From gdani...@apache.org
Subject svn commit: r812238 - in /webservices/axis/trunk/java/src/org/apache/axis: i18n/resource.properties transport/http/AxisServletBase.java
Date Mon, 07 Sep 2009 17:58:11 GMT
Author: gdaniels
Date: Mon Sep  7 17:58:10 2009
New Revision: 812238

URL: http://svn.apache.org/viewvc?rev=812238&view=rev
Log:
Fix potential XSS vulnerability, plus a couple of duplicate tags in the resource.properties
file.

Modified:
    webservices/axis/trunk/java/src/org/apache/axis/i18n/resource.properties
    webservices/axis/trunk/java/src/org/apache/axis/transport/http/AxisServletBase.java

Modified: webservices/axis/trunk/java/src/org/apache/axis/i18n/resource.properties
URL: http://svn.apache.org/viewvc/webservices/axis/trunk/java/src/org/apache/axis/i18n/resource.properties?rev=812238&r1=812237&r2=812238&view=diff
==============================================================================
--- webservices/axis/trunk/java/src/org/apache/axis/i18n/resource.properties (original)
+++ webservices/axis/trunk/java/src/org/apache/axis/i18n/resource.properties Mon Sep  7 17:58:10
2009
@@ -60,7 +60,6 @@
 badNCNameType00=Invalid NCName
 badnegInt00=Invalid negativeInteger
 badNmtoken00=Invalid Nmtoken
-badNonNegInt00=Invalid nonNegativeInteger
 badNonPosInt00=Invalid nonPositiveInteger
 badOffset00=Malformed offset attribute ''{0}''.
 badpackage00=Error: --NStoPKG and --package switch can''t be used together
@@ -826,7 +825,6 @@
 attach.readLengthError=Received \"{0}\" bytes to read.
 attach.readOffsetError=Received \"{0}\" as an offset.
 attach.readArrayNullError=Array to read is null
-attach.readArrayNullError=Array to read is null
 attach.readArraySizeError=Array size of {0} to read {1} at offset {2} is too small.
 attach.DimeStreamError0=End of physical stream detected when more DIME chunks expected.
 attach.DimeStreamError1=End of physical stream detected when {0} more bytes expected.
@@ -1088,6 +1086,7 @@
 failedToGetDelimitedAttachmentStream=Exception occured when asking the delimited stream for
the next stream.
 markNotSupported=Mark and reset features are not supported by this InputStream.
 concurrentModificationOfStream=The attachments stream can only be accessed once; either by
using the IncomingAttachmentStreams class or by getting a collection of AttachmentPart objects.
 They cannot both be called within the life time of the same service request.
+xssAttack=Cross-site scripting attack detected in Host header! Orig header was ''{0}'', from
IP address {1}
 #                                                                    #
 # In-use keys                                                        #
 ######################################################################

Modified: webservices/axis/trunk/java/src/org/apache/axis/transport/http/AxisServletBase.java
URL: http://svn.apache.org/viewvc/webservices/axis/trunk/java/src/org/apache/axis/transport/http/AxisServletBase.java?rev=812238&r1=812237&r2=812238&view=diff
==============================================================================
--- webservices/axis/trunk/java/src/org/apache/axis/transport/http/AxisServletBase.java (original)
+++ webservices/axis/trunk/java/src/org/apache/axis/transport/http/AxisServletBase.java Mon
Sep  7 17:58:10 2009
@@ -22,6 +22,8 @@
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
 
 import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
@@ -33,6 +35,7 @@
 import org.apache.axis.AxisFault;
 import org.apache.axis.AxisProperties;
 import org.apache.axis.EngineConfiguration;
+import org.apache.axis.i18n.Messages;
 import org.apache.axis.components.logger.LogFactory;
 import org.apache.axis.configuration.EngineConfigurationFactoryFinder;
 import org.apache.axis.server.AxisServer;
@@ -197,7 +200,7 @@
 
     /**
      * put the engine back in to the context.
-     * @param context servlet context to use
+     * @param servlet the servlet to use
      * @param engine reference to the engine. If null, the engine is removed
      */
     private static void storeEngine(HttpServlet servlet, AxisServer engine) {
@@ -341,7 +344,20 @@
         StringBuffer baseURL=new StringBuffer(128);
         baseURL.append(request.getScheme());
         baseURL.append("://");
-        baseURL.append(request.getServerName());
+
+        // Sanitize the passed server name to protect against XSS attacks.
+        StringBuffer sb = new StringBuffer();
+        Pattern pat = Pattern.compile("((\\%3C)|<)[^\\n]+((\\%3E)|>)");
+        String origServerName = request.getServerName();
+        Matcher m = pat.matcher(origServerName);
+        if (m.find()) {
+            // Cross site scripting attack found!  Get rid of it and log.
+            m.appendReplacement(sb, "");
+            log.error(Messages.getMessage("xssAttack", origServerName, request.getRemoteAddr()));
+        }
+        m.appendTail(sb);
+        baseURL.append(sb);
+
         if(request.getServerPort()!=80) {
             baseURL.append(":");
             baseURL.append(request.getServerPort());
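Review bot: The check built on `Pattern.compile("((\\%3C)|<)[^\\n]+((\\%3E)|>)")` is a blacklist that only strips a complete `<…>` pair, so an unbalanced `<script` or a quote-based payload (if baseURL is ever rendered inside an HTML attribute) still reaches baseURL untouched; a hostname is a narrow grammar, so an allowlist is the safer shape, e.g. `private static final Pattern SAFE_HOST = Pattern.compile("^[A-Za-z0-9.\\-]+$|^\\[[0-9A-Fa-f:.]+\\]$");` followed by `if (!SAFE_HOST.matcher(origServerName).matches()) { log.error(...); /* fall back to a configured or local host name */ }`, and HTML-escaping baseURL wherever it is written into a page is the fix that does not depend on the filter at all. The `Pattern` is also compiled on every request and should be a `static final` field. Calling `m.appendReplacement` once inside an `if` works here only because the greedy `[^\\n]+` swallows everything up to the last `>`; a `while (m.find())` loop would make that intent explicit rather than incidental. The enclosing method begins before this hunk and its body continues after it.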


