Posted to commits@camel.apache.org by da...@apache.org on 2022/12/19 09:58:29 UTC
[camel] branch main updated: CAMEL-18825: Make XmlHelper more secure
This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 3a3ff1717e1 CAMEL-18825: Make XmlHelper more secure
3a3ff1717e1 is described below
commit 3a3ff1717e1e02981503631bda46336d9d1745f7
Author: Claus Ibsen <cl...@gmail.com>
AuthorDate: Mon Dec 19 10:58:11 2022 +0100
CAMEL-18825: Make XmlHelper more secure
---
.../camel/support/processor/validation/SchemaReader.java | 1 +
.../support/processor/validation/ValidatingProcessor.java | 13 +++++--------
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/SchemaReader.java b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/SchemaReader.java
index 5e176a323a6..a7b96fd23e1 100644
--- a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/SchemaReader.java
+++ b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/SchemaReader.java
@@ -182,6 +182,7 @@ public class SchemaReader {
try {
LOG.debug("Configuring SchemaFactory to not allow access to external DTD/Schema");
factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
} catch (SAXException e) {
LOG.warn(e.getMessage(), e);
}
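Review bot: The added `ACCESS_EXTERNAL_SCHEMA` call shares one try block with the `ACCESS_EXTERNAL_DTD` call, so if the first `setProperty` throws a `SAXException` the second is never attempted, and the catch only logs `e.getMessage()` before continuing. As far as this hunk shows, a `SchemaFactory` implementation that rejects either property is then used with that restriction unapplied, and the warning does not say which property failed. I would give each property its own try/catch and have the warning name the property and state that external access was not restricted, so an unhardened validator is visible in the logs. The enclosing method starts and ends outside the hunk, so any other protections it applies cannot be seen here.

```java
// … unchanged: debug log and the ACCESS_EXTERNAL_DTD try/catch …
try {
    factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
} catch (SAXException e) {
    // name the property so a factory that could not be restricted is easy to find in logs
    LOG.warn("SchemaFactory rejected " + XMLConstants.ACCESS_EXTERNAL_SCHEMA
             + "; access to external schemas was not restricted", e);
}
```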
diff --git a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/ValidatingProcessor.java b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/ValidatingProcessor.java
index 386d9e557ac..30af5ba5be8 100644
--- a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/ValidatingProcessor.java
+++ b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/processor/validation/ValidatingProcessor.java
@@ -76,9 +76,8 @@ public class ValidatingProcessor extends AsyncProcessorSupport {
}
public ValidatingProcessor(SchemaReader schemaReader) {
- // schema reader can be a singelton per schema, therefore make reuse,
- // see
- // ValidatorEndpoint and ValidatorProducer
+ // schema reader can be a singleton per schema, therefore make reuse,
+ // see ValidatorEndpoint and ValidatorProducer
this.schemaReader = schemaReader;
}
@@ -144,8 +143,7 @@ public class ValidatingProcessor extends AsyncProcessorSupport {
}
// CAMEL-7036 We don't need to set the result if the source is an
- // instance of
- // StreamSource
+ // instance of StreamSource
if (source instanceof DOMSource) {
result = new DOMResult();
} else if (source instanceof SAXSource) {
@@ -157,8 +155,7 @@ public class ValidatingProcessor extends AsyncProcessorSupport {
if (source != null) {
// create a new errorHandler and set it on the validator
// must be a local instance to avoid problems with concurrency
- // (to be
- // thread safe)
+ // (to be thread safe)
ValidatorErrorHandler handler = errorHandler.getClass().getDeclaredConstructor().newInstance();
validator.setErrorHandler(handler);
@@ -167,7 +164,7 @@ public class ValidatingProcessor extends AsyncProcessorSupport {
validator.validate(source, result);
handler.handleErrors(exchange, schema, result);
} catch (SAXParseException e) {
- // can be thrown for non well formed XML
+ // can be thrown for non-well-formed XML
throw new SchemaValidationException(
exchange, schema, Collections.singletonList(e), Collections.<SAXParseException> emptyList(),
Collections.<SAXParseException> emptyList());