Update Axis-Lib von 1.0 auf 1.1 aufgrund XXE (Xml eXternal Entity) Injection

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1214 d688527b-c9ab-4aba-bd8d-4036d912da1d
author: kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2011-08-31 14:45:52 +0000
committer: kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d> 2011-08-31 14:45:52 +0000
commit: 9b0b76abd6bdd88383e465117086d65268c25562 (patch)
tree: 2f53d26ff63352dbe0dcfe077cb2add2e2c375d6
parent: 09cc9a356b945822ba5d8e939c30ca104967d278 (diff)
download: moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.tar.gz
moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.tar.bz2
moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.zip
4 files changed, 15 insertions, 2 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 936423724..5fa31336b 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -200,6 +200,13 @@ public class DOMUtils {
 
     DOMParser parser;
 
+//    class MyEntityResolver implements EntityResolver {
+//
+//		public InputSource resolveEntity(String publicId, String systemId)
+//				throws SAXException, IOException {
+//		    return new InputSource(new ByteArrayInputStream(new byte[0]));
+//		}
+//    }
 
 
 		//if Debug is enabled make a copy of inputStream to enable debug output in case of SAXException
@@ -218,7 +225,7 @@ public class DOMUtils {
     } else {
       parser = new DOMParser();
     }
-
+    
     // set parser features and properties
     try {
 	    parser.setFeature(NAMESPACES_FEATURE, true);
@@ -227,6 +234,8 @@ public class DOMUtils {
 	    parser.setFeature(NORMALIZED_VALUE_FEATURE, false);
 	    parser.setFeature(INCLUDE_IGNORABLE_WHITESPACE_FEATURE, true);
 	    parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false);
+	    //parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+	    //parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 	
 	    if (validating) {
 	      if (externalSchemaLocations != null) {
@@ -495,6 +504,7 @@ public class DOMUtils {
     parser.setFeature(NAMESPACES_FEATURE, true);
     parser.setFeature(VALIDATION_FEATURE, true);
     parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
+    
     if (externalSchemaLocations != null) {
       parser.setProperty(
         EXTERNAL_SCHEMA_LOCATION_PROPERTY,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index e0ebcbab3..ba3020958 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -461,6 +461,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
        
     String xmlInfoboxReadResponse = (String)infoboxReadResponseParameters.get(PARAM_XMLRESPONSE);
    
+    System.out.println("PB: " + xmlInfoboxReadResponse);
+    
     if (isEmpty(xmlInfoboxReadResponse))
       throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE});
     
diff --git a/pom.xml b/pom.xml
index c0df961d2..db87afac7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -97,7 +97,7 @@
             <dependency>
                 <groupId>axis</groupId>
                 <artifactId>axis</artifactId>
-                <version>1.0</version>
+                <version>1.1</version>
                 <scope>compile</scope>
             </dependency>
             <dependency>
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
index cfe8d327a..8a48cc755 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
@@ -140,6 +140,7 @@ public class AxisHandler extends BasicHandler {
         ConfigurationProvider.getInstance();
 
       Element xmlRequest = null;
+      //log.info(soapMessage.getSOAPPartAsString());
       Element soapPart = DOMUtils.parseDocument(new ByteArrayInputStream(soapMessage.getSOAPPartAsBytes()), false, null, null).getDocumentElement();
       if (soapPart!=null) {
         //TODO: check  if DOM Version is intolerant when white spaces are between tags (preceding normalization would be necessary)
author	kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2011-08-31 14:45:52 +0000
committer	kstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>	2011-08-31 14:45:52 +0000
commit	9b0b76abd6bdd88383e465117086d65268c25562 (patch)
tree	2f53d26ff63352dbe0dcfe077cb2add2e2c375d6
parent	09cc9a356b945822ba5d8e939c30ca104967d278 (diff)
download	moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.tar.gz moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.tar.bz2 moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.zip