Posted to commits@cxf.apache.org by re...@apache.org on 2022/11/30 23:36:06 UTC

[cxf] branch 3.4.x-fixes updated (04dccdeda4 -> bd514b4e8b)

This is an automated email from the ASF dual-hosted git repository.

reta pushed a change to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git


    from 04dccdeda4 Recording .gitmergeinfo Changes
     new 276f2a8720 CXF-8706: CXF MTOM handler allow content injection (#960)
     new bd514b4e8b Recording .gitmergeinfo Changes

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .gitmergeinfo                                      |  2 +
 .../org/apache/cxf/attachment/AttachmentUtil.java  | 46 +++++++++++++++++-----
 .../cxf/attachment/AttachmentDeserializerTest.java | 21 ++++++++++
 systests/uncategorized/pom.xml                     |  9 +++++
 .../apache/cxf/systest/mtom/request-url-attachment |  2 +-
 5 files changed, 69 insertions(+), 11 deletions(-)


[cxf] 02/02: Recording .gitmergeinfo Changes

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

reta pushed a commit to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit bd514b4e8bf1b344f705c141462a2a272ea2f4cf
Author: Andriy Redko <dr...@gmail.com>
AuthorDate: Wed Nov 30 17:58:21 2022 -0500

    Recording .gitmergeinfo Changes
---
 .gitmergeinfo | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitmergeinfo b/.gitmergeinfo
index 76492ebe4c..7fa12eb355 100644
--- a/.gitmergeinfo
+++ b/.gitmergeinfo
@@ -310,6 +310,7 @@ M 401fd5c8587d1bd4240a13b94d6a3ae5c3880597
 M 40c300d07abf9a6c073900c4779f8daf847d849c
 M 4162189dabdb22aec54dc3c5ae93cf42b0575d3d
 M 420f6f35915cbd50cc175a6a10359125516b0213
+M 425d642a4f14bf5e1ec1ffb0ea946b9fcc1ac395
 M 426210e57897a73314bbb2746246300b24cd3925
 M 42c6b5c7d2bb5887ba3c19cbf26de76c0e96f721
 M 4305454bd25c47424ddaa8ded6270fdd08b61bea
@@ -498,6 +499,7 @@ M bc5d02a1823de215646508b22976358b1905adab
 M bd0cbb621f42899f64d4d769376c1c9218c9e3d4
 M bde90079207ea06b8e01e7f75ce75aa2bee8ac9e
 M bfc509c206d67124d3f0ae46cea6963cabb8f3ca
+M bff4eb1959ecac3ddd5e824550497ef137479e26
 M c02e932e97b8580eaa80e7152f633741bc49334f
 M c0690e1fa57e0231461c9dd644d6b3c80852eef9
 M c070a8f50d83b82d864884020a64d1d67f5e7c95


[cxf] 01/02: CXF-8706: CXF MTOM handler allow content injection (#960)

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

reta pushed a commit to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 276f2a8720a6edab13010f657acd3f7bc249ca59
Author: Andriy Redko <dr...@gmail.com>
AuthorDate: Wed Nov 30 17:04:20 2022 -0500

    CXF-8706: CXF MTOM handler allow content injection (#960)
    
    * CXF-8706: CXF MTOM handler allow content injection
    
    * Disable URLDataSource by default, always look inside attachments list by default
    
    * Address code review comments
    
    (cherry picked from commit 63388ffb81e4c8be64a9cce4a3efd1d145eeca7c)
    (cherry picked from commit bff4eb1959ecac3ddd5e824550497ef137479e26)
---
 .../org/apache/cxf/attachment/AttachmentUtil.java  | 46 +++++++++++++++++-----
 .../cxf/attachment/AttachmentDeserializerTest.java | 21 ++++++++++
 systests/uncategorized/pom.xml                     |  9 +++++
 .../apache/cxf/systest/mtom/request-url-attachment |  2 +-
 4 files changed, 67 insertions(+), 11 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
index 9db5934c52..942c3a9833 100644
--- a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
+++ b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
@@ -57,6 +57,7 @@ import javax.activation.URLDataSource;
 
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.helpers.FileUtils;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.io.CachedOutputStream;
@@ -65,6 +66,9 @@ import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
 
 public final class AttachmentUtil {
+    // The xop:include "href" attribute (https://www.w3.org/TR/xop10/#xop_href) may include 
+    // arbitrary URL which we should never follow (unless explicitly allowed).
+    public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = "org.apache.cxf.attachment.xop.follow.urls";
     public static final String BODY_ATTACHMENT_ID = "root.message@cxf.apache.org";
 
     private static final Logger LOG = LogUtils.getL7dLogger(AttachmentUtil.class);
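Review bot: The new public constant `ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY` is documented only by a `//` comment, so the name, value type and default of the switch are not visible in the generated API docs even though callers will be told to set it. I would turn the comment into Javadoc stating that it names a JVM system property read as a boolean, that it defaults to `false`, and that when set to `true` an `xop:Include` href of the form `cid:<url>` is resolved by fetching the URL instead of being looked up in the attachment list (the behaviour this commit disables by default). Also "may include arbitrary URL" reads better as "may contain an arbitrary URL", and the two comment lines carry trailing whitespace.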
@@ -540,24 +544,46 @@ public final class AttachmentUtil {
     }
 
     public static DataSource getAttachmentDataSource(String contentId, Collection<Attachment> atts) {
-        // Is this right? - DD
+        //
+        // RFC-2392 (https://datatracker.ietf.org/doc/html/rfc2392) says:
+        //
+        // A "cid" URL is converted to the corresponding Content-ID message
+        // header [MIME] by removing the "cid:" prefix, converting the % encoded
+        // character to their equivalent US-ASCII characters, and enclosing the
+        // remaining parts with an angle bracket pair, "<" and ">".  
+        //
         if (contentId.startsWith("cid:")) {
             try {
                 contentId = URLDecoder.decode(contentId.substring(4), StandardCharsets.UTF_8.name());
             } catch (UnsupportedEncodingException ue) {
                 contentId = contentId.substring(4);
             }
-            return loadDataSource(contentId, atts);
-        } else if (contentId.indexOf("://") == -1) {
-            return loadDataSource(contentId, atts);
-        } else {
-            try {
-                return new URLDataSource(new URL(contentId));
-            } catch (MalformedURLException e) {
-                throw new Fault(e);
+            
+            // href attribute information item: MUST be a valid URI per the cid: URI scheme (RFC 2392), 
+            // for example:
+            //
+            //   <xop:Include xmlns:xop='http://www.w3.org/2004/08/xop/include' href='cid:http://example.org/me.png'/>
+            // 
+            // See please https://www.w3.org/TR/xop10/
+            //
+            if (contentId.indexOf("://") == -1) {
+                return loadDataSource(contentId, atts);
+            } else {
+                try {
+                    final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+                        .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"));
+                    if (followUrls) {
+                        return new URLDataSource(new URL(contentId));
+                    } else {
+                        return loadDataSource(contentId, atts);
+                    }
+                } catch (MalformedURLException e) {
+                    throw new Fault(e);
+                }
             }
+        } else {
+            return loadDataSource(contentId, atts);
         }
-
     }
 
     private static DataSource loadDataSource(String contentId, Collection<Attachment> atts) {
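Review bot: The property read on the lines `final boolean followUrls = Boolean.valueOf(SystemPropertyAction.getProperty(...))` sits inside a `try` whose only checked exception, `MalformedURLException`, can come from `new URL(contentId)`; hoisting it above the `try` and using `Boolean.parseBoolean(...)` avoids both the misleading scope and the boxing. When the flag is off, the URL-shaped id is handed to `loadDataSource(contentId, atts)` with no trace, so a failing MTOM request is hard to diagnose; a `LOG.fine("Not following xop:include href " + contentId + " because " + ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY + " is not enabled")` in that `else` branch would tell operators why the attachment was not resolved. If the opt-in is meant to restore only remote HTTP fetching, note that `new URL(contentId)` accepts any scheme the JDK registers, so either a scheme check before constructing the `URLDataSource` or a sentence on the property's Javadoc saying that all schemes are followed would make the contract explicit. The `// Is this right? - DD` question was removed, which is fine, but the RFC 2392 block comment would read more clearly as a `/* */` comment on the method rather than interleaved `//` lines.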
diff --git a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
index 717083e91b..b2d90c1093 100644
--- a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
+++ b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
@@ -33,6 +33,7 @@ import java.util.regex.Pattern;
 import java.util.stream.IntStream;
 
 import javax.activation.DataSource;
+import javax.activation.URLDataSource;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 
@@ -49,9 +50,11 @@ import org.apache.cxf.message.XMLMessage;
 import org.junit.Before;
 import org.junit.Test;
 
+import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
@@ -783,4 +786,22 @@ public class AttachmentDeserializerTest {
         assertEquals("passwd", dataSource.getName());
     }
 
+    @Test
+    public void testCXF8706() {
+        final DataSource ds = AttachmentUtil
+            .getAttachmentDataSource("cid:http://image.com/1.gif", Collections.emptyList());
+        assertThat(ds, instanceOf(LazyDataSource.class));
+    }
+    
+    @Test
+    public void testCXF8706followUrl() {
+        System.setProperty(AttachmentUtil.ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "true");
+        try {
+            final DataSource ds = AttachmentUtil
+                .getAttachmentDataSource("cid:http://image.com/1.gif", Collections.emptyList());
+            assertThat(ds, instanceOf(URLDataSource.class));
+        } finally {
+            System.clearProperty(AttachmentUtil.ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY);
+        }
+    }
 }
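Review bot: `testCXF8706followUrl` sets a JVM-wide system property and unconditionally clears it in `finally`, so a value supplied externally (for example via surefire `systemPropertyVariables`, as the sibling pom change does) is lost for tests that run afterwards in the same JVM, and `testCXF8706` only passes if nothing else has set the flag. Capture the previous value with `final String previous = System.setProperty(AttachmentUtil.ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "true");` and restore it in `finally` with `if (previous == null) { System.clearProperty(...); } else { System.setProperty(..., previous); }`. A one-line comment on `testCXF8706` saying it relies on the property being unset (the default) would make the coupling between the two tests explicit.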
diff --git a/systests/uncategorized/pom.xml b/systests/uncategorized/pom.xml
index 250ba5d437..5c799b8555 100644
--- a/systests/uncategorized/pom.xml
+++ b/systests/uncategorized/pom.xml
@@ -128,6 +128,15 @@
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <configuration>
+                    <systemPropertyVariables>
+                        <org.apache.cxf.attachment.xop.follow.urls>true</org.apache.cxf.attachment.xop.follow.urls>
+                    </systemPropertyVariables>
+                </configuration>
+            </plugin>
         </plugins>
     </build>
     <dependencies>
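Review bot: The added surefire block re-enables URL following for every test in the module without saying why, which invites copying the setting into other builds or runtime configuration. An XML comment above the `<plugin>` element such as `<!-- CXF-8706: the MTOM systest fixture references an xop:Include href of the form cid:<url>; URL fetching is disabled by default, so it is opted back in for this test module only -->` would record the intent. If only the MTOM tests need it, scoping the property to that test class (or a dedicated execution) would keep the rest of the module running with the secure default, though I cannot tell from the hunk whether other tests in the module depend on it.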
diff --git a/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment b/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
index 8d3b0d4ea0..0e4945a5c5 100755
--- a/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
+++ b/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
@@ -10,7 +10,7 @@ Content-ID: <echo.xml>
     <m:Data>
       <m:someData><xop:Include 
         xmlns:xop='http://www.w3.org/2004/08/xop/include' 
-        href='http://localhost:9036/policy.xsd'/>
+        href='cid:http://localhost:9036/policy.xsd'/>
       </m:someData>
     </m:Data>
   </m:echo>