From 384cd35c5298010386047b62d6db64916dd6689c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 18 Aug 2017 23:05:24 +0200
Subject: [PATCH] Added banner validation in InfoService.

Previously banner was only validated during server startup. Since
banner can be modified anytime, the InfoService has been changed
such that it validates the banner on each banner retrieval.

https://pagure.io/dogtagpki/issue/2671

Change-Id: I208f4c5b4ce2ce594e92acd4792aa03c729fa2cf
(cherry picked from commit 889a9c9efce62488f098fb96fcf4a1454c0b3bc2)
---
 .../src/org/dogtagpki/server/rest/InfoService.java | 27 +++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java b/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java
index 13581dd..5467bda 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/InfoService.java
@@ -20,12 +20,15 @@ package org.dogtagpki.server.rest;
 
 import javax.servlet.http.HttpSession;
 import javax.ws.rs.core.Response;
+import javax.xml.bind.UnmarshalException;
 
 import org.dogtagpki.common.Info;
 import org.dogtagpki.common.InfoResource;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import org.xml.sax.SAXParseException;
 
+import com.netscape.certsrv.base.PKIException;
 import com.netscape.cms.servlet.base.PKIService;
 
 /**
@@ -42,17 +45,39 @@ public class InfoService extends PKIService implements InfoResource {
         logger.debug("InfoService.getInfo(): session: " + session.getId());
 
         Info info = new Info();
-        info.setVersion(getVersion());
 
         boolean bannerDisplayed = session.getAttribute("bannerDisplayed") != null;
         boolean bannerEnabled = isBannerEnabled();
 
         // if banner not yet displayed in this session and it's enabled, return banner
         if (!bannerDisplayed && bannerEnabled) {
+
             String banner = getBanner();
             info.setBanner(banner);
+
+            // validate banner
+            try {
+                // converting Info object into XML
+                String xmlInfo = info.toString();
+
+                // and parse it back into Info object
+                info = Info.valueOf(xmlInfo);
+
+            } catch (UnmarshalException e) {
+                Throwable cause = e.getCause();
+                logger.error("InfoService: Invalid access banner: " + cause, e);
+
+                if (cause instanceof SAXParseException) {
+                    throw new PKIException("Banner contains invalid character(s)", e);
+                } else {
+                    throw new PKIException("Invalid access banner: " + cause, e);
+                }
+            }
         }
 
+        // add other info attributes after banner validation
+        info.setVersion(getVersion());
+
         return createOKResponse(info);
     }
 }
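Review bot: In the `else` branch of the new catch block, `"Invalid access banner: " + cause` copies the parser exception's class name and message into the PKIException text, which is presumably returned to the REST client, and it reads "Invalid access banner: null" when `getCause()` returns null. The detail is already logged on the `logger.error` line above, so the thrown message can stay generic: `throw new PKIException("Invalid access banner", e);`. Only `UnmarshalException` is caught, so a failure inside `info.toString()` or any other exception type from `Info.valueOf()` would bypass this handling; that is worth confirming against `Info`, which is not shown here. The body of `getInfo()` begins outside the hunk.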
-- 
1.8.3.1