svn commit: r935846 - /axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/DefaultSchemaGenerator.java

Author: amilas
Date: Tue Apr 20 09:37:51 2010
New Revision: 935846

URL: http://svn.apache.org/viewvc?rev=935846&view=rev
Log:
If the package name starts with java.util, indexOf returns 0, so the
`> 0` test never becomes true and the exclusion is silently bypassed.
Testing for `indexOf(...) < 0` is the correct and sufficient check.

Modified:

axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/DefaultSchemaGenerator.java

Modified: 
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/DefaultSchemaGenerator.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/DefaultSchemaGenerator.java?rev=935846&r1=935845&r2=935846&view=diff
==
--- 
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/DefaultSchemaGenerator.java
 (original)
+++ 
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/DefaultSchemaGenerator.java
 Tue Apr 20 09:37:51 2010
@@ -511,9 +511,9 @@ public class DefaultSchemaGenerator impl
 eltOuter.setQName(schemaTypeName);
 
 Class sup = javaType.getSuperclass();
-if ((sup != null) && !("java.lang.Object".compareTo(sup.getName()) 
== 0) &&
-
!(getQualifiedName(sup.getPackage()).indexOf("org.apache.axis2") > 0)
-&& 
!(getQualifiedName(sup.getPackage()).indexOf("java.util") > 0))
+if ((sup != null) && ("java.lang.Object".compareTo(sup.getName()) 
!= 0) &&
+
(getQualifiedName(sup.getPackage()).indexOf("org.apache.axis2") < 0)
+&& 
(getQualifiedName(sup.getPackage()).indexOf("java.util") < 0))
 {
 String superClassName = sup.getName();
 String superclassname = getSimpleClassName(sup);
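Review bot: The corrected guards at lines 42 and 44 are still substring tests, so a superclass whose package name merely contains `org.apache.axis2` or `java.util` anywhere (e.g. `com.example.java.utilities`) is also skipped, while the commit message describes a prefix check. `startsWith` states that intent exactly: `(!getQualifiedName(sup.getPackage()).startsWith("org.apache.axis2")) &&` / `(!getQualifiedName(sup.getPackage()).startsWith("java.util"))`. The `compareTo(...) != 0` on line 39 reads more directly as `!"java.lang.Object".equals(sup.getName())`. Whether `getQualifiedName` tolerates a null `Package` (a superclass in the default package) is not visible here, so that path deserves a look. The enclosing method begins before this hunk.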




svn commit: r935878 - in /axis/axis2/java/core/trunk/modules: kernel/src/org/apache/axis2/util/ webapp/src/main/webapp/axis2-web/

Author: gdaniels
Date: Tue Apr 20 11:38:02 2010
New Revision: 935878

URL: http://svn.apache.org/viewvc?rev=935878&view=rev
Log:
Protect against potential XSS by sanitizing outputted user data.

Modified:

axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java

axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp

axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp

axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoanoperation.jsp

axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingtoaservice.jsp

axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/listGroupService.jsp

Modified: 
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java?rev=935878&r1=935877&r2=935878&view=diff
==
--- 
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java 
(original)
+++ 
axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/util/Utils.java 
Tue Apr 20 11:38:02 2010
@@ -373,6 +373,17 @@ public class Utils {
 return moduleName;
 }
 
+private static final String ILLEGAL_CHARACTERS = "/\n\r\t\0\f`?*\\<>|\":";
+public static boolean isValidModuleName(String moduleName) {
+for (int i = 0; i < moduleName.length(); i++) {
+char c = moduleName.charAt(i);
+if ((c > 127) || (ILLEGAL_CHARACTERS.indexOf(c) >= 0)) {
+return false;
+}
+}
+return true;
+}
+
 /**
  * - if he trying to engage the same module then method will returen false
  * - else it will return true
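Review bot: `isValidModuleName` at line 93 accepts the empty string and throws NullPointerException on a null argument, and as a deny-list it only rejects the characters someone thought of (`&`, `'`, `;`, `%` and whitespace other than `\t`, `\n`, `\r` all pass). Rejecting null and empty is a one-line addition at the top of the method: `if (moduleName == null || moduleName.isEmpty()) { return false; }`. If module names are in practice only letters, digits, `.`, `_` and `-` (the visible code does not establish this), an allow-list held in a `static final Pattern` for `[A-Za-z0-9._-]+` is the more robust form than `ILLEGAL_CHARACTERS`. The method is public and has no Javadoc; a line such as `/** Rejects module names containing non-ASCII characters or any of ILLEGAL_CHARACTERS. */` would tell callers what it does and does not guarantee.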
@@ -653,6 +664,11 @@ public class Utils {
 int index = uri.indexOf(':');
 return index > 0 ? uri.substring(0, index) : null;
 }
+
+public static String sanitizeWebOutput(String text) {
+text = text.replaceAll("<", "<");
+return text;
+}
 
 /**
  * Create a service object for a given service. The method first looks for
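Review bot: `sanitizeWebOutput` at lines 111-114 does not neutralize HTML as written: the replacement string is shown as a bare `<` (presumably `&lt;` was intended and was lost in rendering — worth confirming against the repository), and even with `&lt;` the method leaves `&`, `>`, `"` and `'` untouched, so a value emitted inside an attribute or a script block remains injectable, and a null `text` raises NullPointerException. `replaceAll` also treats its first argument as a regex and its second as a replacement template, which the literal `replace` avoids. A single pass that escapes the five HTML-significant characters covers both text and quoted-attribute contexts; the rewrite below returns an empty string for null rather than throwing, and keeps the name and signature so the JSP call sites in this commit are unaffected.
```java
public static String sanitizeWebOutput(String text) {
    if (text == null) {
        return "";
    }
    StringBuilder out = new StringBuilder(text.length() + 16);
    for (int i = 0; i < text.length(); i++) {
        char c = text.charAt(i);
        switch (c) {
            case '&':  out.append("&amp;");  break;
            case '<':  out.append("&lt;");   break;
            case '>':  out.append("&gt;");   break;
            case '"':  out.append("&quot;"); break;
            case '\'': out.append("&#39;");  break;
            default:   out.append(c);
        }
    }
    return out.toString();
}
```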

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp?rev=935878&r1=935877&r2=935878&view=diff
==
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/EngageToServiceGroup.jsp
 Tue Apr 20 11:38:02 2010
@@ -23,6 +23,7 @@
  
java.util.Collection" %>
 <%@ page import="java.util.HashMap"%>
 <%@ page import="java.util.Iterator"%>
+<%@ page import="org.apache.axis2.util.Utils" %>
 
 <%
 String status = 
(String)request.getSession().getAttribute(Constants.ENGAGE_STATUS);
@@ -124,7 +125,7 @@
   style="display:none"
 <%
 } %>
-><%=status%>
+><%=Utils.sanitizeWebOutput(status)%>
 
 
 
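Review bot: `status` at line 145 comes straight from the session attribute read at line 138 and can be null, and `sanitizeWebOutput` as introduced in this commit dereferences its argument, so the page now throws where it previously printed `null` — unless the condition closed at line 143, which starts outside the hunk, already excludes that case. A guard at the call site keeps the page rendering either way: `><%=status == null ? "" : Utils.sanitizeWebOutput(status)%>`. The value lands in element text content (after the `>` on the same line), so escaping `<` and `&` is the minimum this context needs; any other outputs of user-influenced data in this JSP are outside the visible hunks.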

Modified: 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp
URL: 
http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp?rev=935878&r1=935877&r2=935878&view=diff
==
--- 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp
 (original)
+++ 
axis/axis2/java/core/trunk/modules/webapp/src/main/webapp/axis2-web/engagingglobally.jsp
 Tue Apr 20 11:38:02 2010
@@ -22,6 +22,7 @@
  java.util.Collection,
  java.util.HashMap,
  java.util.Iterator" %>
+<%@ page import="org.apache.axis2.util.Utils" %>
 
 
 <%
@@ -40,13 +41,15 @@
 
 
 <%
-HashMap moduels = (HashMap) 
request.getSession().getAttribute(Constants.MODULE_MAP);
+HashMap modules = (HashMap) 
request.getSession().getAttribute(Constants.MODULE_MAP);
 
request.getSession().setAttribute(Constants.MODULE_MAP,null);
-Collection moduleCol = moduels.values();
+Collection moduleCol = modules.values();
 for (Iterator iterator = moduleCol.iterator(); 
iterator.hasNext();) {
 AxisModule axisOperation = (AxisModule) 
iterator.next();
 String modulename = axis