Posted to batik-commits@xmlgraphics.apache.org by ss...@apache.org on 2022/11/03 15:04:52 UTC

svn commit: r1905049 - in /xmlgraphics/batik/trunk: batik-bridge/src/main/java/org/apache/batik/bridge/ batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/ batik-transcoder/src/main/java/org/apache/batik/transcoder/

Author: ssteiner
Date: Thu Nov  3 15:04:52 2022
New Revision: 1905049

URL: http://svn.apache.org/viewvc?rev=1905049&view=rev
Log:
BATIK-1349: Block loading external resource by default

Modified:
    xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
    xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
    xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
    xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java

Modified: xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java?rev=1905049&r1=1905048&r2=1905049&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java (original)
+++ xmlgraphics/batik/trunk/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java Thu Nov  3 15:04:52 2022
@@ -77,6 +77,9 @@ public class DefaultExternalResourceSecu
                                            ParsedURL docURL){
         // Make sure that the archives comes from the same host
         // as the document itself
+        if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
+            return;
+        }
         if (docURL == null) {
             se = new SecurityException
                 (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
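Review bot: The added `DATA_PROTOCOL.equals(externalResourceURL.getProtocol())` check dereferences `externalResourceURL` before anything visible in this hunk has tested it for null, and it sits under a comment that still describes only the same-host rule. If a null URL can reach this constructor, the guard should read `if (externalResourceURL != null && DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {`. The early return also skips the `docURL == null` rejection just below, which deserves a comment of its own, for example `// data: URLs carry their content inline, so no host is contacted and the same-host check does not apply`. The constructor starts and ends outside the hunk, so an earlier null check may exist that is not shown here.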

Modified: xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java?rev=1905049&r1=1905048&r2=1905049&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java (original)
+++ xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java Thu Nov  3 15:04:52 2022
@@ -501,11 +501,11 @@ public class Main implements SVGConverte
     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
 
-    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
-            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
+    public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES
+            = Messages.get("Main.cl.option.allow.external.resources", "-allowExternalResources");
 
-    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
-            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
+    public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION
+            = Messages.get("Main.cl.option.allow.external.resources.description", "No description");
 
     /**
      * Option to turn off secure execution of scripts
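Review bot: The two new `Messages.get(...)` keys, `Main.cl.option.allow.external.resources` and its `.description` variant, have no matching resource-bundle change in this commit's Modified list. Unless the bundle already defines them, the usage text for the flag will presumably fall back to "No description". For a switch that widens what the rasterizer will load, the help text is where an operator learns what is being enabled, so the properties entries should land with the rename. The new constants also lack the Javadoc that the following option carries; `/** Option to allow loading of external resources, which are blocked by default */` would match the neighbouring style.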
@@ -836,14 +836,14 @@ public class Main implements SVGConverte
                           }
                       });
 
-        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
+        optionMap.put(CL_OPTION_ALLOW_EXTERNAL_RESOURCES,
                 new NoValueOptionHandler(){
                     public void handleOption(SVGConverter c){
-                        c.allowExternalResources = false;
+                        c.allowExternalResources = true;
                     }
 
                     public String getOptionDescription(){
-                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
+                        return CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION;
                     }
                 });
     }
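Review bot: The handler that sets `c.allowExternalResources = true` has no comment saying that it is the opt-in which lifts the default block. The old `-blockExternalResources` flag also disappears with it, so command lines that still pass that flag are presumably no longer parsed as an option. I would add `// Opt-in: lifts the default block on external resources; intended for trusted input only` above the `optionMap.put` call and record the removed flag in the release notes so hardened invocations get updated. The enclosing method starts outside the hunk.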

Modified: xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java?rev=1905049&r1=1905048&r2=1905049&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java (original)
+++ xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java Thu Nov  3 15:04:52 2022
@@ -253,7 +253,7 @@ public class SVGConverter {
         the document which references them. */
     protected boolean constrainScriptOrigin = true;
 
-    protected boolean allowExternalResources = true;
+    protected boolean allowExternalResources;
 
     /** Controls whether scripts should be run securely or not */
     protected boolean securityOff = false;
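Review bot: The security default on `allowExternalResources` is now carried by Java's implicit field initialisation, while the neighbouring `constrainScriptOrigin = true` and `securityOff = false` spell their values out and have a doc comment. Writing `protected boolean allowExternalResources = false;` makes the secure default visible at the declaration and harder to flip by accident. A matching comment would help too, for example `/** Controls whether external resources may be loaded; blocked unless explicitly enabled */`.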
@@ -927,8 +927,8 @@ public class SVGConverter {
             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
         }
 
-        if (!allowExternalResources) {
-            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
+        if (allowExternalResources) {
+            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.TRUE);
         }
 
         return map;
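Review bot: The converter writes `KEY_ALLOW_EXTERNAL_RESOURCES` only when the flag is set, so the blocked case depends entirely on how the transcoder treats a missing hint. Putting the value unconditionally, `map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.valueOf(allowExternalResources));`, would keep the rasterizer's posture explicit even if a transcoder subclass or a later change picks a different default. The method body starts outside the hunk, and the conditional form does mirror the `KEY_CONSTRAIN_SCRIPT_ORIGIN` handling just above, so this is a hardening suggestion rather than a defect.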

Modified: xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java?rev=1905049&r1=1905048&r2=1905049&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java (original)
+++ xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java Thu Nov  3 15:04:52 2022
@@ -32,11 +32,11 @@ import org.apache.batik.anim.dom.SVGOMDo
 import org.apache.batik.bridge.BaseScriptingEnvironment;
 import org.apache.batik.bridge.BridgeContext;
 import org.apache.batik.bridge.BridgeException;
+import org.apache.batik.bridge.DefaultExternalResourceSecurity;
 import org.apache.batik.bridge.DefaultScriptSecurity;
 import org.apache.batik.bridge.ExternalResourceSecurity;
 import org.apache.batik.bridge.GVTBuilder;
 import org.apache.batik.bridge.NoLoadScriptSecurity;
-import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
 import org.apache.batik.bridge.RelaxedScriptSecurity;
 import org.apache.batik.bridge.SVGUtilities;
 import org.apache.batik.bridge.ScriptSecurity;
@@ -1118,7 +1118,7 @@ public abstract class SVGAbstractTransco
             if (isAllowExternalResources()) {
                 return super.getExternalResourceSecurity(resourceURL, docURL);
             }
-            return new NoLoadExternalResourceSecurity();
+            return new DefaultExternalResourceSecurity(resourceURL, docURL);
         }
 
         public boolean isAllowExternalResources() {
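Review bot: When external resources are not allowed, the fallback is now `new DefaultExternalResourceSecurity(resourceURL, docURL)` instead of `NoLoadExternalResourceSecurity`. "Blocked by default" therefore means whatever that class permits, not no loading at all. Going by the comment and the `data:` exemption in the first file of this commit, that is a same-host policy. It is worth confirming how it treats documents and resources that have no host component, such as local file URLs, before relying on it for untrusted SVG. I would state the intent above the return, for example `// Not explicitly allowed: fall back to the same-host policy (data: URLs and same-origin resources still load)`. `getExternalResourceSecurity` starts outside the hunk.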
@@ -1126,7 +1126,7 @@ public abstract class SVGAbstractTransco
             if (b != null) {
                 return b;
             }
-            return true;
+            return false;
         }
     }
 }