Author: gdaniels Date: Tue Apr 20 11:38:02 2010 New Revision: 935878 URL: http://svn.apache.org/viewvc?rev=935878&view=rev Log: Protect against potential XSS by sanitizing outputted user data.
Modified: axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoanoperation.jsp axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoaservice.jsp axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp Modified: axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java?rev=935878&r1=935877&r2=935878&view=diff ============================================================================== --- axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java (original) +++ axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java Tue Apr 20 11:38:02 2010 @@ -373,6 +373,17 @@ public class Utils { return moduleName; } + private static final String ILLEGAL_CHARACTERS = "/\n\r\t\0\f`?*\\<>|\":"; + public static boolean isValidModuleName(String moduleName) { + for (int i = 0; i < moduleName.length(); i++) { + char c = moduleName.charAt(i); + if ((c > 127) || (ILLEGAL_CHARACTERS.indexOf(c) >= 0)) { + return false; + } + } + return true; + } + /** * - if he trying to engage the same module then method will returen false * - else it will return true 
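Review bot: `isValidModuleName` dereferences `moduleName` on the first loop iteration, so a null name throws `NullPointerException` instead of returning false; a guard such as `if (moduleName == null) { return false; }` at the top would make the method safe to call on raw input, and the same check could reasonably reject the empty string, which currently passes. The filter blocks `/` and `\` but not `.`, so a name of `..` is accepted; if the validated name is ever used to form a filesystem path this would still allow traversal, though the callers are outside this hunk so that cannot be confirmed here. The method is also undocumented — a Javadoc of the form "Returns true if {@code moduleName} contains only 7-bit ASCII characters and none of the characters in ILLEGAL_CHARACTERS; returns false for any other input." would state the contract that the `c > 127` test implies.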
@@ -653,6 +664,11 @@ public class Utils { int index = uri.indexOf(':'); return index > 0 ? uri.substring(0, index) : null; } + + public static String sanitizeWebOutput(String text) { + text = text.replaceAll("<", "<"); + return text; + } /** * Create a service object for a given service. The method first looks for Modified: axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp?rev=935878&r1=935877&r2=935878&view=diff ============================================================================== --- axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp (original) +++ axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp Tue Apr 20 11:38:02 2010 @@ -23,6 +23,7 @@ java.util.Collection" %> <%@ page import="java.util.HashMap"%> <%@ page import="java.util.Iterator"%> +<%@ page import="org.apache.axis2.util.Utils" %> <jsp:include page="include/adminheader.jsp"></jsp:include> <% String status = (String)request.getSession().getAttribute(Constants.ENGAGE_STATUS); @@ -124,7 +125,7 @@ style="display:none" <% } %> - ><%=status%></textarea> + ><%=Utils.sanitizeWebOutput(status)%></textarea> </td> </tr> </table> Modified: axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp?rev=935878&r1=935877&r2=935878&view=diff ============================================================================== --- axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp (original) +++ axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp Tue Apr 20 11:38:02 2010 
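Review bot: As the hunk reads, `text.replaceAll("<", "<")` replaces `<` with itself and is a no-op; presumably the committed source is the `&lt;` entity and this page has decoded it, but that is worth confirming against the repository. Even with `&lt;`, the helper escapes only `<`, leaving `&`, `>`, `"` and `'` untouched, so it is not safe for attribute values and will rewrite any `&`-sequence in the status text into an entity when rendered. It also dereferences `text` unconditionally, while the `<textarea>` call sites added in EngageToServiceGroup.jsp, engagingtoanoperation.jsp and engagingtoaservice.jsp appear to render `status` even when the element is hidden — where the old code printed `null`, the new code would throw. A null guard plus full HTML escaping, using the regex-free `String.replace` and escaping `&` first, is below.
```java
    public static String sanitizeWebOutput(String text) {
        if (text == null) {
            return null;
        }
        // escape '&' first so the entities introduced below are not re-escaped
        return text.replace("&", "&amp;")
                   .replace("<", "&lt;")
                   .replace(">", "&gt;")
                   .replace("\"", "&quot;")
                   .replace("'", "&#39;");
    }
```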
@@ -22,6 +22,7 @@ java.util.Collection, java.util.HashMap, java.util.Iterator" %> +<%@ page import="org.apache.axis2.util.Utils" %> <html> <jsp:include page="include/adminheader.jsp"/> <% @@ -40,13 +41,15 @@ <td width="75%" align="left"> <select name="modules"> <% - HashMap moduels = (HashMap) request.getSession().getAttribute(Constants.MODULE_MAP); + HashMap modules = (HashMap) request.getSession().getAttribute(Constants.MODULE_MAP); request.getSession().setAttribute(Constants.MODULE_MAP,null); - Collection moduleCol = moduels.values(); + Collection moduleCol = modules.values(); for (Iterator iterator = moduleCol.iterator(); iterator.hasNext();) { AxisModule axisOperation = (AxisModule) iterator.next(); String modulename = axisOperation.getName(); - %> <option align="left" value="<%=modulename%>"><%=modulename%></option> + %> + <option align="left" value="<%=modulename%>"><%=modulename%> + </option> <% } %> @@ -63,7 +66,7 @@ <% if (status != null) { %> -<p><font color="blue"><%=status%></font></p> +<p style="color:blue"><%=Utils.sanitizeWebOutput(status)%></p> <% } %> <jsp:include page="include/adminfooter.inc"/> Modified: axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoanoperation.jsp URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoanoperation.jsp?rev=935878&r1=935877&r2=935878&view=diff ============================================================================== --- axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoanoperation.jsp (original) +++ axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoanoperation.jsp Tue Apr 20 11:38:02 2010 
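Review bot: The reformatted `<option>` line in the second hunk still writes `modulename` raw into both the `value` attribute and the element body, so it is the one output in this file the commit leaves unsanitized. The names come from the session's module map rather than a request parameter, so exposure depends on how entries reach that map; the `isValidModuleName` check added in the same commit suggests they are not fully trusted. Note that `sanitizeWebOutput` as written escapes only `<` and would not make the attribute safe either — `value="<%=modulename%>"` needs `"` escaped as well.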
@@ -20,6 +20,7 @@ <%@ page contentType="text/html; charset=iso-8859-1" language="java" import="org.apache.axis2.Constants, org.apache.axis2.description.AxisModule, org.apache.axis2.description.AxisOperation, + org.apache.axis2.util.Utils, java.util.Collection, java.util.HashMap, java.util.Iterator"%> @@ -117,7 +118,7 @@ style="display:none" <% } %> - ><%=status%></textarea> + ><%=Utils.sanitizeWebOutput(status)%></textarea> </td> </tr> </table> Modified: axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoaservice.jsp URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoaservice.jsp?rev=935878&r1=935877&r2=935878&view=diff ============================================================================== --- axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoaservice.jsp (original) +++ axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoaservice.jsp Tue Apr 20 11:38:02 2010 @@ -24,6 +24,7 @@ java.util.HashMap, java.util.Iterator" %> +<%@ page import="org.apache.axis2.util.Utils" %> <jsp:include page="include/adminheader.jsp"></jsp:include> <% String status = (String) request.getSession().getAttribute(Constants.ENGAGE_STATUS); @@ -133,7 +134,7 @@ style="display:none" <% } %> - ><%=status%> + ><%=Utils.sanitizeWebOutput(status)%> </textarea> </td> </tr> Modified: axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp?rev=935878&r1=935877&r2=935878&view=diff ============================================================================== --- axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp (original) +++ axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp Tue Apr 20 11:38:02 2010 
@@ -36,23 +36,22 @@ <jsp:include page="include/adminheader.jsp"/> <h1>Available services</h1> <% - String prifix = request.getAttribute("frontendHostUrl") + (String)request.getSession().getAttribute(Constants.SERVICE_PATH) +"/"; + String prefix = request.getAttribute("frontendHostUrl") + (String)request.getSession().getAttribute(Constants.SERVICE_PATH) +"/"; %> <% - HashMap serviceMap = (HashMap) request.getSession().getAttribute(Constants.SERVICE_MAP); - request.getSession().setAttribute(Constants.SERVICE_MAP,null); - String servicName = request.getParameter("serviceName"); - AxisService axisService = (AxisService) serviceMap.get(servicName); - if (axisService != null) { - Iterator operations; - String serviceName; - operations = axisService.getOperations(); - serviceName = axisService.getName(); + HashMap serviceMap = (HashMap) request.getSession().getAttribute(Constants.SERVICE_MAP); + request.getSession().setAttribute(Constants.SERVICE_MAP,null); + AxisService axisService = (AxisService) serviceMap.get(request.getParameter("serviceName")); + if (axisService != null) { + Iterator operations; + String serviceName; + operations = axisService.getOperations(); + serviceName = axisService.getName(); %><hr> -<h2><font color="blue"><a href="<%=prifix + axisService.getName()%>?wsdl"><%=serviceName%></a> +<h2><font color="blue"><a href="<%=prefix + axisService.getName()%>?wsdl"><%=serviceName%></a> </font></h2> -<font color="blue">Service EPR :</font><font color="black"><%=prifix + axisService.getName()%></font> +<font color="blue">Service EPR :</font><font color="black"><%=prefix + axisService.getName()%></font> <h4>Service Description : <font color="black"><%=axisService.getServiceDescription()%></font></h4> <i><font color="blue">Service Status : <%=axisService.isActive() ? "Active" : "InActive"%></font></i><br/> <%