Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@cxf.apache.org
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: ay@apache.org
To: commits@cxf.apache.org
Message-Id: <e3b9237ada00477e818233751e77b26e@git.apache.org>
Subject: git commit: [CXF-5805] Invalid SOAP Envelope names are accepted
Date: Mon, 16 Jun 2014 08:26:00 +0000 (UTC)

Repository: cxf
Updated Branches:
  refs/heads/2.7.x-fixes 5c3be52b1 -> 3a96429f6


[CXF-5805] Invalid SOAP Envelope names are accepted


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/3a96429f
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/3a96429f
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/3a96429f

Branch: refs/heads/2.7.x-fixes
Commit: 3a96429f6f7e51ec8f72492b8f2f3bb7a7045c43
Parents: 5c3be52
Author: Akitoshi Yoshida <ay@apache.org>
Authored: Mon Jun 16 10:23:02 2014 +0200
Committer: Akitoshi Yoshida <ay@apache.org>
Committed: Mon Jun 16 10:24:37 2014 +0200

----------------------------------------------------------------------
 .../soap/interceptor/Messages.properties        |  1 +
 .../interceptor/ReadHeadersInterceptor.java     | 14 +++++--
 .../binding/soap/ReadHeaderInterceptorTest.java | 18 ++++++++
 .../cxf/binding/soap/test-bad-envname.xml       | 43 ++++++++++++++++++++
 4 files changed, 72 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/3a96429f/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
index 4db3ded..416c89b 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/Messages.properties
@@ -28,6 +28,7 @@ NO_OPERATION=No such operation: {0}
 ATTACHMENT_IO=Attachment IO Exception: {0}
 INVALID_VERSION="{0}", the namespace on the "{1}" element, is not a valid SOAP version.
 INVALID_11_VERSION=A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint.
+INVALID_ENVELOPE=Invalid SOAP Envelope name
 INVALID_FAULT=Invalid SOAP fault content
 NO_NAMESPACE=No namespace on "{0}" element. You must send a SOAP request.
 BP_2211_RPCLIT_CANNOT_BE_NULL=Cannot write part {0}. RPC/Literal parts cannot be null. (WS-I BP R2211)

http://git-wip-us.apache.org/repos/asf/cxf/blob/3a96429f/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
index 9d7862b..9145dd3 100644
--- a/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
+++ b/rt/bindings/soap/src/main/java/org/apache/cxf/binding/soap/interceptor/ReadHeadersInterceptor.java
@@ -107,15 +107,21 @@ public class ReadHeadersInterceptor extends AbstractSoapInterceptor {
 
     public static SoapVersion readVersion(XMLStreamReader xmlReader, SoapMessage message) {
         String ns = xmlReader.getNamespaceURI();
+        String lcname = xmlReader.getLocalName();
         if (ns == null || "".equals(ns)) {
-            throw new SoapFault(new Message("NO_NAMESPACE", LOG, xmlReader.getLocalName()),
+            throw new SoapFault(new Message("NO_NAMESPACE", LOG, lcname),
                                 Soap11.getInstance().getVersionMismatch());
         }
-        
+
         SoapVersion soapVersion = SoapVersionFactory.getInstance().getSoapVersion(ns);
         if (soapVersion == null) {
-            throw new SoapFault(new Message("INVALID_VERSION", LOG, ns, xmlReader.getLocalName()),
-                                    Soap11.getInstance().getVersionMismatch());
+            throw new SoapFault(new Message("INVALID_VERSION", LOG, ns, lcname),
+                                Soap11.getInstance().getVersionMismatch());
+        }
+
+        if (!"Envelope".equals(lcname)) {
+            throw new SoapFault(new Message("INVALID_ENVELOPE", LOG, lcname),
+                                soapVersion.getSender());
         }
         message.setVersion(soapVersion);
         return soapVersion;

http://git-wip-us.apache.org/repos/asf/cxf/blob/3a96429f/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java b/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
index 15ce682..db03adf 100644
--- a/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
+++ b/rt/bindings/soap/src/test/java/org/apache/cxf/binding/soap/ReadHeaderInterceptorTest.java
@@ -96,6 +96,24 @@ public class ReadHeaderInterceptorTest extends TestBase {
         }
     }
 
+
+    @Test
+    public void testBadSOAPEnvelopeName() throws Exception {
+        soapMessage = TestUtil.createEmptySoapMessage(Soap12.getInstance(), chain);
+        InputStream in = getClass().getResourceAsStream("test-bad-envname.xml");
+        assertNotNull(in);
+        ByteArrayDataSource bads = new ByteArrayDataSource(in, "test/xml");
+        soapMessage.setContent(InputStream.class, bads.getInputStream());
+
+        ReadHeadersInterceptor r = new ReadHeadersInterceptor(BusFactory.getDefaultBus());
+        try {
+            r.handleMessage(soapMessage);
+            fail("Did not throw exception");
+        } catch (SoapFault f) {
+            assertEquals(Soap11.getInstance().getSender(), f.getFaultCode());
+        }
+    }
+
     @Test
     public void testNoClosingEnvTage() throws Exception {
         assertTrue(testNoClosingEnvTag(Boolean.TRUE));

http://git-wip-us.apache.org/repos/asf/cxf/blob/3a96429f/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml
----------------------------------------------------------------------
diff --git a/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml b/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml
new file mode 100644
index 0000000..da84745
--- /dev/null
+++ b/rt/bindings/soap/src/test/resources/org/apache/cxf/binding/soap/test-bad-envname.xml
@@ -0,0 +1,43 @@
+<?xml version="1.0"?>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one
+    or more contributor license agreements. See the NOTICE file
+    distributed with this work for additional information
+    regarding copyright ownership. The ASF licenses this file
+    to you under the Apache License, Version 2.0 (the
+    "License"); you may not use this file except in compliance
+    with the License. You may obtain a copy of the License at
+    
+    http://www.apache.org/licenses/LICENSE-2.0
+    
+    Unless required by applicable law or agreed to in writing,
+    software distributed under the License is distributed on an
+    "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+    KIND, either express or implied. See the License for the
+    specific language governing permissions and limitations
+    under the License.
+-->
+<env:ENVELOPE xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
+    <env:Body>
+        <!-- boyd test for processing comment here -->
+        <p:itinerary xmlns:p="http://travelcompany.example.org/reservation/travel">
+            <p:departure>
+                <p:departing>New York</p:departing>
+                <p:arriving>Los Angeles</p:arriving>
+                <p:departureDate>2001-12-14</p:departureDate>
+                <p:departureTime>late afternoon</p:departureTime>
+                <p:seatPreference>aisle</p:seatPreference>
+            </p:departure>
+            <p:return>
+                <p:departing>Los Angeles</p:departing>
+                <p:arriving>New York</p:arriving>
+                <p:departureDate>2001-12-20</p:departureDate>
+                <p:departureTime>mid-morning</p:departureTime>
+                <p:seatPreference/>
+            </p:return>
+        </p:itinerary>
+        <q:lodging xmlns:q="http://travelcompany.example.org/reservation/hotels">
+            <q:preference>none</q:preference>
+        </q:lodging>
+    </env:Body>
+</env:ENVELOPE>