[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16698621#comment-16698621
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-----------------------------------------

tandraschko closed pull request #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java 
b/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java
index 0566f9998..a29529132 100644
--- 
a/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java
+++ 
b/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java
@@ -29,6 +29,7 @@
 import javax.faces.context.ResponseWriter;
 
 import org.apache.myfaces.util.CDataEndEscapeFilterWriter;
+import org.apache.myfaces.util.IllegalXmlCharacterFilterWriter;
 
 /**
  * <p>
@@ -110,7 +111,7 @@ public void setDoubleBuffer(Writer doubleBuffer)
 
     public PartialResponseWriterImpl(ResponseWriter writer)
     {
-        super(writer);
+        super(writer.cloneWithWriter(new 
IllegalXmlCharacterFilterWriter(writer)));
     }
 
     @Override
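Review bot: The constructor line `super(writer.cloneWithWriter(new IllegalXmlCharacterFilterWriter(writer)))` needs a comment, because the wrapped writer is now a filtered clone rather than the instance the caller passed in. Only output that goes through this wrapper is filtered; code that keeps a reference to the original `writer` and writes to it directly still bypasses the filter. I would add `// Wrap a clone whose output is filtered for XML 1.0 validity (MYFACES-4266); the passed-in writer itself stays unfiltered.` above the `super(...)` call. A null `writer` would presumably now fail with a NullPointerException on this line, which is worth stating in the constructor Javadoc. The class body continues outside this hunk.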
@@ -129,7 +130,7 @@ public void startCDATA() throws IOException
 
     private void openDoubleBuffer()
     {
-        _doubleBuffer = new 
CDataEndEscapeFilterWriter(_cdataDoubleBufferWriter == null ? 
+        _doubleBuffer = new 
CDataEndEscapeFilterWriter(_cdataDoubleBufferWriter == null ?
                 this.getWrapped() : _cdataDoubleBufferWriter );
         _cdataDoubleBufferWriter = getWrapped().cloneWithWriter(_doubleBuffer);
 
diff --git 
a/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java
 
b/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java
new file mode 100644
index 000000000..05830c82e
--- /dev/null
+++ 
b/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.myfaces.util;
+
+import java.io.FilterWriter;
+import java.io.IOException;
+import java.io.Writer;
+
+/**
+ * There are unicodes outside the ranges defined in the <a 
href="https://www.w3.org/TR/REC-xml/#charsets";>XML 1.0 specification</a> that 
break XML parsers
+ * and therefore must be filtered out when writing partial responses. 
Otherwise this may lead to Denial of Service attacks.
+ * @see https://issues.apache.org/jira/browse/MYFACES-4266
+ */
+public class IllegalXmlCharacterFilterWriter extends FilterWriter
+{
+    public IllegalXmlCharacterFilterWriter(Writer out)
+    {
+        super(out);
+    }
+
+    @Override
+    public void write(int c) throws IOException 
+    {
+        super.write(xmlEncode((char) c));
+    }
+
+    @Override
+    public void write(char[] cbuf, int off, int len) throws IOException 
+    {
+        super.write(xmlEncode(cbuf), off, len);
+    }
+
+    @Override
+    public void write(String str, int off, int len) throws IOException 
+    {
+        super.write(new String(xmlEncode(str.toCharArray())), off, len);
+    }
+
+    private char[] xmlEncode(char[] ca)
+    {
+        for (int i = 0; i < ca.length; i++)
+        {
+            ca[i] = xmlEncode(ca[i]);
+        }
+        return ca;
+    }
+
+    private char xmlEncode(char c)
+    {
+        if (Character.isSurrogate(c)) 
+        {
+            return ' ';
+        }
+        if (c == '\u0009' || c == '\n' || c == '\r') 
+        {
+            return c;
+        }
+        if (c > '\u0020' && c < '\uD7FF') 
+        {
+            return c;
+        }
+        if (c > '\uE000' && c < '\uFFFD') 
+        {
+            return c;
+        }
+        return ' ';
+    }
+}
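Review bot: `write(char[] cbuf, int off, int len)` runs `xmlEncode(cbuf)` over the whole array and rewrites the caller's buffer in place, so characters outside `off`/`len` are altered and every call costs the full array length; `write(String, int, int)` likewise copies and rebuilds the entire string for any slice. Both should filter a private copy of the requested slice only, as in the block below. Separately, the range checks in `xmlEncode(char)` are exclusive where the XML 1.0 `Char` production is inclusive, so U+D7FF, U+E000 and U+FFFD are blanked although they are legal; the checks should read `if (c >= '\u0020' && c <= '\uD7FF')` and `if (c >= '\uE000' && c <= '\uFFFD')`. The unconditional `Character.isSurrogate(c)` branch also replaces well-formed surrogate pairs, i.e. every character in #x10000-#x10FFFF that the same production allows. Only unpaired surrogates need replacing, which requires pair-aware handling that also copes with a pair split across two write calls.

```java
    @Override
    public void write(char[] cbuf, int off, int len) throws IOException
    {
        // Filter a private copy of the requested slice; the caller's array stays untouched.
        char[] slice = new char[len];
        System.arraycopy(cbuf, off, slice, 0, len);
        super.write(xmlEncode(slice), 0, len);
    }

    @Override
    public void write(String str, int off, int len) throws IOException
    {
        // Copy only the requested range out of the string instead of the whole string.
        char[] slice = new char[len];
        str.getChars(off, off + len, slice, 0);
        super.write(xmlEncode(slice), 0, len);
    }

    // … unchanged: xmlEncode(char[]) and xmlEncode(char) …
```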
diff --git 
a/impl/src/test/java/org/apache/myfaces/context/PartialResponseWriterImplTest.java
 
b/impl/src/test/java/org/apache/myfaces/context/PartialResponseWriterImplTest.java
index 4a1921976..8b021ca3f 100644
--- 
a/impl/src/test/java/org/apache/myfaces/context/PartialResponseWriterImplTest.java
+++ 
b/impl/src/test/java/org/apache/myfaces/context/PartialResponseWriterImplTest.java
@@ -286,8 +286,6 @@ public void testBrokenUserInput() {
         }
     }
 
-
-
     public void testDelete() {
         _writer = createTestProbe();
         try {
@@ -298,8 +296,48 @@ public void testDelete() {
         }
     }
 
+    public void testWriteIllegalXmlUnicodeCharacters() {
+        _writer = createTestProbe();
+        try {
+            String illegalChars = " 
\u0001\u0002\u0003\u0004\u0005\u0006\u000B\f\u000E\u000F\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001A\u001B\u001C\u001D\u001E\u001F
 \uD7FF\uDBFF\uDC00\uE000��";
+            String legalChars = "foo";
+            _writer.write(illegalChars + legalChars);
+            assertEquals("All illegal XML unicode characters should have been 
replaced by spaces", legalChars, _contentCollector.toString().trim());
+            
+        } catch (IOException e) {
+            fail(e.toString());
+        }
+    }
+
+    public void testWriteTextIllegalXmlUnicodeCharacters() {
+        _writer = createTestProbe();
+        try {
+            String illegalChars = " 
\u0001\u0002\u0003\u0004\u0005\u0006\u000B\f\u000E\u000F\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001A\u001B\u001C\u001D\u001E\u001F
 \uD7FF\uDBFF\uDC00\uE000��";
+            String legalChars = "foo";
+            _writer.writeText(illegalChars + legalChars, null);
+            assertEquals("All illegal XML unicode characters should have been 
replaced by spaces", legalChars, _contentCollector.toString().trim());
+
+        } catch (IOException e) {
+            fail(e.toString());
+        }
+    }
 
+    public void testWriteAttributeIllegalXmlUnicodeCharacters() {
+        _writer = createTestProbe();
+        try {
+            String illegalChars = " 
\u0001\u0002\u0003\u0004\u0005\u0006\u000B\f\u000E\u000F\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001A\u001B\u001C\u001D\u001E\u001F
 \uD7FF\uDBFF\uDC00\uE000��";
+            String legalChars = "foo";
+            _writer.startElement(legalChars, null);
+            _writer.writeAttribute(legalChars, illegalChars + legalChars, 
null);
+            _writer.endElement(legalChars);
+            assertTrue("All illegal XML unicode characters should have been 
replaced by spaces", 
+                    _contentCollector.toString().matches("<:X: :X:=\"[ 
]+:X:\"></:X:>".replace(":X:", legalChars)));
 
+        } catch (IOException e) {
+            fail(e.toString());
+        }
+    }
+    
     /**
      * creates a new test probe (aka response writer)
      *
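Review bot: The three new tests only assert that everything in front of `foo` collapses to whitespace, so they lock in the filter's over-blocking instead of catching it. `illegalChars` contains `\uD7FF` and `\uE000`, both valid under the XML 1.0 `Char` production, and `\uDBFF\uDC00`, a well-formed surrogate pair for a legal supplementary character. No test checks that legal characters other than `foo` (tab, newline, the range boundaries, a character above U+FFFF) pass through unchanged, and none writes a `char[]` or `String` sub-range with a non-zero `off`. The literal also appears to end in raw non-ASCII characters (rendered here as replacement characters), which makes the test depend on the source file encoding; write them as `\uXXXX` escapes. The Javadoc of `createTestProbe` at the end of the hunk continues outside it.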


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


> Ajax update fails due to invalid characters in response XML (DoS)
> -----------------------------------------------------------------
>
>                 Key: MYFACES-4266
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4266
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.3.2
>         Environment: jetty 9.4.14.v20181114
> JDK 10
>            Reporter: cnsgithub
>            Priority: Major
>
> I noticed that the {{<f:ajax />}} update fails when the updated form contains 
> unicode characters, which are not allowed in the [XML 1.0 
> spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they 
> should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails 
> to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: 
> [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
>  To reproduce:
>  - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
>  - {{git checkout myfaces}}
>  - run {{mvn clean package jetty:run}}
>  - after the server has started, open [http://localhost:8080/index.xhtml]
>  - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
>  - open [http://localhost:8080/input.xhtml]
>  - Paste the characters from the {{illegal-xml-chars.txt}} file into the 
> input field
>  - Click the button
> This issue should be addressed with high priority since it is security 
> related (might be exploited for Denial of Service).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
