From cohei...@apache.org
Subject svn commit: r1333376 - in /webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token: Timestamp.java UsernameToken.java
Date Thu, 03 May 2012 09:15:58 GMT
Author: coheigea
Date: Thu May  3 09:15:57 2012
New Revision: 1333376

URL: http://svn.apache.org/viewvc?rev=1333376&view=rev
Log:
[WSS-389] - WSS4J TimeToLive value has a maximum of 25 days

Modified:
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
    webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java?rev=1333376&r1=1333375&r2=1333376&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/Timestamp.java
Thu May  3 09:15:57 2012
@@ -201,7 +201,7 @@ public class Timestamp {
         element.appendChild(elementCreated);
         if (ttl != 0) {
             expiresDate = new Date();
-            expiresDate.setTime(createdDate.getTime() + (ttl * 1000));
+            expiresDate.setTime(createdDate.getTime() + ((long)ttl * 1000L));
 
             Element elementExpires =
                 doc.createElementNS(
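Review bot: The widening is done twice on the added line — `(long)ttl` and the `1000L` suffix each promote the multiplication to 64 bits on their own, so one of them is redundant; the same doubled form appears in the two later hunks of this file (`validCreation.setTime(...)` and `currentTime -= ...`). Either form is correct; the point is that nothing on the line says why it changed, so the next reader may "simplify" it back to `ttl * 1000` and reintroduce the overflow that capped the time-to-live at roughly 24.8 days. I would keep `ttl * 1000L` and add, once at the first site, `// multiply as long: int ttl * 1000 overflows past ~24 days (WSS-389)`. Separately, the `if (ttl != 0)` guard still admits a negative ttl, which would place Expires before Created; whether callers can pass a negative value is not visible here, and the enclosing method starts and ends outside the hunk.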
@@ -316,7 +316,7 @@ public class Timestamp {
         Date validCreation = new Date();
         long currentTime = validCreation.getTime();
         if (futureTimeToLive > 0) {
-            validCreation.setTime(currentTime + futureTimeToLive * 1000);
+            validCreation.setTime(currentTime + ((long)futureTimeToLive * 1000L));
         }
         // Check to see if the created time is in the future
         if (createdDate != null && createdDate.after(validCreation)) {
@@ -327,7 +327,7 @@ public class Timestamp {
         }
         
         // Calculate the time that is allowed for the message to travel
-        currentTime -= timeToLive * 1000;
+        currentTime -= ((long)timeToLive * 1000L);
         validCreation.setTime(currentTime);
 
         // Validate the time it took the message to travel

Modified: webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java?rev=1333376&r1=1333375&r2=1333376&view=diff
==============================================================================
--- webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
(original)
+++ webservices/wss4j/trunk/src/main/java/org/apache/ws/security/message/token/UsernameToken.java
Thu May  3 09:15:57 2012
@@ -170,6 +170,20 @@ public class UsernameToken {
             return;
         }
         
+        // Guard against a malicious user sending a bogus iteration value
+        if (elementIteration != null) {
+            String iter = nodeString(elementIteration);
+            if (iter != null) {
+                int iterInt = Integer.parseInt(iter);
+                if (iterInt < 0 || iterInt > 10000) {
+                    throw new WSSecurityException(
+                        WSSecurityException.INVALID_SECURITY_TOKEN,
+                        "badUsernameToken"
+                    );
+                }
+            }
+        }
+        
         if (elementPassword != null) {
             if (elementPassword.hasAttribute(WSConstants.PASSWORD_TYPE_ATTR)) {
                 passwordType = elementPassword.getAttribute(WSConstants.PASSWORD_TYPE_ATTR);
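Review bot: `Integer.parseInt(iter)` on the new line is applied to attacker-controlled text before any check, so a non-numeric Iteration element, or a digit string beyond the int range, escapes as a NumberFormatException rather than the INVALID_SECURITY_TOKEN / "badUsernameToken" fault the guard is meant to produce; callers that only catch WSSecurityException will see an unchecked exception from token parsing instead of a clean rejection. Catching NumberFormatException and rethrowing the same WSSecurityException keeps the failure mode uniform for every malformed value. The upper bound 10000 is a bare magic number; a named constant such as `MAX_ITERATION` with a comment that it bounds the cost of the derived-key computation would make the intent of the guard clear. The enclosing constructor/method starts and ends outside the hunk, and I cannot tell from here whether nodeString() strips whitespace, which parseInt does not tolerate.

```java
            String iter = nodeString(elementIteration);
            if (iter != null) {
                int iterInt;
                try {
                    iterInt = Integer.parseInt(iter);
                } catch (NumberFormatException e) {
                    // non-numeric or out-of-range text is as bogus as a negative count
                    throw new WSSecurityException(
                        WSSecurityException.INVALID_SECURITY_TOKEN,
                        "badUsernameToken"
                    );
                }
                // … unchanged: range check 0..10000 and its WSSecurityException …
```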


