == null) {
  +                        writer.println("<h2>Axis Error : invoking via GET</h2>");
                           writer.println("<p>No method!</p>");
                           return;
                       }
  
  
  
