Author: veithen
Date: Sun Apr 23 11:38:22 2017
New Revision: 1792353
URL: http://svn.apache.org/viewvc?rev=1792353&view=rev
Log:
AXIS2-5846: Fix a local file inclusion vulnerability in SimpleHTTPServer. This
occurs because axis2server.sh adds the root directory of the binary
distribution to the class path, and SimpleHTTPServer doesn't limit the search
for XSD/WSDL files to the service class loader. This means that axis2.xml is
accessible remotely via a specially crafted query string
(xsd=../conf/axis2.xml).
Although AxisServlet is not known to be vulnerable, this change also modifies
ListingAgent to limit the search to the service class loader.
Modified:
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
Modified:
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java?rev=1792353&r1=1792352&r2=1792353&view=diff
==============================================================================
---
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
(original)
+++
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPTransportUtils.java
Sun Apr 23 11:38:22 2017
@@ -54,6 +54,8 @@ import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.SocketException;
+import java.net.URL;
+import java.net.URLClassLoader;
import java.util.Iterator;
import java.util.Map;
import java.util.zip.GZIPInputStream;
@@ -382,4 +384,20 @@ public class HTTPTransportUtils {
epr.append('/');
return new EndpointReference[]{new EndpointReference(epr.toString())};
}
+
+ static InputStream getMetaInfResourceAsStream(AxisService service, String
name) {
+ ClassLoader classLoader = service.getClassLoader();
+ if (classLoader instanceof URLClassLoader) {
+ // Only search the service class loader and skip searching the
ancestors to
+ // avoid local file inclusion vulnerabilities such as AXIS2-5846.
+ URL url = ((URLClassLoader)classLoader).findResource("META-INF/" +
name);
+ try {
+ return url == null ? null : url.openStream();
+ } catch (IOException ex) {
+ return null;
+ }
+ } else {
+ return null;
+ }
+ }
}
Modified:
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java?rev=1792353&r1=1792352&r2=1792353&view=diff
==============================================================================
---
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
(original)
+++
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/HTTPWorker.java
Sun Apr 23 11:38:22 2017
@@ -22,7 +22,6 @@ package org.apache.axis2.transport.http;
import org.apache.axis2.Constants;
import org.apache.axis2.context.ConfigurationContext;
import org.apache.axis2.context.MessageContext;
-import org.apache.axis2.deployment.DeploymentConstants;
import org.apache.axis2.description.AxisService;
import org.apache.axis2.description.Parameter;
import org.apache.axis2.engine.Handler.InvocationResponse;
@@ -100,8 +99,7 @@ public class HTTPWorker implements Worke
Iterator i = services.values().iterator();
while (i.hasNext()) {
AxisService service = (AxisService) i.next();
- InputStream stream = service.getClassLoader().
- getResourceAsStream("META-INF/" + file);
+ InputStream stream =
HTTPTransportUtils.getMetaInfResourceAsStream(service, file);
if (stream != null) {
OutputStream out =
response.getOutputStream();
response.setContentType("text/xml");
@@ -205,8 +203,7 @@ public class HTTPWorker implements Worke
schema.write(response.getOutputStream());
return;
} else {
- InputStream instream = service.getClassLoader()
- .getResourceAsStream(DeploymentConstants.META_INF
+ "/" + schemaName);
+ InputStream instream =
HTTPTransportUtils.getMetaInfResourceAsStream(service, schemaName);
if (instream != null) {
response.setStatus(HttpStatus.SC_OK);
Modified:
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
URL:
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java?rev=1792353&r1=1792352&r2=1792353&view=diff
==============================================================================
---
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
(original)
+++
axis/axis2/java/core/trunk/modules/transport/http/src/org/apache/axis2/transport/http/ListingAgent.java
Sun Apr 23 11:38:22 2017
@@ -125,7 +125,7 @@ public class ListingAgent extends Abstra
Iterator<AxisService> i = services.values().iterator();
while (i.hasNext()) {
AxisService service = (AxisService) i.next();
- InputStream stream =
service.getClassLoader().getResourceAsStream("META-INF/" + schema);
+ InputStream stream =
HTTPTransportUtils.getMetaInfResourceAsStream(service, schema);
if (stream != null) {
OutputStream out = res.getOutputStream();
res.setContentType("text/xml");
