Posted to commits@cxf.apache.org by re...@apache.org on 2022/11/30 22:58:10 UTC

[cxf] branch 3.5.x-fixes updated (1d90a3448a -> bff4eb1959)

This is an automated email from the ASF dual-hosted git repository.

reta pushed a change to branch 3.5.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


    from 1d90a3448a Recording .gitmergeinfo Changes
     new 425d642a4f Fix java.security.acl OSGi resolution for core
     new bff4eb1959 CXF-8706: CXF MTOM handler allow content injection (#960)

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 core/pom.xml                                       |  3 +-
 .../org/apache/cxf/attachment/AttachmentUtil.java  | 46 +++++++++++++++++-----
 .../cxf/attachment/AttachmentDeserializerTest.java | 21 ++++++++++
 systests/uncategorized/pom.xml                     |  9 +++++
 .../apache/cxf/systest/mtom/request-url-attachment |  2 +-
 5 files changed, 69 insertions(+), 12 deletions(-)


[cxf] 01/02: Fix java.security.acl OSGi resolution for core

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

reta pushed a commit to branch 3.5.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 425d642a4f14bf5e1ec1ffb0ea946b9fcc1ac395
Author: Andriy Redko <dr...@gmail.com>
AuthorDate: Sun Nov 27 15:29:14 2022 -0500

    Fix java.security.acl OSGi resolution for core
    
    (cherry picked from commit d15d0ef764215afaa9f8b10594019af3ba9c5cc0)
---
 core/pom.xml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/pom.xml b/core/pom.xml
index 164e6f83c0..43e472f911 100644
--- a/core/pom.xml
+++ b/core/pom.xml
@@ -66,7 +66,8 @@
             org.apache.aries*;version="${cxf.aries.version.range}";resolution:=optional,
             org.apache.karaf.jaas.boot.principal;resolution:=optional,
             org.apache.commons.logging;resolution:=optional,
-            !sun.misc
+            !sun.misc,
+            java.security.acl;resolution:=optional
         </cxf.osgi.import>
         <cxf.osgi.dynamic.import>
             org.apache.cxf.bus,org.apache.cxf.*,com.ctc.wstx.*,org.apache.karaf.jaas.boot.principal.*


[cxf] 02/02: CXF-8706: CXF MTOM handler allow content injection (#960)

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

reta pushed a commit to branch 3.5.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit bff4eb1959ecac3ddd5e824550497ef137479e26
Author: Andriy Redko <dr...@gmail.com>
AuthorDate: Wed Nov 30 17:04:20 2022 -0500

    CXF-8706: CXF MTOM handler allow content injection (#960)
    
    * CXF-8706: CXF MTOM handler allow content injection
    
    * Disable URLDataSource by default, always look inside attachments list by default
    
    * Address code review comments
    
    (cherry picked from commit 63388ffb81e4c8be64a9cce4a3efd1d145eeca7c)
---
 .../org/apache/cxf/attachment/AttachmentUtil.java  | 46 +++++++++++++++++-----
 .../cxf/attachment/AttachmentDeserializerTest.java | 21 ++++++++++
 systests/uncategorized/pom.xml                     |  9 +++++
 .../apache/cxf/systest/mtom/request-url-attachment |  2 +-
 4 files changed, 67 insertions(+), 11 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
index ce393ee54d..7ff0734645 100644
--- a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
+++ b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
@@ -57,6 +57,7 @@ import javax.activation.URLDataSource;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.helpers.FileUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.io.CachedOutputStream;
@@ -65,6 +66,9 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 
 public final class AttachmentUtil {
+    // The xop:include "href" attribute (https://www.w3.org/TR/xop10/#xop_href) may include 
+    // arbitrary URL which we should never follow (unless explicitly allowed).
+    public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = "org.apache.cxf.attachment.xop.follow.urls";
     public static final String BODY_ATTACHMENT_ID = "root.message@cxf.apache.org";
 
     static final String BINARY = "binary";
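Review bot: The new public constant `ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY` carries only an implementation comment, yet it is the opt-in switch that re-enables fetching an href URL with the server's own network and file access, so API readers should see that consequence in Javadoc rather than in a `//` comment. Suggest replacing the two-line comment with `/** System property (default {@code false}). When {@code true}, an {@code xop:Include} href that decodes to a URL is fetched by the server through {@link URLDataSource} instead of being resolved against the attachment list; enable only when clients are trusted. */`. The class body continues outside the hunk.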
@@ -546,24 +550,46 @@ public final class AttachmentUtil {
     }
 
     public static DataSource getAttachmentDataSource(String contentId, Collection<Attachment> atts) {
-        // Is this right? - DD
+        //
+        // RFC-2392 (https://datatracker.ietf.org/doc/html/rfc2392) says:
+        //
+        // A "cid" URL is converted to the corresponding Content-ID message
+        // header [MIME] by removing the "cid:" prefix, converting the % encoded
+        // character to their equivalent US-ASCII characters, and enclosing the
+        // remaining parts with an angle bracket pair, "<" and ">".  
+        //
         if (contentId.startsWith("cid:")) {
             try {
                 contentId = URLDecoder.decode(contentId.substring(4), StandardCharsets.UTF_8.name());
             } catch (UnsupportedEncodingException ue) {
                 contentId = contentId.substring(4);
             }
-            return loadDataSource(contentId, atts);
-        } else if (contentId.indexOf("://") == -1) {
-            return loadDataSource(contentId, atts);
-        } else {
-            try {
-                return new URLDataSource(new URL(contentId));
-            } catch (MalformedURLException e) {
-                throw new Fault(e);
+            
+            // href attribute information item: MUST be a valid URI per the cid: URI scheme (RFC 2392), 
+            // for example:
+            //
+            //   <xop:Include xmlns:xop='http://www.w3.org/2004/08/xop/include' href='cid:http://example.org/me.png'/>
+            // 
+            // See please https://www.w3.org/TR/xop10/
+            //
+            if (contentId.indexOf("://") == -1) {
+                return loadDataSource(contentId, atts);
+            } else {
+                try {
+                    final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+                        .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"));
+                    if (followUrls) {
+                        return new URLDataSource(new URL(contentId));
+                    } else {
+                        return loadDataSource(contentId, atts);
+                    }
+                } catch (MalformedURLException e) {
+                    throw new Fault(e);
+                }
             }
+        } else {
+            return loadDataSource(contentId, atts);
         }
-
     }
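Review bot: When the `org.apache.cxf.attachment.xop.follow.urls` opt-in is on, `new URLDataSource(new URL(contentId))` is constructed with no scheme check, so a client-supplied `cid:file:///...` or `jar:` href is read server-side with the same reach as any http(s) reference — the flag re-opens the SSRF/local-read path this commit closes, not only remote fetches. If the flag is meant for remote references, restrict the protocol and fall back to the attachment list otherwise; if every `java.net.URL` handler is intended, a comment at the `followUrls` branch saying so would at least make the exposure explicit. The Boolean parse and the scheme check sit inside a `try` that only catches `MalformedURLException`, which is fine since neither throws it. `loadDataSource` is declared on the hunk's last line and continues outside it.
```java
                    if (followUrls) {
                        final URL url = new URL(contentId);
                        // Opt-in is for remote references only: file:, jar: and other
                        // JVM handlers would read server-local resources on a client's behalf.
                        final String scheme = url.getProtocol();
                        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                            return loadDataSource(contentId, atts);
                        }
                        return new URLDataSource(url);
                    } else {
                        return loadDataSource(contentId, atts);
                    }
```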
 
     private static DataSource loadDataSource(String contentId, Collection<Attachment> atts) {
diff --git a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
index 717083e91b..b2d90c1093 100644
--- a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
+++ b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
@@ -33,6 +33,7 @@ import java.util.regex.Pattern;
 import java.util.stream.IntStream;
 
 import javax.activation.DataSource;
+import javax.activation.URLDataSource;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -49,9 +50,11 @@ import org.apache.cxf.message.XMLMessage;
 import org.junit.Before;
 import org.junit.Test;
 
+import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -783,4 +786,22 @@ public class AttachmentDeserializerTest {
         assertEquals("passwd", dataSource.getName());
     }
 
+    @Test
+    public void testCXF8706() {
+        final DataSource ds = AttachmentUtil
+            .getAttachmentDataSource("cid:http://image.com/1.gif", Collections.emptyList());
+        assertThat(ds, instanceOf(LazyDataSource.class));
+    }
+    
+    @Test
+    public void testCXF8706followUrl() {
+        System.setProperty(AttachmentUtil.ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "true");
+        try {
+            final DataSource ds = AttachmentUtil
+                .getAttachmentDataSource("cid:http://image.com/1.gif", Collections.emptyList());
+            assertThat(ds, instanceOf(URLDataSource.class));
+        } finally {
+            System.clearProperty(AttachmentUtil.ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY);
+        }
+    }
 }
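Review bot: Neither new test pins the `else` branch that the fix relies on — a non-`cid:` href containing `://` must never be followed even when the property is `true`, but `testCXF8706followUrl` only exercises the `cid:http://...` form. Add an assertion inside the same `try` block, `assertThat(AttachmentUtil.getAttachmentDataSource("http://image.com/1.gif", Collections.emptyList()), instanceOf(LazyDataSource.class));`, so a later refactor cannot quietly restore URL following for plain hrefs. `testCXF8706` also depends on the property being unset, so it will flake if the two tests run in parallel in one JVM; clearing the property in a `@Before` would make that explicit.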
diff --git a/systests/uncategorized/pom.xml b/systests/uncategorized/pom.xml
index b6f95a9984..54b4a73eeb 100644
--- a/systests/uncategorized/pom.xml
+++ b/systests/uncategorized/pom.xml
@@ -128,6 +128,15 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <systemPropertyVariables>
+                        <org.apache.cxf.attachment.xop.follow.urls>true</org.apache.cxf.attachment.xop.follow.urls>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <dependencies>
diff --git a/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment b/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
index 8d3b0d4ea0..0e4945a5c5 100755
--- a/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
+++ b/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
@@ -10,7 +10,7 @@ Content-ID: <echo.xml>
     <m:Data>
       <m:someData><xop:Include 
         xmlns:xop='http://www.w3.org/2004/08/xop/include' 
-        href='http://localhost:9036/policy.xsd'/>
+        href='cid:http://localhost:9036/policy.xsd'/>
       </m:someData>
     </m:Data>
   </m:echo>