cxf-dev mailing list archives

From Glen Mazza <glen.ma...@verizon.net>
Subject Re: svn commit: r582385 - in /incubator/cxf/trunk: common/common/src/main/java/org/apache/cxf/helpers/ rt/core/src/main/java/org/apache/cxf/transport/http/ systests/src/test/java/org/apache/cxf/systest/http_jetty/ systests/src/test/java/org/apache/cxf/syst...
Date Fri, 05 Oct 2007 23:01:35 GMT
On Friday, 05.10.2007, at 20:57 +0000, dkulp@apache.org wrote:

> Author: dkulp
> Date: Fri Oct  5 13:57:29 2007
> New Revision: 582385
> 
> Modified: incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxws/OASISCatalogTest.java
> URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxws/OASISCatalogTest.java?rev=582385&r1=582384&r2=582385&view=diff
> ==============================================================================
> --- incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxws/OASISCatalogTest.java
(original)
> +++ incubator/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxws/OASISCatalogTest.java
Fri Oct  5 13:57:29 2007
> @@ -19,20 +19,24 @@
>  
>  
> +    @Test
> +    public void testWSDLPublishWithCatalogs() throws Exception {
> +        Endpoint ep = Endpoint.publish(null, new GreeterImpl());
> +        try {
> +            URL url = new URL("http://localhost:9000/SoapContext/SoapPort?"
> +                              + "xsd=testutils/hello_world_schema2.xsd");
> +            assertNotNull(url.getContent());
> +            
> +            
> +            url = new URL("http://localhost:9000/SoapContext/SoapPort"
> +                          + "?xsd=testutils/hello_world_schema.xsd");

I'm not sure what the code is doing here--but could this be a security
bug?  Are you saying, just by typing in a network path
("testutils/..."), the user can download any xsd file from the server?
Certain directories, such as within the WEB-INF directory of a WAR file,
are not supposed to be directly callable externally.  I don't know how
relevant that concern might be here though.

> +            String result = IOUtils.toString((InputStream)url.getContent());
> +            assertTrue(result.contains("xsd=testutils/hello_world_schema2.xsd"));

testutils/hello_world_schema.xsd?  (unsure what is happening here)

> +
> +            url = new
> URL("http://localhost:9000/SoapContext/SoapPort"
> +                          +
> "?wsdl=testutils/hello_world_messages_catalog.wsdl");
> +            result = IOUtils.toString((InputStream)url.getContent());
> +
> +assertTrue(result.contains("xsd=testutils/hello_world_schema.xsd"));
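
Review bot: the `?xsd=` and `?wsdl=` requests in testWSDLPublishWithCatalogs only use names that are expected to resolve, so the test never shows that a name the published WSDL does not import is refused. Add one request for such a name and assert that it fails, so the lookup stays pinned to the imported documents. Separately, each `url.getContent()` stream is handed to `assertNotNull` or `IOUtils.toString` and is not closed in the visible lines; closing them in the test would avoid leaking connections to the endpoint on port 9000.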

testutils/hello_world_messages_catalog.wsdl?


> Added: incubator/cxf/trunk/testutils/src/main/resources/wsdl/hello_world_wsdl_import_catalog.wsdl
> URL: http://svn.apache.org/viewvc/incubator/cxf/trunk/testutils/src/main/resources/wsdl/hello_world_wsdl_import_catalog.wsdl?rev=582385&view=auto
> ==============================================================================
> --- incubator/cxf/trunk/testutils/src/main/resources/wsdl/hello_world_wsdl_import_catalog.wsdl
(added)
> +++ incubator/cxf/trunk/testutils/src/main/resources/wsdl/hello_world_wsdl_import_catalog.wsdl
Fri Oct  5 13:57:29 2007
> @@ -0,0 +1,50 @@
> +<?xml version="1.0" encoding="UTF-8"?>
> +<!--
> +-->
> +<wsdl:definitions name="HelloWorldImport"
> +    xmlns="http://schemas.xmlsoap.org/wsdl/"
> +    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> +    xmlns:tns="http://apache.org/hello_world"
> +    xmlns:x1="http://apache.org/hello_world/messages"
> +    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> +    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> +    targetNamespace="http://apache.org/hello_world">
> +
> +    <wsdl:import
> +        namespace="http://apache.org/hello_world/messages"
> +        location="testutils/hello_world_messages_catalog.wsdl"/>
> +
> +    <wsdl:portType name="Greeter">
> +        <wsdl:operation name="sayHi">
> +            <wsdl:input message="x1:sayHiRequest" name="sayHiRequest"/>
> +            <wsdl:output message="x1:sayHiResponse" name="sayHiResponse"/>
> +        </wsdl:operation>
> +
> +        <wsdl:operation name="greetMe">
> +            <wsdl:input message="x1:greetMeRequest" name="greetMeRequest"/>
> +            <wsdl:output message="x1:greetMeResponse" name="greetMeResponse"/>
> +        </wsdl:operation>
> +
> +        <wsdl:operation name="pingMe">
> +            <wsdl:input name="pingMeRequest" message="x1:pingMeRequest"/>
> +            <wsdl:output name="pingMeResponse" message="x1:pingMeResponse"/>
> +            <wsdl:fault name="pingMeFault" message="x1:pingMeFault"/>
> +        </wsdl:operation>
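
Review bot: the `location="testutils/hello_world_messages_catalog.wsdl"` on the wsdl:import reads like a relative file path, but the file and test names suggest it is meant to be resolved through a catalog entry; the empty `<!-- -->` block at the top of the new file would be a good place to say so, since a reader cannot tell from the WSDL alone. The default `xmlns` and `xmlns:wsdl` also bind the same namespace, and only the prefixed form is used in the lines shown, so the default declaration can go.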

I'm not sure why we need to have the "name" attribute added to the
wsdl:input and wsdl:output of these operations.  Since you're just
restating their default values[1] anyway, it seems distracting to be
including them here.  Apparently only the wsdl:faults need an explicit
name.

[1] http://www.w3.org/TR/wsdl#_names

Regards,
Glen
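
The concern raised in this message, that an `?xsd=` or `?wsdl=` value might be treated as a path on the server, is commonly addressed by serving only the documents the published WSDL actually imports. The following is an added example, not CXF code and not part of the original message; `ImportAllowList` and its methods are hypothetical names, and the inline WSDL is a constructed fragment that reuses the import location quoted above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Hypothetical helper (not CXF code): allow-list for ?xsd= / ?wsdl= values. */
public class ImportAllowList {
    static final String WSDL_NS = "http://schemas.xmlsoap.org/wsdl/";
    static final String XSD_NS = "http://www.w3.org/2001/XMLSchema";

    /** Collects the locations a document imports; only these may be requested. */
    static Set<String> importedLocations(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPEs so building the allow-list cannot trigger entity fetches.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Set<String> out = new HashSet<>();
        collect(d.getElementsByTagNameNS(WSDL_NS, "import"), "location", out);
        collect(d.getElementsByTagNameNS(XSD_NS, "import"), "schemaLocation", out);
        return out;
    }

    private static void collect(NodeList nodes, String attr, Set<String> out) {
        for (int i = 0; i < nodes.getLength(); i++) {
            String v = ((Element) nodes.item(i)).getAttribute(attr);
            if (!v.isEmpty()) { out.add(v); }
        }
    }

    /** The query value is compared as an opaque string and never used as a path. */
    static boolean mayServe(Set<String> allowed, String queryValue) {
        return queryValue != null && allowed.contains(queryValue);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal WSDL with the import location from the quoted diff.
        String wsdl = "<wsdl:definitions xmlns:wsdl='" + WSDL_NS + "'>"
            + "<wsdl:import namespace='http://apache.org/hello_world/messages'"
            + " location='testutils/hello_world_messages_catalog.wsdl'/></wsdl:definitions>";
        Set<String> allowed = importedLocations(wsdl);
        System.out.println(mayServe(allowed, "testutils/hello_world_messages_catalog.wsdl"));
        System.out.println(mayServe(allowed, "testutils/not_imported.xsd"));
        System.out.println(mayServe(allowed, "WEB-INF/web.xml"));
    }
}
```

Only the first request matches an imported location; the other two are refused without any file or class-path lookup being attempted.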



