Author: taher
Date: Wed Jul 18 06:30:15 2018 New Revision: 1836141 URL: http://svn.apache.org/viewvc?rev=1836141&view=rev Log: Improved: sanitized the output of XML-RPC when errors are reported. (OFBIZ-10848) This is implemented by overriding the parent "execute" method with a more sanitized output for clarity and enhanced security. Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java?rev=1836141&r1=1836140&r2=1836141&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java Wed Jul 18 06:30:15 2018
@@ -22,6 +22,7 @@ package org.apache.ofbiz.webapp.event;
 import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
 import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -54,6 +55,7 @@ import org.apache.xmlrpc.XmlRpcRequest;
 import org.apache.xmlrpc.common.ServerStreamConnection;
 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfig;
 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
+import org.apache.xmlrpc.common.XmlRpcStreamRequestConfig;
 import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping;
 import org.apache.xmlrpc.server.XmlRpcHttpServer;
 import org.apache.xmlrpc.server.XmlRpcHttpServerConfig;
@@ -209,6 +211,60 @@ public class XmlRpcEventHandler extends
 }
 }
+ @Override
+ public void execute(XmlRpcStreamRequestConfig pConfig,
+ ServerStreamConnection pConnection) throws XmlRpcException {
+ try {
+ Object result = null;
+ boolean foundError = false;
+
+ try (InputStream istream = getInputStream(pConfig, pConnection)) {
+ XmlRpcRequest request = getRequest(pConfig, istream);
+ result = execute(request);
+ } catch (Exception e) {
+ Debug.logError(e, module);
+ foundError = true;
+ }
+
+ ByteArrayOutputStream baos;
+ OutputStream initialStream;
+ if (isContentLengthRequired(pConfig)) {
+ baos = new ByteArrayOutputStream();
+ initialStream = baos;
+ } else {
+ baos = null;
+ initialStream = pConnection.newOutputStream();
+ }
+
+ try (OutputStream ostream = getOutputStream(pConnection, pConfig, initialStream)) {
+ if (!foundError) {
+ writeResponse(pConfig, ostream, result);
+ } else {
+ writeError(pConfig, ostream, new Exception("Failed to read XML-RPC request. Please check logs for more information"));
+ }
+ }
+
+ if (baos != null) {
+ try (OutputStream dest = getOutputStream(pConfig, pConnection, baos.size())) {
+ baos.writeTo(dest);
+ }
+ }
+
+ pConnection.close();
+ pConnection = null;
+ } catch (IOException e) {
+ throw new XmlRpcException("I/O error while processing request: " + e.getMessage(), e);
+ } finally {
+ if (pConnection != null) {
+ try {
+ pConnection.close();
+ } catch (IOException e) {
+ Debug.logError(e, "Unable to close stream connection");
+ }
+ }
+ }
+ }
+
 class ServiceRpcHandler extends AbstractReflectiveHandlerMapping implements XmlRpcHandler {
 public ServiceRpcHandler() {
|
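Review bot: The `catch (Exception e)` around `getInputStream`/`getRequest`/`execute(request)` also covers failures raised while the service itself runs, yet the fault returned to the client always says "Failed to read XML-RPC request", which points whoever triages it at the wrong stage; a neutral text such as `new Exception("Failed to process XML-RPC request. Please check logs for more information")` keeps the response sanitized without misattributing the cause. Because only `Exception` is caught, an `Error` thrown during parsing or execution bypasses the sanitized `writeError` path and propagates to the caller; how the parent `execute` treated that case is not visible here, so it is worth confirming before relying on this override as the single place where error output is controlled. In the `finally` block, `Debug.logError(e, "Unable to close stream connection")` uses the same two-argument form that is called with `module` a few lines earlier, so the message is presumably being passed as the module name; `Debug.logError(e, "Unable to close stream connection", module);` looks like what was intended.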
Hi Taher, It's actually OFBIZ-10484 ;) Jacques Le 18/07/2018 à 08:30, [hidden email]
a écrit :
Author: taher Date: Wed Jul 18 06:30:15 2018 New Revision: 1836141 URL: http://svn.apache.org/viewvc?rev=1836141&view=rev Log: Improved: sanitized the output of XML-RPC when errors are reported. (OFBIZ-10848) This is implemented by overriding the parent "execute" method with a more sanitized output for clarity and enhanced security. Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java Modified: ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java?rev=1836141&r1=1836140&r2=1836141&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/webapp/src/main/java/org/apache/ofbiz/webapp/event/XmlRpcEventHandler.java Wed Jul 18 06:30:15 2018
@@ -22,6 +22,7 @@ package org.apache.ofbiz.webapp.event;
 import static org.apache.ofbiz.base.util.UtilGenerics.checkMap;
 import java.io.BufferedReader;
+import java.io.ByteArrayOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
@@ -54,6 +55,7 @@ import org.apache.xmlrpc.XmlRpcRequest;
 import org.apache.xmlrpc.common.ServerStreamConnection;
 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfig;
 import org.apache.xmlrpc.common.XmlRpcHttpRequestConfigImpl;
+import org.apache.xmlrpc.common.XmlRpcStreamRequestConfig;
 import org.apache.xmlrpc.server.AbstractReflectiveHandlerMapping;
 import org.apache.xmlrpc.server.XmlRpcHttpServer;
 import org.apache.xmlrpc.server.XmlRpcHttpServerConfig;
@@ -209,6 +211,60 @@ public class XmlRpcEventHandler extends
 }
 }
+ @Override
+ public void execute(XmlRpcStreamRequestConfig pConfig,
+ ServerStreamConnection pConnection) throws XmlRpcException {
+ try {
+ Object result = null;
+ boolean foundError = false;
+
+ try (InputStream istream = getInputStream(pConfig, pConnection)) {
+ XmlRpcRequest request = getRequest(pConfig, istream);
+ result = execute(request);
+ } catch (Exception e) {
+ Debug.logError(e, module);
+ foundError = true;
+ }
+
+ ByteArrayOutputStream baos;
+ OutputStream initialStream;
+ if (isContentLengthRequired(pConfig)) {
+ baos = new ByteArrayOutputStream();
+ initialStream = baos;
+ } else {
+ baos = null;
+ initialStream = pConnection.newOutputStream();
+ }
+
+ try (OutputStream ostream = getOutputStream(pConnection, pConfig, initialStream)) {
+ if (!foundError) {
+ writeResponse(pConfig, ostream, result);
+ } else {
+ writeError(pConfig, ostream, new Exception("Failed to read XML-RPC request. Please check logs for more information"));
+ }
+ }
+
+ if (baos != null) {
+ try (OutputStream dest = getOutputStream(pConfig, pConnection, baos.size())) {
+ baos.writeTo(dest);
+ }
+ }
+
+ pConnection.close();
+ pConnection = null;
+ } catch (IOException e) {
+ throw new XmlRpcException("I/O error while processing request: " + e.getMessage(), e);
+ } finally {
+ if (pConnection != null) {
+ try {
+ pConnection.close();
+ } catch (IOException e) {
+ Debug.logError(e, "Unable to close stream connection");
+ }
+ }
+ }
+ }
+
 class ServiceRpcHandler extends AbstractReflectiveHandlerMapping implements XmlRpcHandler {
 public ServiceRpcHandler() {
|