Posted to commits@camel.apache.org by co...@apache.org on 2019/10/11 09:38:31 UTC

[camel] branch camel-2.x updated: Disable external entities for schematron component

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch camel-2.x
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/camel-2.x by this push:
     new 85043c3  Disable external entities for schematron component
85043c3 is described below

commit 85043c375d22f151e41aaa0a5f51ee1cf88a9300
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 11 10:37:17 2019 +0100

    Disable external entities for schematron component
---
 .../schematron/processor/SchematronProcessorFactory.java       | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
index 13f146e..1f098da 100644
--- a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
+++ b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
@@ -69,7 +69,15 @@ public final class SchematronProcessorFactory {
      */
     private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
         final SAXParserFactory fac = SAXParserFactory.newInstance();
-        fac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        try {
+            fac.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            fac.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            fac.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            fac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        } catch (ParserConfigurationException | SAXException ex) {
+            // LOG.debug("Error setting feature on parser: " +
+            // ex.getMessage());
+        }
         fac.setValidating(false);
         final SAXParser parser = fac.newSAXParser();
         XMLReader reader = parser.getXMLReader();
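Review bot: The new `catch (ParserConfigurationException | SAXException ex)` block is empty apart from a commented-out log call, so if any of the four `setFeature` calls is rejected the factory silently carries on and the reader is built without the remaining hardening; a failure of `FEATURE_SECURE_PROCESSING` used to propagate before this change. Because all four calls share one `try`, a parser that rejects an earlier feature also skips the later ones. `getXMLReader()` already declares both exception types, so the secure-processing and the two SAX entity features can be set outside the `try` and fail closed, leaving only the Xerces-specific `load-external-dtd` feature as best-effort, with the failure actually logged. The method body continues past the end of this hunk.

```java
    private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
        final SAXParserFactory fac = SAXParserFactory.newInstance();
        // Fail closed: a parser that cannot apply these must not be used on untrusted XML.
        fac.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
        fac.setFeature("http://xml.org/sax/features/external-general-entities", false);
        fac.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        try {
            // Xerces-specific feature; other SAX implementations may not recognise it.
            fac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException | SAXException ex) {
            // Report this through the class's logger instead of discarding it
            // (no logger field is visible in this hunk).
        }
        // … unchanged: setValidating(false), newSAXParser(), getXMLReader() …
```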