changeset 2098:8284c8fca840

Removed security problem when working with map infos. flys-artifacts/trunk@3650 c6561f87-3c4e-4783-a992-168aeb5c3f6f
author Sascha L. Teichmann <sascha.teichmann@intevation.de>
date Wed, 11 Jan 2012 11:54:16 +0000
parents a18ec861b4a4
children 925c88ecb842
files flys-artifacts/ChangeLog flys-artifacts/src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java
diffstat 2 files changed, 38 insertions(+), 8 deletions(-) [+]
--- a/flys-artifacts/ChangeLog	Wed Jan 11 11:01:36 2012 +0000
+++ b/flys-artifacts/ChangeLog	Wed Jan 11 11:54:16 2012 +0000
@@ -1,3 +1,9 @@
+2012-01-11	Sascha L. Teichmann	<sascha.teichmann@intevation.de>
+
+	* src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java:
+	  Removed XPath injection security hole. A serious one because it allowed
+	  inspecting the conf.xml file ... with all the db passwords.
+
 2012-01-11	Sascha L. Teichmann	<sascha.teichmann@intevation.de>
 
 	* src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java,
--- a/flys-artifacts/src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java	Wed Jan 11 11:01:36 2012 +0000
+++ b/flys-artifacts/src/main/java/de/intevation/flys/artifacts/services/MapInfoService.java	Wed Jan 11 11:54:16 2012 +0000
@@ -2,9 +2,15 @@
 
 import org.apache.log4j.Logger;
 
+import java.util.Map;
+import java.util.HashMap;
+
 import org.w3c.dom.Document;
+import org.w3c.dom.Node;
 import org.w3c.dom.Element;
 
+import javax.xml.xpath.XPathConstants;
+
 import com.vividsolutions.jts.geom.Envelope;
 
 import de.intevation.artifacts.CallMeta;
@@ -33,13 +39,13 @@
     public static final String XPATH_RIVER = "/mapinfo/river/text()";
 
     public static final String XPATH_RIVER_PROJECTION =
-        "/artifact-database/floodmap/river[@name='%RIVER%']/srid/@value";
+        "/artifact-database/floodmap/river[@name=$river]/srid/@value";
 
     public static final String XPATH_RIVER_BACKGROUND =
         "/artifact-database/floodmap/river[@name='%RIVER%']/background-wms";
 
     public static final String XPATH_RIVER_WMS =
-        "/artifact-database/floodmap/river[@name='%RIVER%']/river-wms/@url";
+        "/artifact-database/floodmap/river[@name=$river]/river-wms/@url";
 
 
     /** The logger used in this service.*/
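Review bot: `XPATH_RIVER_BACKGROUND` still carries the quoted placeholder `'%RIVER%'`, yet the later hunk in `process()` drops the `replace("%RIVER%", river)` step and passes the constant unchanged to `getNodeXPath(XPATH_RIVER_BACKGROUND, vars)`. The predicate now compares `@name` with the literal text `%RIVER%`, so the lookup will presumably never match and the `background-wms` element silently disappears from the response. Convert it like its two neighbours: `"/artifact-database/floodmap/river[@name=$river]/background-wms";`. Any other query template in the project that is still filled by string replacement (none are visible here) would keep the injection problem this commit removes, so a search for `%RIVER%`-style placeholders is worth doing alongside this fix.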
@@ -52,6 +58,23 @@
     public MapInfoService() {
     }
 
+    protected static String getStringXPath(
+        String              query, 
+        Map<String, String> variables
+    ) {
+        return (String)XMLUtils.xpath(
+            Config.getConfig(), query, XPathConstants.STRING,
+            null, variables);
+    }
+
+    protected static Node getNodeXPath(
+        String              query, 
+        Map<String, String> variables
+    ) {
+        return (Node)XMLUtils.xpath(
+            Config.getConfig(), query, XPathConstants.NODE,
+            null, variables);
+    }
 
     public Document process(
         Document      data,
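Review bot: The new helpers `getStringXPath` and `getNodeXPath` have no Javadoc, so the rule they exist to enforce is not written down for the next caller. I would add to each something like `/** Evaluates a constant XPath against the configuration; request-derived values must be passed in variables and referenced as $name, never concatenated into query. */`. The bare `null` fourth argument to `XMLUtils.xpath` also deserves a short inline comment naming what it stands for (presumably the namespace context, to be confirmed against `XMLUtils`). A minor style point is the trailing space after `query,` in both signatures. `process()` starts at the end of this hunk and its body continues outside it.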
@@ -86,16 +109,18 @@
             root.appendChild(bbox);
         }
 
-        String xpathS  = XPATH_RIVER_PROJECTION.replace("%RIVER%", river);
-        String sridStr = Config.getStringXPath(xpathS);
+        Map<String, String> vars = new HashMap<String, String>();
+        vars.put("river", river);
+
+        String sridStr = getStringXPath(XPATH_RIVER_PROJECTION, vars);
+
         if (sridStr != null && sridStr.length() > 0) {
             Element srid = cr.create("srid");
             cr.addAttr(srid, "value", sridStr);
             root.appendChild(srid);
         }
 
-        String xpathB = XPATH_RIVER_BACKGROUND.replace("%RIVER%", river);
-        Element back  = (Element) Config.getNodeXPath(xpathB);
+        Element back = (Element)getNodeXPath(XPATH_RIVER_BACKGROUND, vars);
         if (back != null) {
             Element background = cr.create("background-wms");
             cr.addAttr(background, "url", back.getAttribute("url"));
@@ -103,8 +128,7 @@
             root.appendChild(background);
         }
 
-        String xpathWMS = XPATH_RIVER_WMS.replace("%RIVER%", river);
-        String wmsStr   = Config.getStringXPath(xpathWMS);
+        String wmsStr = getStringXPath(XPATH_RIVER_WMS, vars);
         if (wmsStr != null && wmsStr.length() > 0) {
             Element wms = cr.create("river-wms");
             cr.addAttr(wms, "url", wmsStr);
