Posted to commits@syncope.apache.org by il...@apache.org on 2019/10/24 14:11:51 UTC
[syncope] branch 2_1_X updated: Disallow external DTDs/Stylesheets
in a few places where we definately don't neeed them (#136)
This is an automated email from the ASF dual-hosted git repository.
ilgrosso pushed a commit to branch 2_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git
The following commit(s) were added to refs/heads/2_1_X by this push:
new 03a0b74 Disallow external DTDs/Stylesheets in a few places where we definately don't neeed them (#136)
03a0b74 is described below
commit 03a0b743be6d3170072d4c185ad8c2008e1b5189
Author: Colm O hEigeartaigh <co...@users.noreply.github.com>
AuthorDate: Thu Oct 24 15:01:40 2019 +0100
Disallow external DTDs/Stylesheets in a few places where we definately don't neeed them (#136)
---
.../java/org/apache/syncope/core/logic/init/CamelRouteLoader.java | 6 ++++++
.../org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java | 7 +++++++
2 files changed, 13 insertions(+)
diff --git a/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java b/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
index 44f9c8a..c78e334 100644
--- a/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
+++ b/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
@@ -154,6 +154,12 @@ public class CamelRouteLoader implements SyncopeLoader {
if (IS_JBOSS) {
tf = TransformerFactory.newInstance();
tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ try {
+ tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ } catch (IllegalArgumentException ex) {
+ LOG.debug("The JAXP parser does not support the following attribute: ", ex);
+ }
tf.setURIResolver((href, base) -> null);
Document doc = StaxUtils.read(resource.getInputStream());
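Review bot: Both `setAttribute` calls sit in one `try`, so if the factory rejects `ACCESS_EXTERNAL_DTD` with an IllegalArgumentException, the `ACCESS_EXTERNAL_STYLESHEET` restriction is never attempted; the SAML2ReaderWriter hunk repeats the same pattern. Setting each attribute in its own try keeps whichever restriction the implementation does support. The catch message also ends in a colon without naming the attribute, and at debug level a factory that lacks the restriction will usually go unnoticed. The sketch below logs the attribute name at warn level, assuming LOG is an SLF4J logger, which the hunk does not show. The enclosing method starts and ends outside the hunk, and only the IS_JBOSS branch is visible here.

```java
tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
for (String attr : new String[] {
    XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_STYLESHEET }) {
    try {
        // empty string = no protocols allowed for external access
        tf.setAttribute(attr, "");
    } catch (IllegalArgumentException ex) {
        LOG.warn("TransformerFactory does not support {}; external access is not restricted", attr, ex);
    }
}
// … unchanged: setURIResolver and StaxUtils.read …
```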
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index 09ae7be..617ac47 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -83,6 +83,13 @@ public class SAML2ReaderWriter {
} catch (TransformerConfigurationException e) {
LOG.error("Could not enable secure XML processing", e);
}
+
+ try {
+ TRANSFORMER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ TRANSFORMER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+ } catch (IllegalArgumentException ex) {
+ LOG.debug("The JAXP parser does not support the following attribute: ", ex);
+ }
}
@Autowired
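Review bot: The new catch logs at debug while the catch directly above it reports a failed secure-processing setup with `LOG.error`, so a factory that cannot restrict external DTD or stylesheet access is far less visible than one that cannot enable FEATURE_SECURE_PROCESSING. For a class that, going by its name, reads SAML 2.0 XML, I would raise this to at least `LOG.warn("TransformerFactory does not support external access restrictions", ex);` so the unhardened state shows up in default logging. A short comment such as `// empty string = no protocols allowed for external DTD / stylesheet access` above the two calls would also explain the `""` value. The block that configures TRANSFORMER_FACTORY begins outside the hunk.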