You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@camel.apache.org by da...@apache.org on 2018/04/16 08:58:44 UTC

[camel] 01/02: CAMEL-12444: Improved DTD handling in validator component.

This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch camel-2.20.x
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 3fe03e361725b66c1c3eaa40bb11577fb3dc17b3
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Mon Apr 16 10:55:24 2018 +0200

    CAMEL-12444: Improved DTD handling in validator component.
---
 .../org/apache/camel/processor/validation/SchemaReader.java |  1 +
 .../camel/processor/validation/ValidatingProcessor.java     | 13 +++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java b/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
index ac42cc9..c77aea0 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
@@ -175,6 +175,7 @@ public class SchemaReader {
         }  
         if (camelContext == null || !Boolean.parseBoolean(camelContext.getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
             try {
+                LOG.debug("Configuring SchemaFactory to not allow access to external DTD/Schema");
                 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
             } catch (SAXException e) {
                 LOG.warn(e.getMessage(), e);
diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java b/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
index 96b3db8..8bba7e7 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
@@ -22,6 +22,7 @@ import java.io.InputStream;
 import java.net.URL;
 import java.util.Collections;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
@@ -53,6 +54,8 @@ import org.apache.camel.util.IOHelper;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static org.apache.camel.processor.validation.SchemaReader.ACCESS_EXTERNAL_DTD;
+
 /**
  * A processor which validates the XML version of the inbound message body
  * against some schema either in XSD or RelaxNG
@@ -100,6 +103,16 @@ public class ValidatingProcessor implements AsyncProcessor {
         }
 
         Validator validator = schema.newValidator();
+        // turn off access to external schema by default
+        if (!Boolean.parseBoolean(exchange.getContext().getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
+            try {
+                LOG.debug("Configuring Validator to not allow access to external DTD/Schema");
+                validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            } catch (SAXException e) {
+                LOG.warn(e.getMessage(), e);
+            }
+        }
 
         // the underlying input stream, which we need to close to avoid locking files or other resources
         Source source = null;

-- 
To stop receiving notification emails like this one, please contact
davsclaus@apache.org.