Posted to commits@syncope.apache.org by il...@apache.org on 2019/10/24 14:11:47 UTC

[syncope] branch 2_0_X updated: Disallow external DTDs/Stylesheets in a few places where we definately don't neeed them (#136)

This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 2_0_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/2_0_X by this push:
     new e8544a4  Disallow external DTDs/Stylesheets in a few places where we definately don't neeed them (#136)
e8544a4 is described below

commit e8544a4d0bee6df39774f7bb0fd4bc5da4ea4d8d
Author: Colm O hEigeartaigh <co...@users.noreply.github.com>
AuthorDate: Thu Oct 24 15:01:40 2019 +0100

    Disallow external DTDs/Stylesheets in a few places where we definitely don't need them (#136)
---
 .../java/org/apache/syncope/core/logic/init/CamelRouteLoader.java  | 6 ++++++
 .../org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java     | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java b/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
index 8317589..c0e41f4 100644
--- a/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
+++ b/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
@@ -155,6 +155,12 @@ public class CamelRouteLoader implements SyncopeLoader {
                 if (IS_JBOSS) {
                     tf = TransformerFactory.newInstance();
                     tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                    try {
+                        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                    } catch (IllegalArgumentException ex) {
+                        LOG.debug("The JAXP parser does not support the following attribute: ", ex);
+                    }
                     tf.setURIResolver(new VoidURIResolver());
 
                     Document doc = StaxUtils.read(resource.getInputStream());
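Review bot: The two `tf.setAttribute` calls share one try block, so if the factory rejects `ACCESS_EXTERNAL_DTD` with an IllegalArgumentException the `ACCESS_EXTERNAL_STYLESHEET` restriction is never attempted, and the debug message "does not support the following attribute: " names neither attribute, so a partially hardened factory is hard to diagnose from the log; the same applies to the SAML2ReaderWriter hunk. Setting each attribute in its own try and logging which one was refused keeps the two restrictions independent; assuming LOG is SLF4J, the trailing `ex` argument is still rendered as the exception. Whether the non-JBoss branch also builds a TransformerFactory that needs the same attributes cannot be seen from here, and the enclosing method starts outside the hunk.
```java
                    // … unchanged: tf = TransformerFactory.newInstance(); setFeature(FEATURE_SECURE_PROCESSING) …
                    for (String attribute : new String[] {
                        XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET }) {
                        try {
                            tf.setAttribute(attribute, "");
                        } catch (IllegalArgumentException ex) {
                            LOG.debug("The JAXP parser does not support the attribute {}", attribute, ex);
                        }
                    }
                    // … unchanged: tf.setURIResolver(new VoidURIResolver()); …
```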
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index b41fa76..d84d252 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -84,6 +84,13 @@ public class SAML2ReaderWriter {
         } catch (TransformerConfigurationException e) {
             LOG.error("Could not enable secure XML processing", e);
         }
+
+        try {
+            TRANSFORMER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            TRANSFORMER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException ex) {
+             LOG.debug("The JAXP parser does not support the following attribute: ", ex);
+        }
     }
 
     @Autowired
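Review bot: The `LOG.debug(...)` line inside the new catch block is indented one space deeper than the surrounding block (13 spaces where the rest of the initializer uses multiples of 4), which will trip a checkstyle indentation rule if the project enforces one; align it with the `try` line as `            LOG.debug("The JAXP parser does not support the following attribute: ", ex);`. The static initializer this sits in begins outside the hunk.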