Posted to commits@syncope.apache.org by il...@apache.org on 2019/10/24 14:11:51 UTC

[syncope] branch 2_1_X updated: Disallow external DTDs/Stylesheets in a few places where we definately don't neeed them (#136)

This is an automated email from the ASF dual-hosted git repository.

ilgrosso pushed a commit to branch 2_1_X
in repository https://gitbox.apache.org/repos/asf/syncope.git


The following commit(s) were added to refs/heads/2_1_X by this push:
     new 03a0b74  Disallow external DTDs/Stylesheets in a few places where we definately don't neeed them (#136)
03a0b74 is described below

commit 03a0b743be6d3170072d4c185ad8c2008e1b5189
Author: Colm O hEigeartaigh <co...@users.noreply.github.com>
AuthorDate: Thu Oct 24 15:01:40 2019 +0100

    Disallow external DTDs/Stylesheets in a few places where we definitely don't need them (#136)
---
 .../java/org/apache/syncope/core/logic/init/CamelRouteLoader.java  | 6 ++++++
 .../org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java     | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java b/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
index 44f9c8a..c78e334 100644
--- a/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
+++ b/ext/camel/logic/src/main/java/org/apache/syncope/core/logic/init/CamelRouteLoader.java
@@ -154,6 +154,12 @@ public class CamelRouteLoader implements SyncopeLoader {
                 if (IS_JBOSS) {
                     tf = TransformerFactory.newInstance();
                     tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+                    try {
+                        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+                    } catch (IllegalArgumentException ex) {
+                        LOG.debug("The JAXP parser does not support the following attribute: ", ex);
+                    }
                     tf.setURIResolver((href, base) -> null);
 
                     Document doc = StaxUtils.read(resource.getInputStream());
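Review bot: The new catch on lines 37-39 downgrades silently: if the JAXP implementation rejects `ACCESS_EXTERNAL_DTD`, the factory is left with external DTD and stylesheet access still permitted, yet the only trace is a debug-level message that does not even name the attribute. Because both `setAttribute` calls share one `try`, a failure on the first also skips the attempt to restrict `ACCESS_EXTERNAL_STYLESHEET`, so a partially supporting parser loses both protections. I would log at warn with the attribute in the message and set each attribute in its own guarded call, e.g. `LOG.warn("JAXP implementation does not support {}; external access is not restricted", XMLConstants.ACCESS_EXTERNAL_DTD, ex);`. Note also that this hardening is applied only inside the `if (IS_JBOSS)` branch; if the non-JBoss path (outside this hunk) creates its own `TransformerFactory`, it presumably needs the same attributes.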
diff --git a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
index 09ae7be..617ac47 100644
--- a/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
+++ b/ext/saml2sp/logic/src/main/java/org/apache/syncope/core/logic/saml2/SAML2ReaderWriter.java
@@ -83,6 +83,13 @@ public class SAML2ReaderWriter {
         } catch (TransformerConfigurationException e) {
             LOG.error("Could not enable secure XML processing", e);
         }
+
+        try {
+            TRANSFORMER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            TRANSFORMER_FACTORY.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (IllegalArgumentException ex) {
+             LOG.debug("The JAXP parser does not support the following attribute: ", ex);
+        }
     }
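Review bot: The failure to restrict external access on lines 55-57 is logged at debug, while the immediately preceding failure to enable `FEATURE_SECURE_PROCESSING` is logged at error — two failures that weaken the same SAML XML processing pipeline should be reported at the same severity, since a SAML SP parses attacker-influenced XML and an operator needs to know the parser is running with external access still enabled. I would change line 56 to `LOG.error("JAXP implementation does not support restricting external DTD/stylesheet access", ex);` and, as in the first try block, keep each `setAttribute` independently guarded so one unsupported attribute does not skip the other. Line 56 is also indented one column deeper than the surrounding code. The enclosing static initializer begins before this hunk.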
 
     @Autowired