Posted to batik-commits@xmlgraphics.apache.org by ss...@apache.org on 2019/12/09 12:24:18 UTC

svn commit: r1871084 - in /xmlgraphics/batik/trunk: batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/ batik-transcoder/src/main/java/org/apache/batik/transcoder/

Author: ssteiner
Date: Mon Dec  9 12:24:18 2019
New Revision: 1871084

URL: http://svn.apache.org/viewvc?rev=1871084&view=rev
Log:
BATIK-1276: Allow blocking of external resources

Modified:
    xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
    xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
    xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java

Modified: xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java?rev=1871084&r1=1871083&r2=1871084&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java (original)
+++ xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java Mon Dec  9 12:24:18 2019
@@ -501,6 +501,12 @@ public class Main implements SVGConverte
     public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
         = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
 
+    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
+            = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
+
+    public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
+            = Messages.get("Main.cl.option.block.external.resources.description", "No description");
+
     /**
      * Option to turn off secure execution of scripts
      */
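Review bot: The new option's help text will probably read "No description", because `CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION` falls back to that string and the Modified list of this revision contains only three Java files. Unless the resource bundle behind `Messages` already has the keys `Main.cl.option.block.external.resources` and `Main.cl.option.block.external.resources.description`, users listing the options get no explanation of a security-relevant switch. Add both keys to the bundle in the same change, with a description that says the flag stops the rasterizer from loading resources referenced by the document.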
@@ -829,6 +835,17 @@ public class Main implements SVGConverte
                               return CL_OPTION_SECURITY_OFF_DESCRIPTION;
                           }
                       });
+
+        optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
+                new NoValueOptionHandler(){
+                    public void handleOption(SVGConverter c){
+                        c.allowExternalResources = false;
+                    }
+
+                    public String getOptionDescription(){
+                        return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
+                    }
+                });
     }
 
     /**
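Review bot: The handler sets `c.allowExternalResources = false;` by writing the protected field directly, and the SVGConverter hunks of this commit add the field without any accessor. That works only because Main is in the same package; code that drives SVGConverter from another package has no way to turn blocking on short of subclassing. Consider adding `public void setAllowExternalResources(boolean allow)` with a matching getter to SVGConverter and calling `c.setAllowExternalResources(false);` here. The method that fills `optionMap` starts outside the hunk.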

Modified: xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java?rev=1871084&r1=1871083&r2=1871084&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java (original)
+++ xmlgraphics/batik/trunk/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java Mon Dec  9 12:24:18 2019
@@ -253,6 +253,8 @@ public class SVGConverter {
         the document which references them. */
     protected boolean constrainScriptOrigin = true;
 
+    protected boolean allowExternalResources = true;
+
     /** Controls whether scripts should be run securely or not */
     protected boolean securityOff = false;
 
@@ -925,6 +927,10 @@ public class SVGConverter {
             map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
         }
 
+        if (!allowExternalResources) {
+            map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
+        }
+
         return map;
     }
 

Modified: xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
URL: http://svn.apache.org/viewvc/xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java?rev=1871084&r1=1871083&r2=1871084&view=diff
==============================================================================
--- xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java (original)
+++ xmlgraphics/batik/trunk/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java Mon Dec  9 12:24:18 2019
@@ -33,8 +33,10 @@ import org.apache.batik.bridge.BaseScrip
 import org.apache.batik.bridge.BridgeContext;
 import org.apache.batik.bridge.BridgeException;
 import org.apache.batik.bridge.DefaultScriptSecurity;
+import org.apache.batik.bridge.ExternalResourceSecurity;
 import org.apache.batik.bridge.GVTBuilder;
 import org.apache.batik.bridge.NoLoadScriptSecurity;
+import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
 import org.apache.batik.bridge.RelaxedScriptSecurity;
 import org.apache.batik.bridge.SVGUtilities;
 import org.apache.batik.bridge.ScriptSecurity;
@@ -877,6 +879,9 @@ public abstract class SVGAbstractTransco
         = new BooleanKey();
 
 
+    public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
+            = new BooleanKey();
+
     /**
      * A user agent implementation for <code>PrintTranscoder</code>.
      */
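Review bot: `KEY_ALLOW_EXTERNAL_RESOURCES` is public API with no Javadoc, so a caller cannot tell its value type, its default, or what setting it does. Suggest `/** Boolean hint; when FALSE no external resource is loaded. When unset, loading is allowed. */` above the declaration. The same gap applies to the `allowExternalResources` field added in SVGConverter, where both neighbouring fields carry a doc comment; there the comment should also state that the default is `true`.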
@@ -1109,5 +1114,19 @@ public abstract class SVGAbstractTransco
             }
         }
 
+        public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
+            if (isAllowExternalResources()) {
+                return super.getExternalResourceSecurity(resourceURL, docURL);
+            }
+            return new NoLoadExternalResourceSecurity();
+        }
+
+        public boolean isAllowExternalResources() {
+            Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
+            if (b != null) {
+                return b;
+            }
+            return true;
+        }
     }
 }
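Review bot: `isAllowExternalResources()` fails open: with the hint absent it returns `true`, so an embedder that transcodes SVG from an untrusted source keeps fetching referenced URLs unless it sets `KEY_ALLOW_EXTERNAL_RESOURCES` to `Boolean.FALSE` itself. That preserves existing behaviour, but it should be stated on the method, e.g. `/** Returns false only when KEY_ALLOW_EXTERNAL_RESOURCES is Boolean.FALSE; an absent hint allows loading. */`. The blocked branch of `getExternalResourceSecurity` ignores `resourceURL` and `docURL`, so the switch is all-or-nothing, which is also worth one sentence of Javadoc. If the build's source level permits annotations, `@Override` on `getExternalResourceSecurity` would catch a signature drift against the superclass. The enclosing class starts outside the hunk.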