From 9b0b76abd6bdd88383e465117086d65268c25562 Mon Sep 17 00:00:00 2001
From: kstranacher
Date: Wed, 31 Aug 2011 14:45:52 +0000
Subject: Update Axis-Lib von 1.0 auf 1.1 aufgrund XXE (Xml eXternal Entity) Injection

git-svn-id: https://joinup.ec.europa.eu/svn/moa-idspss/trunk@1214 d688527b-c9ab-4aba-bd8d-4036d912da1d
---
 .../src/main/java/at/gv/egovernment/moa/util/DOMUtils.java | 12 +++++++++++-
 .../at/gv/egovernment/moa/id/auth/AuthenticationServer.java | 2 ++
 pom.xml | 2 +-
 .../gv/egovernment/moa/spss/server/service/AxisHandler.java | 1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
index 936423724..5fa31336b 100644
--- a/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
+++ b/common/src/main/java/at/gv/egovernment/moa/util/DOMUtils.java
@@ -200,6 +200,13 @@ public class DOMUtils {
 DOMParser parser;
+// class MyEntityResolver implements EntityResolver {
+//
+// public InputSource resolveEntity(String publicId, String systemId)
+// throws SAXException, IOException {
+// return new InputSource(new ByteArrayInputStream(new byte[0]));
+// }
+// }
 //if Debug is enabled make a copy of inputStream to enable debug output in case of SAXException
@@ -218,7 +225,7 @@ public class DOMUtils {
 } else {
 parser = new DOMParser();
 }
-
+
 // set parser features and properties
 try {
 parser.setFeature(NAMESPACES_FEATURE, true);
@@ -227,6 +234,8 @@ public class DOMUtils {
 parser.setFeature(NORMALIZED_VALUE_FEATURE, false);
 parser.setFeature(INCLUDE_IGNORABLE_WHITESPACE_FEATURE, true);
 parser.setFeature(CREATE_ENTITY_REF_NODES_FEATURE, false);
+ //parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ //parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 if (validating) {
 if (externalSchemaLocations != null) {
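Review bot: The external-entity hardening this commit is named after is left commented out in DOMUtils, so the DOMParser configured in the `@@ -227` hunk still resolves external general and parameter entities, and the `MyEntityResolver` stub added in the `@@ -200` hunk is dead code for the same reason. The two feature calls should be live rather than commented: `parser.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`, and for Xerces additionally `parser.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` on any call path that does not need a DOCTYPE. If an entity resolver that returns an empty InputSource is the intended mechanism instead, it should be a real (private static) class that is actually registered with `parser.setEntityResolver(...)`, not a comment block, and the stub removed. The enclosing parse method starts before the first hunk and continues past the `if (externalSchemaLocations != null) {` line that closes the third.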
@@ -495,6 +504,7 @@ public class DOMUtils {
 parser.setFeature(NAMESPACES_FEATURE, true);
 parser.setFeature(VALIDATION_FEATURE, true);
 parser.setFeature(SCHEMA_VALIDATION_FEATURE, true);
+
 if (externalSchemaLocations != null) {
 parser.setProperty( EXTERNAL_SCHEMA_LOCATION_PROPERTY,
diff --git a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
index e0ebcbab3..ba3020958 100644
--- a/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
+++ b/id/server/idserverlib/src/main/java/at/gv/egovernment/moa/id/auth/AuthenticationServer.java
@@ -461,6 +461,8 @@ public class AuthenticationServer implements MOAIDAuthConstants {
 String xmlInfoboxReadResponse = (String)infoboxReadResponseParameters.get(PARAM_XMLRESPONSE);
+ System.out.println("PB: " + xmlInfoboxReadResponse);
+
 if (isEmpty(xmlInfoboxReadResponse)) throw new AuthenticationException("auth.10", new Object[] { REQ_VERIFY_IDENTITY_LINK, PARAM_XMLRESPONSE});
diff --git a/pom.xml b/pom.xml
index c0df961d2..db87afac7 100644
--- a/pom.xml
+++ b/pom.xml
@@ -97,7 +97,7 @@
 axis
 axis
- 1.0
+ 1.1
 compile
diff --git a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
index cfe8d327a..8a48cc755 100644
--- a/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
+++ b/spss/server/serverlib/src/main/java/at/gv/egovernment/moa/spss/server/service/AxisHandler.java
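Review bot: `System.out.println("PB: " + xmlInfoboxReadResponse);` in the AuthenticationServer hunk writes the raw infobox read response to stdout on every request; judging by the surrounding `REQ_VERIFY_IDENTITY_LINK` / `PARAM_XMLRESPONSE` names this is the client-supplied identity-link XML, so the line looks like leftover debugging that would also put personal data into the server's console output. It should be removed, or at most replaced by a debug-level statement through the class's logging facility that records that a response arrived without echoing its body. Note that the println runs before the `isEmpty(xmlInfoboxReadResponse)` check, so a missing parameter is printed as `PB: null` before the `auth.10` exception is thrown. The enclosing method starts and ends outside the hunk.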
@@ -140,6 +140,7 @@ public class AxisHandler extends BasicHandler {
 ConfigurationProvider.getInstance();
 Element xmlRequest = null;
+ //log.info(soapMessage.getSOAPPartAsString());
 Element soapPart = DOMUtils.parseDocument(new ByteArrayInputStream(soapMessage.getSOAPPartAsBytes()), false, null, null).getDocumentElement();
 if (soapPart!=null) {
 //TODO: check if DOM Version is intolerant when white spaces are between tags (preceding normalization would be necessary)
-- 
cgit v1.2.3
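Review bot: The commented-out `//log.info(soapMessage.getSOAPPartAsString());` adds dead code to AxisHandler, and if it is ever re-enabled as written it would log the complete SOAP request body at info level on every call. Delete the line, or replace it with a short comment stating why request-body logging is deliberately off here (and if tracing is genuinely needed, gate it at debug level and truncate the payload). The following `DOMUtils.parseDocument(new ByteArrayInputStream(soapMessage.getSOAPPartAsBytes()), false, null, null)` call is where the untrusted SOAP part reaches the parser whose external-entity features this same commit leaves commented out in DOMUtils, so the XXE mitigation named in the commit title is not yet effective on this path. The enclosing method starts and ends outside the hunk.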