authorkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2011-08-31 14:45:52 +0000
committerkstranacher <kstranacher@d688527b-c9ab-4aba-bd8d-4036d912da1d>2011-08-31 14:45:52 +0000
commit9b0b76abd6bdd88383e465117086d65268c25562 (patch)
tree2f53d26ff63352dbe0dcfe077cb2add2e2c375d6
parent09cc9a356b945822ba5d8e939c30ca104967d278 (diff)
downloadmoa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.tar.gz
moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.tar.bz2
moa-id-spss-9b0b76abd6bdd88383e465117086d65268c25562.zip
Update Axis-Lib von 1.0 auf 1.1 aufgrund XXE (Xml eXternal Entity) Injection
git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1214 d688527b-c9ab-4aba-bd8d-4036d912da1d
-rw-r--r--common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java12
-rw-r--r--id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java2
-rw-r--r--pom.xml2
-rw-r--r--spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java1
4 files changed, 15 insertions, 2 deletions
diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 936423724..5fa31336b 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -200,6 +200,13 @@ public class DOMUtils {
DOMParser parser;
+// class MyEntityResolver implements EntityResolver {
+//
+// public InputSource resolveEntity(String publicId, String systemId)
+// throws SAXException, IOException {
+// return new InputSource(new ByteArrayInputStream(new byte[0]));
+// }
+// }
//if Debug is enabled make a copy of inputStream to enable debug output in case of SAXException
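Review bot: The `MyEntityResolver` local class added at lines 27–33 is entirely commented out, so this hunk changes nothing at runtime while leaving dead code in the middle of a method body. Either delete it, or make it real: an inactive resolver gives a reader the false impression that external entities are being neutralised. If the resolver approach is kept, it also has to be registered on the parser (`parser.setEntityResolver(new MyEntityResolver());`), and note that returning an empty `InputSource` for every entity would also swallow any DTD a validating caller legitimately expects — the feature-based approach in the later hunk of this method is the cleaner control. The enclosing method starts before this hunk.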
@@ -218,7 +225,7 @@ public class DOMUtils {
} else {
parser = new DOMParser();
}
-
+
// set parser features and properties
try {
parser.setFeature(NAMESPACES_FEATURE, true);
@@ -227,6 +234,8 @@ public class DOMUtils {
parser.setFeature(NORMALIZED_VALUE_FEATURE, false);
parser.setFeature(INCLUDE_IGNORABLE_WHITESPACE_FEATURE, true);
parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false);
+ //parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ //parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
if (validating) {
if (externalSchemaLocations != null) {
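Review bot: The two `setFeature` calls that would actually disable external entity resolution (lines 48–49) are commented out, so despite the commit message this `DOMParser` still expands external general and parameter entities; together with `CREATE_ENTITY_REF_NODES_FEATURE` being `false` (references are expanded inline), an attacker-controlled document fed to this parser can still read local files or trigger outbound requests. Enable them, and also stop the parser fetching external DTDs: `parser.setFeature("http://xml.org/sax/features/external-general-entities", false);` `parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` `parser.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`. Neither feature is needed for the XML Schema validation done in the `validating` branch below, since schemas are located via `EXTERNAL_SCHEMA_LOCATION_PROPERTY`, not via entities; if any caller relies on a DOCTYPE with an external DTD, that is the one case to confirm before merging. The same hardening is presumably needed on the second, validating `DOMParser` set up around line 504 of this file, which this commit only touches with whitespace. The enclosing method starts before this hunk.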
@@ -495,6 +504,7 @@ public class DOMUtils {
parser.setFeature(NAMESPACES_FEATURE, true);
parser.setFeature(VALIDATION_FEATURE, true);
parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
+
if (externalSchemaLocations != null) {
parser.setProperty(
EXTERNAL_SCHEMA_LOCATION_PROPERTY,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index e0ebcbab3..ba3020958 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -461,6 +461,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
String xmlInfoboxReadResponse = (String)infoboxReadResponseParameters.get(PARAM_XMLRESPONSE);
+ System.out.println("PB: " + xmlInfoboxReadResponse);
+
if (isEmpty(xmlInfoboxReadResponse))
throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE});
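Review bot: The `System.out.println("PB: " + xmlInfoboxReadResponse)` added at line 66 dumps the complete InfoboxReadResponse to stdout on every request; given the surrounding `REQ_VERIFY_IDENTITY_LINK` handling this presumably contains the citizen's identity-link data, i.e. personal data that should not land in server logs, and it is emitted unconditionally at stdout rather than through a log level that can be switched off. This looks like a leftover debug statement and should be removed before release (`System.out.println` also bypasses whatever logging framework the server uses, so it cannot be filtered or redacted). If a trace is genuinely wanted, route it through the project's logger at debug level and only after the `isEmpty` check. The enclosing method starts before and continues after this hunk.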
diff --git a/pom.xml b/pom.xml
index c0df961d2..db87afac7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -97,7 +97,7 @@
<dependency>
<groupId>axis</groupId>
<artifactId>axis</artifactId>
- <version>1.0</version>
+ <version>1.1</version>
<scope>compile</scope>
</dependency>
<dependency>
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
index cfe8d327a..8a48cc755 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
@@ -140,6 +140,7 @@ public class AxisHandler extends BasicHandler {
ConfigurationProvider.getInstance();
Element xmlRequest = null;
+ //log.info(soapMessage.getSOAPPartAsString());
Element soapPart = DOMUtils.parseDocument(new ByteArrayInputStream(soapMessage.getSOAPPartAsBytes()), false, null, null).getDocumentElement();
if (soapPart!=null) {
//TODO: check if DOM Version is intolerant when white spaces are between tags (preceding normalization would be necessary)
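Review bot: Line 90 adds a commented-out `log.info(soapMessage.getSOAPPartAsString())`; commented-out code should be deleted rather than committed, and if it is ever re-enabled it would log the entire inbound SOAP envelope at info level, which in a signature/verification service is likely to include signed documents or personal data. Remove the line, or replace it with a debug/trace-level statement that is off by default. Note also that the next line parses the SOAP part from the wire with `DOMUtils.parseDocument(..., false, null, null)`, so this is exactly the untrusted-input entry point the commit message is about — the XXE protection has to be enforced inside `DOMUtils`, which this commit does not yet do. The enclosing method starts before and continues after this hunk.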