[
https://issues.apache.org/jira/browse/CXF-5724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Modestas Vainius updated CXF-5724:
----------------------------------
Attachment: 0001-Do-not-leak-characters-and-comments-past-the-end-of-.patch
Proposed patch + test for StaxUtils.copy() when *fragment*=true
> Extra text and comments after </soapenv:Body> are treated as part of SOAP
> body by CXF
> -------------------------------------------------------------------------------------
>
> Key: CXF-5724
> URL: https://issues.apache.org/jira/browse/CXF-5724
> Project: CXF
> Issue Type: Bug
> Components: Soap Binding
> Affects Versions: 2.7.9, 2.7.10, 2.7.11
> Reporter: Modestas Vainius
> Attachments:
> 0001-Do-not-leak-characters-and-comments-past-the-end-of-.patch
>
>
> Hello,
> it appears that since
> https://github.com/apache/cxf/commit/eb70d1008b8ffd32c90c990122b08d10ffcda933
> extra characters and comments after </soapenv:Body> get "leaked" into CXF
> view of SOAP body. This is not a big problem unless SOAP body is signed with
> WSS Security. Obviously, then any characters (in particular new lines or
> whitespaces) after </soapenv:Body> will cause signature validation to fail
> due to checksum mismatch.
> This is due to switch from StaxUtils.readDocElements() to StaxUtils.copy().
> Now I'm not sure if StaxUtils.copy() is either buggy or misused there. If
> called with *fragment*=false, it would probably extract body as expected but
> then again I'm not sure what's the point of *fragment* flag. So, I attach the
> patch which fixes the "leak" problem in StaxUtils.copy() when *fragment*=true.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
