# HG changeset patch # User Sascha L. Teichmann # Date 1326282856 0 # Node ID 8284c8fca8406bf4d479763a133a546c0a6778af # Parent a18ec861b4a45d6da142c62929e60cf5de9cc5b9 Removed security problem when working with map infos. flys-artifacts/trunk@3650 c6561f87-3c4e-4783-a992-168aeb5c3f6f diff -r a18ec861b4a4 -r 8284c8fca840 flys-artifacts/ChangeLog --- a/flys-artifacts/ChangeLog Wed Jan 11 11:01:36 2012 +0000 +++ b/flys-artifacts/ChangeLog Wed Jan 11 11:54:16 2012 +0000 @@ -1,3 +1,9 @@ +2012-01-11 Sascha L. Teichmann + + * src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java: + Removed XPath injection security hole. A serious one because it allowed + inspecting the conf.xml file ... with all the db passwords. + 2012-01-11 Sascha L. Teichmann * src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java, diff -r a18ec861b4a4 -r 8284c8fca840 flys-artifacts/src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java --- a/flys-artifacts/src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java Wed Jan 11 11:01:36 2012 +0000 +++ b/flys-artifacts/src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java Wed Jan 11 11:54:16 2012 +0000 @@ -2,9 +2,15 @@ import org.apache.log4j.Logger; +import java.util.Map; +import java.util.HashMap; + import org.w3c.dom.Document; +import org.w3c.dom.Node; import org.w3c.dom.Element; +import javax.xml.xpath.XPathConstants; + import com.vividsolutions.jts.geom.Envelope; import de.intevation.artifacts.CallMeta; 
@@ -33,13 +39,13 @@ public static final String XPATH_RIVER = "/mapinfo/river/text()"; public static final String XPATH_RIVER_PROJECTION = - "/artifact-database/floodmap/river[@name='%RIVER%']/srid/@value"; + "/artifact-database/floodmap/river[@name=$river]/srid/@value"; public static final String XPATH_RIVER_BACKGROUND = "/artifact-database/floodmap/river[@name='%RIVER%']/background-wms"; public static final String XPATH_RIVER_WMS = - "/artifact-database/floodmap/river[@name='%RIVER%']/river-wms/@url"; + "/artifact-database/floodmap/river[@name=$river]/river-wms/@url"; /** The logger used in this service.*/ @@ -52,6 +58,23 @@ public MapInfoService() { } + protected static String getStringXPath( + String query, + Map variables + ) { + return (String)XMLUtils.xpath( + Config.getConfig(), query, XPathConstants.STRING, + null, variables); + } + + protected static Node getNodeXPath( + String query, + Map variables + ) { + return (Node)XMLUtils.xpath( + Config.getConfig(), query, XPathConstants.NODE, + null, variables); + } public Document process( Document data, @@ -86,16 +109,18 @@ root.appendChild(bbox); } - String xpathS = XPATH_RIVER_PROJECTION.replace("%RIVER%", river); - String sridStr = Config.getStringXPath(xpathS); + Map vars = new HashMap(); + vars.put("river", river); + + String sridStr = getStringXPath(XPATH_RIVER_PROJECTION, vars); + if (sridStr != null && sridStr.length() > 0) { Element srid = cr.create("srid"); cr.addAttr(srid, "value", sridStr); root.appendChild(srid); } - String xpathB = XPATH_RIVER_BACKGROUND.replace("%RIVER%", river); - Element back = (Element) Config.getNodeXPath(xpathB); + Element back = (Element)getNodeXPath(XPATH_RIVER_BACKGROUND, vars); if (back != null) { Element background = cr.create("background-wms"); cr.addAttr(background, "url", back.getAttribute("url")); 
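Review bot: `XPATH_RIVER_BACKGROUND` in this hunk still carries the quoted `'%RIVER%'` placeholder, while `XPATH_RIVER_PROJECTION` and `XPATH_RIVER_WMS` were switched to the `$river` variable. The -86,16 hunk now passes the constant straight to `getNodeXPath(XPATH_RIVER_BACKGROUND, vars)` with the old `replace("%RIVER%", river)` call removed. The query therefore compares `@name` against the literal text `%RIVER%`, so it will presumably never match and the `background-wms` element will be missing from the response. The value line should read `"/artifact-database/floodmap/river[@name=$river]/background-wms";` so that all three lookups bind the river name the same way.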
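Review bot: `getStringXPath` and `getNodeXPath` accept a raw `Map`, and the caller in the -86,16 hunk builds a raw `HashMap`, so the compiler cannot check what gets bound as an XPath variable. Declaring the parameter as `Map<String, String> variables` and creating it with `new HashMap<String, String>()` would make the contract explicit, assuming `XMLUtils.xpath` (not visible here) accepts that type. Both helpers are also undocumented. A short Javadoc should state that `variables` are bound as XPath variables referenced as `$name` in `query`, and that request data must never be concatenated into `query`, so a later caller does not reintroduce the `%RIVER%` substitution pattern this commit removes.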
@@ -103,8 +128,7 @@ root.appendChild(background); } - String xpathWMS = XPATH_RIVER_WMS.replace("%RIVER%", river); - String wmsStr = Config.getStringXPath(xpathWMS); + String wmsStr = getStringXPath(XPATH_RIVER_WMS, vars); if (wmsStr != null && wmsStr.length() > 0) { Element wms = cr.create("river-wms"); cr.addAttr(wms, "url", wmsStr);