Author: veithen
Date: Sun Jun  5 08:46:01 2016
New Revision: 1746880

URL: http://svn.apache.org/viewvc?rev=1746880&view=rev
Log:
AXIS2-5683: Fix a potential XSS vulnerability in ListingAgent.

Modified:
    
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
    axis/axis2/java/core/trunk/pom.xml
    
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java

Modified: 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java?rev=1746880&r1=1746879&r2=1746880&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
 Sun Jun  5 08:46:01 2016
@@ -240,12 +240,7 @@ public class ListingAgent extends Abstra
                 }
 
             } else {
-
-                OutputStream out = res.getOutputStream();
-                res.setContentType("text/html");
-                String outStr = "<b>No policy found for id="
-                                + idParam + "</b>";
-                out.write(outStr.getBytes());
+                res.sendError(HttpServletResponse.SC_NOT_FOUND);
             }
 
         } else {
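Review bot: The new branch drops the reflected `idParam` without recording why, so a later "helpful" change could reintroduce a body built from the request parameter; add a why-comment above the call: `// Deliberately no body: idParam is attacker-controlled and was previously reflected unescaped (AXIS2-5683).` The same caveat applies to the `sendError(int, String)` overload: the message argument must never carry `idParam`, because containers render that string into their HTML error page, which would bring the XSS back through a different sink. Using the message-less `sendError` is correct here since nothing has been written to the response in this branch, so the call cannot hit the already-committed `IllegalStateException`. The enclosing method begins before this hunk and continues past it.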
@@ -276,12 +271,7 @@ public class ListingAgent extends Abstra
                             e);
                 }
             } else {
-
-                OutputStream out = res.getOutputStream();
-                res.setContentType("text/html");
-                String outStr = "<b>No effective policy for "
-                                + serviceName + " service</b>";
-                out.write(outStr.getBytes());
+                res.sendError(HttpServletResponse.SC_NOT_FOUND);
             }
         }
     }
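Review bot: This second reflection fix is not covered by the regression test added in the same commit, which only requests `?policy&id=<xss>` and therefore exercises the `idParam` branch; the "no effective policy for service" path, where `serviceName` (presumably taken from the request path, its origin is outside the hunk) was echoed into HTML, still has no test. Add a sibling test that requests a deployed service's `?policy` with no effective policy and asserts the 404, or a case that targets this branch with a marker in the service name if the dispatcher allows it. A short comment mirroring the first branch, `// No body on purpose: serviceName is request-derived (AXIS2-5683).`, would also keep the two fixes consistent. The enclosing method continues outside this hunk.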

Modified: axis/axis2/java/core/trunk/pom.xml
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/pom.xml?rev=1746880&r1=1746879&r2=1746880&view=diff
==============================================================================
--- axis/axis2/java/core/trunk/pom.xml (original)
+++ axis/axis2/java/core/trunk/pom.xml Sun Jun  5 08:46:01 2016
@@ -1314,6 +1314,12 @@
                 </configuration>
             </plugin>
             <plugin>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <configuration>
+                    <redirectTestOutputToFile>true</redirectTestOutputToFile>
+                </configuration>
+            </plugin>
+            <plugin>
                 <!-- Always build source JARs -->
                 <artifactId>maven-source-plugin</artifactId>
                 <executions>
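Review bot: With `redirectTestOutputToFile` set to true, the webapp output of a failing integration test will presumably land in the failsafe reports directory rather than the console, which is fine for noise but means CI should archive that directory or a regression like AXIS2-5683 will be hard to diagnose from build logs alone. A one-line comment stating that intent, `<!-- Keep container/servlet output out of the build log; see target/failsafe-reports -->`, would make the choice explicit for the next maintainer.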

Modified: 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java?rev=1746880&r1=1746879&r2=1746880&view=diff
==============================================================================
--- 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
 (original)
+++ 
axis/axis2/java/core/trunk/systests/webapp-tests/src/test/java/org/apache/axis2/webapp/AxisServletITCase.java
 Sun Jun  5 08:46:01 2016
@@ -31,4 +31,14 @@ public class AxisServletITCase {
         tester.clickLinkWithExactText("Services");
         tester.assertLinkPresentWithExactText("Version");
     }
+
+    /**
+     * Regression test for AXIS2-5683.
+     */
+    @Test
+    public void testHandlePolicyRequestXSS() {
+        tester.setIgnoreFailingStatusCodes(true);
+        tester.beginAt("/services/Version?policy&id=<xss>");
+        tester.assertResponseCode(404);
+    }
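Review bot: The test pins the status code but not the property the fix is actually about, namely that the attacker-controlled id is no longer reflected; because `setIgnoreFailingStatusCodes(true)` lets the container's own error page through, a container that echoes the requested URI into its default 404 page would pass this test while still reflecting `<xss>`. Add a body assertion after the status check, `tester.assertTextNotPresent("<xss>");`, so the test fails on any reflection regardless of status. It would also be worth a second test for the "no effective policy" branch fixed in ListingAgent, which this test does not reach. Whether the test framework URL-encodes the `<` and `>` in `beginAt` is not visible here; if it does not, the raw characters may be rejected by the container before reaching the servlet, which would also make the 404 assertion pass for the wrong reason.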
 }

