Posted to commits@camel.apache.org by co...@apache.org on 2019/10/11 09:56:08 UTC

[camel] branch camel-2.24.x updated: Disable external entities for schematron component

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch camel-2.24.x
in repository https://gitbox.apache.org/repos/asf/camel.git


The following commit(s) were added to refs/heads/camel-2.24.x by this push:
     new b2e6d10  Disable external entities for schematron component
b2e6d10 is described below

commit b2e6d10a50d3613179cf6c4655ff3b7e2d52a1d9
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Oct 11 10:37:17 2019 +0100

    Disable external entities for schematron component
---
 .../schematron/processor/SchematronProcessorFactory.java       | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
index 13f146e..1f098da 100644
--- a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
+++ b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
@@ -69,7 +69,15 @@ public final class SchematronProcessorFactory {
      */
     private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
         final SAXParserFactory fac = SAXParserFactory.newInstance();
-        fac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+        try {
+            fac.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+            fac.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            fac.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            fac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        } catch (ParserConfigurationException | SAXException ex) {
+            // LOG.debug("Error setting feature on parser: " +
+            // ex.getMessage());
+        }
         fac.setValidating(false);
         final SAXParser parser = fac.newSAXParser();
         XMLReader reader = parser.getXMLReader();
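
Review bot: the empty catch block around the four setFeature calls makes this hardening fail open: if the factory rejects a feature, the exception is discarded and getXMLReader() carries on to newSAXParser() with external entities possibly still enabled. The method already declares "throws ParserConfigurationException, SAXException", so the exception can simply propagate; if some parsers are expected to lack one of these features, log the failure at warn level instead of leaving the commented-out LOG.debug in place.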


Re: [camel] branch camel-2.24.x updated: Disable external entities for schematron component

Posted by Claus Ibsen <cl...@gmail.com>.
Hi Colm

Can you cherry pick this to camel-2.x branch also?
And I assume it should also be done for master branch.

Also it would be good to clean up the commented out code you have in
the catch block.

On Fri, Oct 11, 2019 at 11:56 AM <co...@apache.org> wrote:
>
> This is an automated email from the ASF dual-hosted git repository.
>
> coheigea pushed a commit to branch camel-2.24.x
> in repository https://gitbox.apache.org/repos/asf/camel.git
>
>
> The following commit(s) were added to refs/heads/camel-2.24.x by this push:
>      new b2e6d10  Disable external entities for schematron component
> b2e6d10 is described below
>
> commit b2e6d10a50d3613179cf6c4655ff3b7e2d52a1d9
> Author: Colm O hEigeartaigh <co...@apache.org>
> AuthorDate: Fri Oct 11 10:37:17 2019 +0100
>
>     Disable external entities for schematron component
> ---
>  .../schematron/processor/SchematronProcessorFactory.java       | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
> index 13f146e..1f098da 100644
> --- a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
> +++ b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
> @@ -69,7 +69,15 @@ public final class SchematronProcessorFactory {
>       */
>      private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
>          final SAXParserFactory fac = SAXParserFactory.newInstance();
> -        fac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> +        try {
> +            fac.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> +            fac.setFeature("http://xml.org/sax/features/external-general-entities", false);
> +            fac.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> +            fac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
> +        } catch (ParserConfigurationException | SAXException ex) {
> +            // LOG.debug("Error setting feature on parser: " +
> +            // ex.getMessage());
> +        }
>          fac.setValidating(false);
>          final SAXParser parser = fac.newSAXParser();
>          XMLReader reader = parser.getXMLReader();
>
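
Review bot: all four setFeature calls sit in one try block, so a failure on the first one (FEATURE_SECURE_PROCESSING) skips the external-general-entities, external-parameter-entities and load-external-dtd settings that follow it. Setting each feature in its own try, or looping over the feature names, keeps one unsupported feature from preventing the others from being applied. As a style point, the added line spells out javax.xml.XMLConstants where the removed line used the unqualified XMLConstants; if the existing import is javax.xml.XMLConstants, the short name is enough.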


-- 
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2