You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@camel.apache.org by co...@apache.org on 2019/11/06 20:09:24 UTC
[camel] 01/02: Disallowing DocTypes in a few places
This is an automated email from the ASF dual-hosted git repository.
coheigea pushed a commit to branch camel-2.x
in repository https://gitbox.apache.org/repos/asf/camel.git
commit 38815b521aa4bd5fd00c7c62199127958749ae56
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Tue Nov 5 09:45:43 2019 +0000
Disallowing DocTypes in a few places
---
.../src/main/java/org/apache/camel/util/XmlLineNumberParser.java | 6 ++++--
.../java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java | 3 ++-
.../java/org/apache/camel/component/flatpack/FlatpackConverter.java | 4 +++-
.../java/org/apache/camel/parser/helper/XmlLineNumberParser.java | 6 ++++--
.../java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java | 1 +
.../src/main/java/org/apache/camel/maven/RouteCoverageMojo.java | 3 +++
.../org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java | 1 +
.../org/apache/camel/maven/packaging/SpringBootStarterMojo.java | 1 +
8 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java b/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
index 7c01d8a..43ae6dd 100644
--- a/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
+++ b/camel-core/src/main/java/org/apache/camel/util/XmlLineNumberParser.java
@@ -108,19 +108,21 @@ public final class XmlLineNumberParser {
final Document doc;
SAXParser parser;
final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
parser = factory.newSAXParser();
final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// turn off validator and loading external dtd
dbf.setValidating(false);
dbf.setNamespaceAware(true);
- dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setFeature("http://xml.org/sax/features/namespaces", false);
dbf.setFeature("http://xml.org/sax/features/validation", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
final DocumentBuilder docBuilder = dbf.newDocumentBuilder();
doc = docBuilder.newDocument();
diff --git a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
index 64bb92d..8c962ce 100644
--- a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
+++ b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
@@ -91,7 +91,8 @@ public class CMSenderOneMessageImpl implements CMSender {
final ByteArrayOutputStream xml = new ByteArrayOutputStream();
final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setNamespaceAware(true);
// Get the DocumentBuilder
diff --git a/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java b/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
index 335861b..600cbb9 100644
--- a/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
+++ b/components/camel-flatpack/src/main/java/org/apache/camel/component/flatpack/FlatpackConverter.java
@@ -65,7 +65,9 @@ public final class FlatpackConverter {
@Converter
public static Document toDocument(DataSet dataSet) throws ParserConfigurationException {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
Document doc = dbf.newDocumentBuilder().newDocument();
if (dataSet.getIndex() == -1) {
diff --git a/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java b/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
index 129740b..1f08bb5 100644
--- a/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
+++ b/tooling/camel-route-parser/src/main/java/org/apache/camel/parser/helper/XmlLineNumberParser.java
@@ -88,19 +88,21 @@ public final class XmlLineNumberParser {
final Document doc;
SAXParser parser;
final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
parser = factory.newSAXParser();
final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// turn off validator and loading external dtd
dbf.setValidating(false);
dbf.setNamespaceAware(true);
- dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
dbf.setFeature("http://xml.org/sax/features/namespaces", false);
dbf.setFeature("http://xml.org/sax/features/validation", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
final DocumentBuilder docBuilder = dbf.newDocumentBuilder();
doc = docBuilder.newDocument();
diff --git a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
index aeda649..dc730bd 100644
--- a/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
+++ b/tooling/maven/bom-generator-maven-plugin/src/main/java/org/apache/camel/maven/bom/generator/BomGeneratorMojo.java
@@ -188,6 +188,7 @@ public class BomGeneratorMojo extends AbstractMojo {
private Document loadBasePom() throws Exception {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document pom = builder.parse(sourcePom);
diff --git a/tooling/maven/camel-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java b/tooling/maven/camel-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java
index 5123a8b..b77f491 100644
--- a/tooling/maven/camel-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java
+++ b/tooling/maven/camel-maven-plugin/src/main/java/org/apache/camel/maven/RouteCoverageMojo.java
@@ -481,6 +481,9 @@ public class RouteCoverageMojo extends AbstractExecMojo {
private static Document createDocument() throws ParserConfigurationException {
Document document = null;
DocumentBuilderFactory documentFactory = DocumentBuilderFactory.newInstance();
+ documentFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ documentFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
DocumentBuilder documentBuilder = documentFactory.newDocumentBuilder();
document = documentBuilder.newDocument();
diff --git a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
index e9e1e05..3d8745b 100644
--- a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
+++ b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/PrepareCatalogKarafMojo.java
@@ -627,6 +627,7 @@ public class PrepareCatalogKarafMojo extends AbstractMojo {
InputStream is = new FileInputStream(new File(featuresDir, "features.xml"));
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setIgnoringComments(true);
dbf.setIgnoringElementContentWhitespace(true);
dbf.setNamespaceAware(false);
diff --git a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
index e5bbc88..d742935 100644
--- a/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
+++ b/tooling/maven/camel-package-maven-plugin/src/main/java/org/apache/camel/maven/packaging/SpringBootStarterMojo.java
@@ -250,6 +250,7 @@ public class SpringBootStarterMojo extends AbstractMojo {
if (project.getFile() != null) {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder builder = dbf.newDocumentBuilder();
Document originalPom = builder.parse(project.getFile());