Posted to commits@camel.apache.org by da...@apache.org on 2022/12/25 13:08:59 UTC
[camel] 02/04: CAMEL-18825: Make XML parser/transformers more secure out of the box.
This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
commit 9cb1ff41560b47c5d2c4ddcc5261777e0c4cc33f
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Sun Dec 25 14:01:14 2022 +0100
CAMEL-18825: Make XML parser/transformers more secure out of the box.
---
.../processor/SchematronProcessorFactory.java | 20 ++++++--------------
.../ROOT/pages/camel-3x-upgrade-guide-3_21.adoc | 4 ++++
2 files changed, 10 insertions(+), 14 deletions(-)
diff --git a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
index 7721ce2a83d..8575c38ca1b 100644
--- a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
+++ b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
@@ -53,30 +53,22 @@ public final class SchematronProcessorFactory {
try {
return new SchematronProcessor(getXMLReader(), rules);
} catch (Exception e) {
- LOG.error("Failed to parse the configuration file");
throw new SchematronConfigException(e);
}
}
/**
* Gets XMLReader.
- *
- * @return instance of XMLReader
- * @throws ParserConfigurationException
- * @throws SAXException
*/
private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
final SAXParserFactory fac = SAXParserFactory.newInstance();
- try {
- fac.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
- fac.setFeature("http://xml.org/sax/features/external-general-entities", false);
- fac.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
- fac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
- } catch (ParserConfigurationException | SAXException ex) {
- // LOG.debug("Error setting feature on parser: " +
- // ex.getMessage());
- }
+ fac.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
+ fac.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ fac.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ fac.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ fac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
fac.setValidating(false);
+
final SAXParser parser = fac.newSAXParser();
XMLReader reader = parser.getXMLReader();
return reader;
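Review bot: The Javadoc on getXMLReader now reads only `Gets XMLReader.` while the method's contract changed in two ways the commit leaves undocumented: a rules document that carries any DOCTYPE is now rejected outright by the `disallow-doctype-decl` feature set right after FEATURE_SECURE_PROCESSING, and a SAX provider that does not recognise the Apache-specific feature URIs now fails at construction instead of being silently skipped as the removed try/catch did. Suggest restoring the tags as `@return a non-validating reader that rejects DOCTYPE declarations and external entities` and `@throws SAXException if the underlying parser does not support the hardening features ({@code SAXNotRecognizedException} / {@code SAXNotSupportedException}); earlier versions swallowed this`. The caller's `catch (Exception e)` wraps either failure in SchematronConfigException, so the fail-closed behaviour looks intended, but the upgrade-guide text added in the second file mentions only external DTD/Schema access and would not prepare a user whose rules file starts with a DOCTYPE for the new failure. Both enclosing methods start and end outside the hunk.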
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
index c46f9e906e6..e3e9ae59b0a 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
@@ -14,6 +14,10 @@ XML parsers & XML transformers has been made more secure by disabling access to
The `StAXJAXBIteratorExpression` has been made more secure by disabling XML parser to access external DTD/Schema.
+=== camel-schematron
+
+XML parsers has been made more secure by disabling access to external DTD/Schema.
+
=== camel-jbang
The command `camel dependencies` has been renamed to `camel dependency`.