From ga...@apache.org
Subject svn commit: r759323 - in /webservices/axis2/branches/java/1_5/modules/kernel/src/org/apache/axis2: description/AxisService.java util/IOUtils.java
Date Fri, 27 Mar 2009 19:52:37 GMT
Author: gawor
Date: Fri Mar 27 19:52:37 2009
New Revision: 759323

URL: http://svn.apache.org/viewvc?rev=759323&view=rev
Log:
merged fix for Local File Inclusion Vulnerability on parsing WSDL related XSD files (AXIS2-4279)

Added:
    webservices/axis2/branches/java/1_5/modules/kernel/src/org/apache/axis2/util/IOUtils.java
      - copied unchanged from r758006, webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/util/IOUtils.java
Modified:
    webservices/axis2/branches/java/1_5/modules/kernel/src/org/apache/axis2/description/AxisService.java

Modified: webservices/axis2/branches/java/1_5/modules/kernel/src/org/apache/axis2/description/AxisService.java
URL: http://svn.apache.org/viewvc/webservices/axis2/branches/java/1_5/modules/kernel/src/org/apache/axis2/description/AxisService.java?rev=759323&r1=759322&r2=759323&view=diff
==============================================================================
--- webservices/axis2/branches/java/1_5/modules/kernel/src/org/apache/axis2/description/AxisService.java
(original)
+++ webservices/axis2/branches/java/1_5/modules/kernel/src/org/apache/axis2/description/AxisService.java
Fri Mar 27 19:52:37 2009
@@ -19,7 +19,6 @@
 
 package org.apache.axis2.description;
 
-import org.apache.axiom.attachments.utils.IOUtils;
 import org.apache.axiom.om.OMElement;
 import org.apache.axis2.AxisFault;
 import org.apache.axis2.Constants;
@@ -1245,16 +1244,21 @@
 				out.flush();
 				out.close();
 			} else {
+                            // make sure we are only serving .xsd files and ignore requests
with
+                            // ".." in the name.
+                            if (xsd.endsWith(".xsd") && xsd.indexOf("..") == -1)
{
 				InputStream in = getClassLoader().getResourceAsStream(
 						DeploymentConstants.META_INF + "/" + xsd);
 				if (in != null) {
-					out.write(IOUtils.getStreamAsByteArray(in));
-					out.flush();
-					out.close();
+                                    IOUtils.copy(in, out, true);
 				} else {
-					// Can't find the schema
-					return -1;
+                                    // Can't find the schema
+                                    return -1;
 				}
+                            } else {
+                                // bad schema request
+                                return -1;
+                            }
 			}
 		} else if (schemas.size() > 1) {
 			// multiple schemas are present and the user specified
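Review bot: The new guard at `if (xsd.endsWith(".xsd") && xsd.indexOf("..") == -1)` is a blocklist rather than an allowlist: it rejects `..` but still accepts `/` or `\` in the name, so any `.xsd` resource in a subdirectory of META-INF remains addressable, which is presumably wider than the intended "schema files of this service"; accepting only a simple file name, e.g. `if (xsd.endsWith(".xsd") && xsd.indexOf("..") == -1 && xsd.indexOf('/') == -1 && xsd.indexOf('\\') == -1) {`, is the stronger shape. The same guard is duplicated for `.wsdl` in the printWSDL2 hunk below; a single private helper such as `isSafeResourceName(String name, String suffix)` would keep the two checks from diverging. The meaning of the `true` argument to `IOUtils.copy(in, out, true)` lives in the added util/IOUtils.java, which is not shown here, so whether `in` is closed when the copy throws cannot be confirmed from this hunk. The inserted lines are space-indented inside a tab-indented block, which is visible in the hunk. The enclosing method starts and ends outside the hunk.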
@@ -1569,6 +1573,44 @@
 		}
 	}
 
+    /**
+     * Produces a WSDL2 for this AxisService and prints it to the specified
+     * OutputStream.
+     * 
+     * @param out
+     *            destination stream.
+     * @param wsdl
+     *            wsdl name
+     * @return -1 implies not found, 0 implies redirect to root, 1 implies
+     *         found/printed wsdl
+     * @throws IOException
+     */
+    public int printWSDL2(OutputStream out, String requestIP, String wsdl) 
+        throws IOException, AxisFault {    
+        // a name is present - try to pump the requested wsdl file
+        if (!"".equals(wsdl)) {
+            // make sure we are only serving .wsdl files and ignore requests with
+            // ".." in the name.
+            if (wsdl.endsWith(".wsdl") && wsdl.indexOf("..") == -1) {
+                InputStream in = getClassLoader().getResourceAsStream(
+                                    DeploymentConstants.META_INF + "/" + wsdl);
+                if (in != null) {
+                    IOUtils.copy(in, out, true);
+                } else {
+                    // can't find the wsdl
+                    return -1;
+                }
+            } else {
+                // bad wsdl2 request
+                return -1;
+            }
+        } else {
+            printWSDL2(out, requestIP);
+        }
+        
+        return 1;
+    }
+    
 	/**
 	 * Gets the description about the service which is specified in
 	 * services.xml.
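Review bot: The Javadoc on the new printWSDL2 overload documents `out` and `wsdl` but not `requestIP`, and its @throws lists only IOException although the signature also declares AxisFault; add `@param requestIP` (what the two-argument overload does with it is not visible here) and `@throws AxisFault`. The return contract says 0 means redirect to root, yet every path in this method returns -1 or 1, so that line should either be dropped or reworded to say the 0 case belongs to the two-argument overload, if it does. `!"".equals(wsdl)` accepts a null `wsdl` and the next line then calls `wsdl.endsWith`, so a null argument ends in a NullPointerException; if callers can pass null, treat it like the empty name with `if (wsdl != null && !"".equals(wsdl)) {`. The result of the inner `printWSDL2(out, requestIP)` call is not used, so a lookup failure on that path still reports 1 to the caller, assuming that overload signals failure through its return value rather than an exception.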


