[cxf] branch 3.4.x-fixes updated: Fixing issue with multiple forward slashes in services listing stylesheetPath

Fri, 18 Dec 2020 00:47:36 -0800 

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/3.4.x-fixes by this push:
     new 4e962fb  Fixing issue with multiple forward slashes in services 
listing stylesheetPath
4e962fb is described below

commit 4e962fb13866650f65bcb8b71aade7e611e9496c
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Fri Dec 18 06:58:23 2020 +0000

    Fixing issue with multiple forward slashes in services listing 
stylesheetPath
    
    (cherry picked from commit 1cf50e500c9f0d2ccbfc16f2a6b49de1bd9e7445)
---
 .../servicelist/FormattedServiceListWriter.java    |  2 +
 .../FormattedServiceListWriterTest.java            | 65 ++++++++++++++++++++++
 2 files changed, 67 insertions(+)

diff --git 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java
 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java
index 9cc2cb4..1084ce2 100644
--- 
a/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java
+++ 
b/rt/transports/http/src/main/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriter.java
@@ -43,6 +43,8 @@ public class FormattedServiceListWriter implements 
ServiceListWriter {
                                       boolean showForeignContexts,
                                       Bus bus) {
         this.styleSheetPath = StringEscapeUtils.escapeHtml4(styleSheetPath);
+        // Strip multiple forward slashes from the start of the styleSheePath 
to prevent CSS injection attacks
+        this.styleSheetPath = this.styleSheetPath.replaceFirst("(/)+", "/");
         this.title = title;
         this.showForeignContexts = showForeignContexts;
         this.bus = bus;
diff --git 
a/rt/transports/http/src/test/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriterTest.java
 
b/rt/transports/http/src/test/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriterTest.java
new file mode 100644
index 0000000..1f9b7f2
--- /dev/null
+++ 
b/rt/transports/http/src/test/java/org/apache/cxf/transport/servlet/servicelist/FormattedServiceListWriterTest.java
@@ -0,0 +1,65 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.transport.servlet.servicelist;
+
+import java.io.PrintWriter;
+import java.io.StringWriter;
+
+import org.apache.cxf.Bus;
+import org.apache.cxf.BusFactory;
+import org.apache.cxf.transport.AbstractDestination;
+
+import org.junit.Test;
+
+import static org.junit.Assert.assertTrue;
+
+public class FormattedServiceListWriterTest {
+
+    @Test
+    public void testWriteServiceList() throws Exception {
+        Bus bus = BusFactory.getDefaultBus(true);
+        String styleSheetPath = "/app/services/?stylesheet=1";
+        FormattedServiceListWriter writer =
+                new FormattedServiceListWriter(styleSheetPath,
+                        "CXF services", false, bus);
+
+        StringWriter sw = new StringWriter();
+        writer.writeServiceList(new PrintWriter(sw), "/path", new 
AbstractDestination[0], new AbstractDestination[0]);
+
+        assertTrue(sw.toString().contains("href=\"" + styleSheetPath + "\""));
+        bus.shutdown(false);
+    }
+
+    @Test
+    public void testStripMultipleForwardSlashes() throws Exception {
+        Bus bus = BusFactory.getDefaultBus(true);
+        String styleSheetPath = "////app/services/?stylesheet=1";
+        FormattedServiceListWriter writer =
+                new FormattedServiceListWriter(styleSheetPath,
+                        "CXF services", false, bus);
+
+        StringWriter sw = new StringWriter();
+        writer.writeServiceList(new PrintWriter(sw), "/path", new 
AbstractDestination[0], new AbstractDestination[0]);
+
+        String desiredStyleSheetPath = "/app/services/?stylesheet=1";
+        assertTrue(sw.toString().contains("href=\"" + desiredStyleSheetPath + 
"\""));
+        bus.shutdown(false);
+    }
+
+}

Reply via email to