You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@camel.apache.org by da...@apache.org on 2018/04/16 08:58:44 UTC
[camel] 01/02: CAMEL-12444: Improved DTD handling in validator
component.
This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch camel-2.20.x
in repository https://gitbox.apache.org/repos/asf/camel.git
commit 3fe03e361725b66c1c3eaa40bb11577fb3dc17b3
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Mon Apr 16 10:55:24 2018 +0200
CAMEL-12444: Improved DTD handling in validator component.
---
.../org/apache/camel/processor/validation/SchemaReader.java | 1 +
.../camel/processor/validation/ValidatingProcessor.java | 13 +++++++++++++
2 files changed, 14 insertions(+)
diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java b/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
index ac42cc9..c77aea0 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
@@ -175,6 +175,7 @@ public class SchemaReader {
}
if (camelContext == null || !Boolean.parseBoolean(camelContext.getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
try {
+ LOG.debug("Configuring SchemaFactory to not allow access to external DTD/Schema");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
} catch (SAXException e) {
LOG.warn(e.getMessage(), e);
diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java b/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
index 96b3db8..8bba7e7 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
@@ -22,6 +22,7 @@ import java.io.InputStream;
import java.net.URL;
import java.util.Collections;
+import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
@@ -53,6 +54,8 @@ import org.apache.camel.util.IOHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
+import static org.apache.camel.processor.validation.SchemaReader.ACCESS_EXTERNAL_DTD;
+
/**
* A processor which validates the XML version of the inbound message body
* against some schema either in XSD or RelaxNG
@@ -100,6 +103,16 @@ public class ValidatingProcessor implements AsyncProcessor {
}
Validator validator = schema.newValidator();
+ // turn off access to external schema by default
+ if (!Boolean.parseBoolean(exchange.getContext().getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
+ try {
+ LOG.debug("Configuring Validator to not allow access to external DTD/Schema");
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXException e) {
+ LOG.warn(e.getMessage(), e);
+ }
+ }
// the underlying input stream, which we need to close to avoid locking files or other resources
Source source = null;
--
To stop receiving notification emails like this one, please contact
davsclaus@apache.org.