| author | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-06-22 14:26:15 +0200 | 
|---|---|---|
| committer | Thomas Lenz <thomas.lenz@egiz.gv.at> | 2017-06-22 14:26:15 +0200 | 
| commit | 345a8534ff39cc9550cbacabe2b3fffe20293508 (patch) | |
| tree | 67c2deb3c10d00ecb758a162c4ff88221b7e3741 /bkucommon/src | |
| parent | f31c5c8e557b611ff4f5e43443975fb08a202863 (diff) | |
Implement a workaround for XXE and SSRF problems in an old XMLStreamParser implementation of a third-party library
Diffstat (limited to 'bkucommon/src')
| -rw-r--r-- | bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java | 3 | ||||
| -rw-r--r-- | bkucommon/src/test/java/at/gv/egiz/bku/slcommands/SLCommandFactoryTest.java | 5 | 
2 files changed, 5 insertions, 3 deletions
diff --git a/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java b/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java
index 8891cce7..0c637d72 100644
--- a/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java
+++ b/bkucommon/src/main/java/at/gv/egiz/bku/binding/HTTPBindingProcessorImpl.java
@@ -26,6 +26,7 @@ package at.gv.egiz.bku.binding;
 import iaik.utils.Base64InputStream;
+import java.io.BufferedInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -737,7 +738,7 @@ public class HTTPBindingProcessorImpl extends AbstractBindingProcessor implement
 	protected void assignXMLRequest(InputStream is, String charset)
 			throws IOException, SLException {
-		Reader r = new InputStreamReader(is, charset);
+		Reader r = new InputStreamReader(new BufferedInputStream(is), charset);
 		StreamSource source = new StreamSource(r);
 		slCommand = slCommandFactory.createSLCommand(source);
 		log.info("XMLRequest={}. Created new command: {}.",
diff --git a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/SLCommandFactoryTest.java b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/SLCommandFactoryTest.java
index eda3e4e8..cfe5a130 100644
--- a/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/SLCommandFactoryTest.java
+++ b/bkucommon/src/test/java/at/gv/egiz/bku/slcommands/SLCommandFactoryTest.java
@@ -26,6 +26,7 @@ package at.gv.egiz.bku.slcommands;
 import static org.junit.Assert.assertTrue;
+import java.io.BufferedReader;
 import java.io.Reader;
 import java.io.StringReader;
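Review bot: The new `BufferedInputStream` wrapper on the `Reader r = new InputStreamReader(new BufferedInputStream(is), charset);` line is, per the commit message, what makes the XXE/SSRF workaround take effect, but nothing in the code says so, and a later cleanup could drop it as an inconsequential buffering detail and silently reopen the entity-expansion path. Add a why-comment right above it, e.g. `// SECURITY: keep the BufferedInputStream wrapper -- the XXE/SSRF workaround in SLCommandFactory depends on it (commit 345a8534)`. This hunk also does not show where DTDs or external entities are actually rejected, so whether buffering alone is sufficient cannot be confirmed from here; if the factory configures the parser (e.g. disabling DTD support and external entity resolution), a pointer to that code in the comment would help. The body of assignXMLRequest continues past the hunk (the log.info call is cut off), so I cannot see whether the stream or reader is closed after the command is created.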
@@ -83,10 +84,10 @@ public class SLCommandFactoryTest {
   @Test(expected=SLRequestException.class)
   public void createMalformedCommand() throws SLCommandException, SLRuntimeException, SLRequestException, SLVersionException {
-    Reader requestReader = new StringReader(
+    Reader requestReader = new BufferedReader(new StringReader(
         "<NullOperationRequest xmlns=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">" +
           "missplacedContent" +
-        "</NullOperationRequest>");
+        "</NullOperationRequest>"));
     StreamSource source = new StreamSource(requestReader);
     factory.createSLCommand(source);
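Review bot: The test change only wraps the existing malformed-content input in a `BufferedReader`, so nothing in the test suite exercises the XXE/SSRF behaviour the commit claims to fix; a regression that drops the wrapper in HTTPBindingProcessorImpl would go unnoticed. Note also that production wraps at the byte level (`BufferedInputStream` under an `InputStreamReader`) whereas this test wraps at the character level (`BufferedReader`), so if the factory's workaround keys on the concrete source type the two paths may not be equivalent — worth a comment in the test stating which property of the reader the factory relies on. I would add a sibling test that feeds a request with a DOCTYPE declaring an external entity and expects it to be rejected (the exception type should be whatever the factory maps DTD rejection to; `SLRequestException` matches the malformed case above but is a guess). The closing brace of createMalformedCommand lies outside the hunk.
```java
  @Test(expected=SLRequestException.class)
  public void createCommandWithExternalEntity() throws SLCommandException, SLRuntimeException, SLRequestException, SLVersionException {
    // Must be rejected before any entity resolution: no file read, no outbound request.
    Reader requestReader = new BufferedReader(new StringReader(
        "<!DOCTYPE NullOperationRequest [<!ENTITY xxe SYSTEM \"file:///nonexistent\">]>" +
        "<NullOperationRequest xmlns=\"http://www.buergerkarte.at/namespaces/securitylayer/1.2#\">" +
          "&xxe;" +
        "</NullOperationRequest>"));
    StreamSource source = new StreamSource(requestReader);
    factory.createSLCommand(source);
  }
```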
