Posted to commits@cxf.apache.org by re...@apache.org on 2022/11/30 23:36:07 UTC
[cxf] 01/02: CXF-8706: CXF MTOM handler allow content injection (#960)
This is an automated email from the ASF dual-hosted git repository.
reta pushed a commit to branch 3.4.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 276f2a8720a6edab13010f657acd3f7bc249ca59
Author: Andriy Redko <dr...@gmail.com>
AuthorDate: Wed Nov 30 17:04:20 2022 -0500
CXF-8706: CXF MTOM handler allow content injection (#960)
* CXF-8706: CXF MTOM handler allow content injection
* Disable URLDataSource by default, always look inside attachments list by default
* Address code review comments
(cherry picked from commit 63388ffb81e4c8be64a9cce4a3efd1d145eeca7c)
(cherry picked from commit bff4eb1959ecac3ddd5e824550497ef137479e26)
---
.../org/apache/cxf/attachment/AttachmentUtil.java | 46 +++++++++++++++++-----
.../cxf/attachment/AttachmentDeserializerTest.java | 21 ++++++++++
systests/uncategorized/pom.xml | 9 +++++
.../apache/cxf/systest/mtom/request-url-attachment | 2 +-
4 files changed, 67 insertions(+), 11 deletions(-)
diff --git a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
index 9db5934c52..942c3a9833 100644
--- a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
+++ b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
@@ -57,6 +57,7 @@ import javax.activation.URLDataSource;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.common.util.SystemPropertyAction;
import org.apache.cxf.helpers.FileUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.io.CachedOutputStream;
@@ -65,6 +66,9 @@ import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
public final class AttachmentUtil {
+ // The xop:include "href" attribute (https://www.w3.org/TR/xop10/#xop_href) may include
+ // arbitrary URL which we should never follow (unless explicitly allowed).
+ public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = "org.apache.cxf.attachment.xop.follow.urls";
public static final String BODY_ATTACHMENT_ID = "root.message@cxf.apache.org";
private static final Logger LOG = LogUtils.getL7dLogger(AttachmentUtil.class);
@@ -540,24 +544,46 @@ public final class AttachmentUtil {
}
public static DataSource getAttachmentDataSource(String contentId, Collection<Attachment> atts) {
- // Is this right? - DD
+ //
+ // RFC-2392 (https://datatracker.ietf.org/doc/html/rfc2392) says:
+ //
+ // A "cid" URL is converted to the corresponding Content-ID message
+ // header [MIME] by removing the "cid:" prefix, converting the % encoded
+ // character to their equivalent US-ASCII characters, and enclosing the
+ // remaining parts with an angle bracket pair, "<" and ">".
+ //
if (contentId.startsWith("cid:")) {
try {
contentId = URLDecoder.decode(contentId.substring(4), StandardCharsets.UTF_8.name());
} catch (UnsupportedEncodingException ue) {
contentId = contentId.substring(4);
}
- return loadDataSource(contentId, atts);
- } else if (contentId.indexOf("://") == -1) {
- return loadDataSource(contentId, atts);
- } else {
- try {
- return new URLDataSource(new URL(contentId));
- } catch (MalformedURLException e) {
- throw new Fault(e);
+
+ // href attribute information item: MUST be a valid URI per the cid: URI scheme (RFC 2392),
+ // for example:
+ //
+ // <xop:Include xmlns:xop='http://www.w3.org/2004/08/xop/include' href='cid:http://example.org/me.png'/>
+ //
+ // See please https://www.w3.org/TR/xop10/
+ //
+ if (contentId.indexOf("://") == -1) {
+ return loadDataSource(contentId, atts);
+ } else {
+ try {
+ final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+ .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"));
+ if (followUrls) {
+ return new URLDataSource(new URL(contentId));
+ } else {
+ return loadDataSource(contentId, atts);
+ }
+ } catch (MalformedURLException e) {
+ throw new Fault(e);
+ }
}
+ } else {
+ return loadDataSource(contentId, atts);
}
-
}
private static DataSource loadDataSource(String contentId, Collection<Attachment> atts) {
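Review bot: When `org.apache.cxf.attachment.xop.follow.urls` is set to true, the `new URLDataSource(new URL(contentId))` branch still accepts any scheme the JVM has a handler for (`file:`, `jar:`, `ftp:`, …), not only `http`/`https`, so on a deployment that opts in a message carrying `href='cid:file:///etc/passwd'` would be read from the server's filesystem. A scheme check before the DataSource is built would bound the opt-in, e.g. `final URL url = new URL(contentId); if (!"http".equals(url.getProtocol()) && !"https".equals(url.getProtocol())) { throw new Fault(new MalformedURLException("Unsupported xop:Include scheme: " + url.getProtocol())); }`, and the constant's comment should at least say that enabling the property permits any URL scheme. Note also that the XOP example quoted in the hunk, `cid:http://example.org/me.png`, is a legitimate Content-ID of an attachment that is part of the message, so with the property enabled such a reference is fetched remotely even when the attachment is present; whether the attachment list could be consulted first depends on `loadDataSource`, which begins at the hunk's last line and continues outside it. Minor style point: the `try` only needs to wrap `new URL(contentId)`, not the property lookup.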
diff --git a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
index 717083e91b..b2d90c1093 100644
--- a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
+++ b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
@@ -33,6 +33,7 @@ import java.util.regex.Pattern;
import java.util.stream.IntStream;
import javax.activation.DataSource;
+import javax.activation.URLDataSource;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
@@ -49,9 +50,11 @@ import org.apache.cxf.message.XMLMessage;
import org.junit.Before;
import org.junit.Test;
+import static org.hamcrest.CoreMatchers.instanceOf;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertThat;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
@@ -783,4 +786,22 @@ public class AttachmentDeserializerTest {
assertEquals("passwd", dataSource.getName());
}
+ @Test
+ public void testCXF8706() {
+ final DataSource ds = AttachmentUtil
+ .getAttachmentDataSource("cid:http://image.com/1.gif", Collections.emptyList());
+ assertThat(ds, instanceOf(LazyDataSource.class));
+ }
+
+ @Test
+ public void testCXF8706followUrl() {
+ System.setProperty(AttachmentUtil.ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "true");
+ try {
+ final DataSource ds = AttachmentUtil
+ .getAttachmentDataSource("cid:http://image.com/1.gif", Collections.emptyList());
+ assertThat(ds, instanceOf(URLDataSource.class));
+ } finally {
+ System.clearProperty(AttachmentUtil.ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY);
+ }
+ }
}
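Review bot: Both new tests exercise only `cid:`-prefixed hrefs; the other path changed by this commit — a bare `http://…` href with no `cid:` prefix, which previously became a `URLDataSource` and now always goes to `loadDataSource` regardless of the property — has no test pinning the new behaviour. A third case along the lines of `assertThat(AttachmentUtil.getAttachmentDataSource("http://image.com/1.gif", Collections.emptyList()), instanceOf(LazyDataSource.class));`, run both with and without the property set, would guard against a regression that reintroduces the fetch. The system property is JVM-global, so the `finally` clearing it is the right shape; the tests would still be safer with the property explicitly cleared in `@Before` as well, in case another test in the same JVM leaves it set.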
diff --git a/systests/uncategorized/pom.xml b/systests/uncategorized/pom.xml
index 250ba5d437..5c799b8555 100644
--- a/systests/uncategorized/pom.xml
+++ b/systests/uncategorized/pom.xml
@@ -128,6 +128,15 @@
</execution>
</executions>
</plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-surefire-plugin</artifactId>
+ <configuration>
+ <systemPropertyVariables>
+ <org.apache.cxf.attachment.xop.follow.urls>true</org.apache.cxf.attachment.xop.follow.urls>
+ </systemPropertyVariables>
+ </configuration>
+ </plugin>
</plugins>
</build>
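Review bot: Setting `org.apache.cxf.attachment.xop.follow.urls` to true in the module-wide surefire configuration turns the opt-in URL following on for every systest in `systests/uncategorized`, not just the MTOM test that needs it, so no test in this module now runs with the new secure default. If surefire here supports it, scoping the property to the MTOM test class (or setting and clearing it inside that test) would keep the rest of the module covering the default-off behaviour; at minimum a one-line XML comment above the `systemPropertyVariables` element should say why the property is enabled, e.g. `<!-- CXF-8706: MTOM systests fetch xop:Include hrefs from a local server; URL following is off by default -->`.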
<dependencies>
diff --git a/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment b/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
index 8d3b0d4ea0..0e4945a5c5 100755
--- a/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
+++ b/systests/uncategorized/src/test/java/org/apache/cxf/systest/mtom/request-url-attachment
@@ -10,7 +10,7 @@ Content-ID: <echo.xml>
<m:Data>
<m:someData><xop:Include
xmlns:xop='http://www.w3.org/2004/08/xop/include'
- href='http://localhost:9036/policy.xsd'/>
+ href='cid:http://localhost:9036/policy.xsd'/>
</m:someData>
</m:Data>
</m:echo>