Commit 58166368 authored by Torben Barsbsballe's avatar Torben Barsbsballe

[GEOS-7095] Fix for exploitable bypass for XXE fix

parent 042cbfe7
......@@ -91,7 +91,7 @@ public class ExecuteTest extends WPSTestSupport {
String xml =
"<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>" +
"<!DOCTYPE foo [<!ELEMENT foo ANY >\n" +
" <!ENTITY xxe SYSTEM \"file:///file/not/there\" >]>\n" +
" <!ENTITY xxe SYSTEM \"file:///file/not/there?.xsd\" >]>\n" +
"<wps:Execute service='WPS' version='1.0.0' xmlns:wps='http://www.opengis.net/wps/1.0.0' " +
"xmlns:ows='http://www.opengis.net/ows/1.1'>" +
"<ows:Identifier>JTS:buffer</ows:Identifier>" +
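Review bot: Replacing the entity's system id on this line with the `?.xsd` form drops the only coverage of the original case, a plain `file:` id with no `.xsd` suffix, so a regression in the first half of the resolver's check would no longer be caught by this test; the same substitution is made in both GetCoverageTest hunks, the DescribeCoverage fixture and the three ExternalEntitiesTest hunks. Keep the existing request as it was and add the `?.xsd` variant as a second test method (or a second fixture string), so that both the suffix rule and the new scheme rule are asserted independently. The test method that sends this request starts before the hunk, so what it asserts about the response is not visible here.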
......
......@@ -34,8 +34,8 @@ public class NoExternalEntityResolver implements EntityResolver {
LOGGER.finest("resolveEntity request: publicId=" + publicId + ", systemId=" + systemId);
}
// allow schema parsing for validation
if (systemId != null && systemId.endsWith(".xsd")) {
// allow schema parsing for validation (jar or external only)
if (systemId != null && systemId.endsWith(".xsd") && !systemId.startsWith("file")) {
return null;
}
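Review bot: The new guard on the `if` line compares the scheme case-sensitively, but URI schemes are case-insensitive (RFC 3986 §3.1), so an identifier whose scheme is spelled `FILE:` passes `endsWith(".xsd")`, fails `startsWith("file")` and is still returned to the parser's default resolution; a single deny-prefix is also brittle against any other locally-backed scheme the runtime's URL handlers accept. The comment says "jar or external only", so match that intent directly with an allow-list of schemes compared after lower-casing in `Locale.ROOT`, and refuse unparseable or scheme-less identifiers, since a relative id would presumably be resolved against the document's base URI. The rewrite below keeps the `.xsd` test on the raw identifier because `jar:` URIs are opaque and expose no path component; note that `jar:` still reaches the local filesystem through its inner `file:` part, so if only bundled schemas are meant, a classpath lookup would be tighter. The enclosing resolveEntity starts before this hunk.
```java
// new helper, placed alongside resolveEntity:
/** True only when the id names an .xsd through an explicitly allowed, non-local scheme. */
private static boolean isAllowedSchemaLocation(String systemId) {
    String scheme;
    try {
        scheme = new java.net.URI(systemId).getScheme();
    } catch (java.net.URISyntaxException e) {
        return false; // unparseable id: never hand it to the default resolver
    }
    if (scheme == null) {
        return false; // relative id would resolve against the base URI, which may be local
    }
    scheme = scheme.toLowerCase(java.util.Locale.ROOT);
    boolean allowedScheme = scheme.equals("jar") || scheme.equals("http") || scheme.equals("https");
    return allowedScheme && systemId.toLowerCase(java.util.Locale.ROOT).endsWith(".xsd");
}

// in resolveEntity (method starts before this hunk):
        // allow schema parsing for validation (classpath jar or remote http/https only)
        if (systemId != null && isAllowedSchemaLocation(systemId)) {
            return null;
        }
```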
......
......@@ -307,7 +307,7 @@ public class GetCoverageTest extends WCSTestSupport {
+ " version CDATA #FIXED \"1.0.0\"\n"
+ " xmlns CDATA #FIXED \"http://www.opengis.net/wcs\">\n"
+ " <!ELEMENT sourceCoverage (#PCDATA) >\n"
+ " <!ENTITY xxe SYSTEM \"file:///file/not/there\" >]>\n"
+ " <!ENTITY xxe SYSTEM \"file:///file/not/there?.xsd\" >]>\n"
+ "<GetCoverage version=\"1.0.0\" service=\"WCS\""
+ " xmlns=\"http://www.opengis.net/wcs\" >\n"
+ " <sourceCoverage>&xxe;</sourceCoverage>\n"
......
/* (c) 2014 Open Source Geospatial Foundation - all rights reserved
/* (c) 2014 - 2015 Open Source Geospatial Foundation - all rights reserved
* (c) 2001 - 2013 OpenPlans
* This code is licensed under the GPL 2.0 license, available at the root
* application directory.
......@@ -478,7 +478,7 @@ public class GetCoverageTest extends AbstractGetCoverageTest {
+ " xmlns:ows CDATA #FIXED \"http://www.opengis.net/ows/1.1\"\n"
+ " xmlns:wcs CDATA #FIXED \"http://www.opengis.net/wcs/1.1.1\">\n"
+ " <!ELEMENT ows:Identifier (#PCDATA) >\n"
+ " <!ENTITY xxe SYSTEM \"file:///file/not/there\" >]>\n"
+ " <!ENTITY xxe SYSTEM \"file:///file/not/there?.xsd\" >]>\n"
+ " <wcs:GetCoverage service=\"WCS\" version=\"1.1.1\" "
+ " xmlns:ows=\"http://www.opengis.net/ows/1.1\"\n"
+ " xmlns:wcs=\"http://www.opengis.net/wcs/1.1.1\">\n"
......
......@@ -6,7 +6,7 @@
version CDATA #FIXED "2.0.1"
xmlns:wcs CDATA #FIXED "http://www.opengis.net/wcs/2.0">
<!ELEMENT wcs:CoverageId (#PCDATA)>
<!ENTITY xxe SYSTEM "file:///file/not/there.txt" >]>
<!ENTITY xxe SYSTEM "file:///file/not/there?.xsd" >]>
<wcs:DescribeCoverage
xmlns:wcs='http://www.opengis.net/wcs/2.0'
service="WCS"
......
/* (c) 2014 Open Source Geospatial Foundation - all rights reserved
/* (c) 2014 - 2015 Open Source Geospatial Foundation - all rights reserved
* (c) 2001 - 2013 OpenPlans
* This code is licensed under the GPL 2.0 license, available at the root
* application directory.
......@@ -299,7 +299,7 @@ public class WFS extends XSD {
* Returns the location of 'wfs.xsd'
*/
public String getSchemaLocation() {
return getClass().getResource( "wfs.xsd" ).toString();
return org.geotools.wfs.v1_1.WFS.class.getResource( "wfs.xsd" ).toString();
}
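Review bot: The Javadoc above getSchemaLocation still reads only "Returns the location of 'wfs.xsd'" and does not record why the lookup now goes through `org.geotools.wfs.v1_1.WFS.class` instead of `getClass()`, so a later cleanup could revert it without noticing the consequence. Suggest extending the comment with `Resolved against WFS.class rather than getClass() so that a subclass in another package, or one loaded by a class loader without the bundled schema, still locates this module's wfs.xsd.` — the reason is inferred from the change, so confirm it matches the intent. If the enclosing class is itself org.geotools.wfs.v1_1.WFS, the plain `WFS.class` literal reads cleaner than the fully qualified name; the hunk does not show the package declaration.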
/**
......
......@@ -25,7 +25,7 @@ public class ExternalEntitiesTest extends WFSTestSupport {
private static final String WFS_1_0_0_REQUEST = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n" +
"<!DOCTYPE wfs:GetFeature [\r\n" +
"<!ENTITY c SYSTEM \"file:///this/file/does/not/exist\">\r\n" +
"<!ENTITY c SYSTEM \"file:///this/file/does/not/exist?.xsd\">\r\n" +
"]>\r\n" +
"<wfs:GetFeature service=\"WFS\" version=\"1.0.0\" \r\n" +
" outputFormat=\"GML2\"\r\n" +
......@@ -63,7 +63,7 @@ public class ExternalEntitiesTest extends WFSTestSupport {
"<!ELEMENT ogc:FeatureId EMPTY>\r\n" +
"<!ATTLIST ogc:FeatureId fid CDATA #FIXED \"states.3\">\r\n" +
"\r\n" +
"<!ENTITY passwd SYSTEM \"file:///this/file/does/not/exist\">]>\r\n" +
"<!ENTITY passwd SYSTEM \"file:///this/file/does/not/exist?.xsd\">]>\r\n" +
"<wfs:GetFeature service=\"WFS\" version=\"1.1.0\" \r\n" +
" xmlns:wfs=\"http://www.opengis.net/wfs\"\r\n" +
" xmlns:ogc=\"http://www.opengis.net/ogc\">\r\n" +
......@@ -92,7 +92,7 @@ public class ExternalEntitiesTest extends WFSTestSupport {
"<!ELEMENT fes:ResourceId EMPTY>\r\n" +
"<!ATTLIST fes:ResourceId rid CDATA #FIXED \"states.3\">\r\n" +
"\r\n" +
"<!ENTITY passwd SYSTEM \"file:///thisfiledoesnotexist\">\r\n" +
"<!ENTITY passwd SYSTEM \"file:///thisfiledoesnotexist?.xsd\">\r\n" +
"]>\r\n" +
"<wfs:GetFeature service=\"WFS\" version=\"2.0.0\" outputFormat=\"application/gml+xml; version=3.2\"\r\n" +
" xmlns:wfs=\"http://www.opengis.net/wfs/2.0\"\r\n" +
......