Re: [camel] branch camel-2.24.x updated: Disable external entities for schematron component


Claus Ibsen-2
Hi Colm

Can you cherry-pick this to the camel-2.x branch also?
And I assume it should also be done for the master branch.

Also, it would be good to clean up the commented-out code you have in
the catch block.

On Fri, Oct 11, 2019 at 11:56 AM <[hidden email]> wrote:

>
> This is an automated email from the ASF dual-hosted git repository.
>
> coheigea pushed a commit to branch camel-2.24.x
> in repository https://gitbox.apache.org/repos/asf/camel.git
>
>
> The following commit(s) were added to refs/heads/camel-2.24.x by this push:
>      new b2e6d10  Disable external entities for schematron component
> b2e6d10 is described below
>
> commit b2e6d10a50d3613179cf6c4655ff3b7e2d52a1d9
> Author: Colm O hEigeartaigh <[hidden email]>
> AuthorDate: Fri Oct 11 10:37:17 2019 +0100
>
>     Disable external entities for schematron component
> ---
>  .../schematron/processor/SchematronProcessorFactory.java       | 10 +++++++++-
>  1 file changed, 9 insertions(+), 1 deletion(-)
>
> diff --git a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
> index 13f146e..1f098da 100644
> --- a/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
> +++ b/components/camel-schematron/src/main/java/org/apache/camel/component/schematron/processor/SchematronProcessorFactory.java
> @@ -69,7 +69,15 @@ public final class SchematronProcessorFactory {
>       */
>      private static XMLReader getXMLReader() throws ParserConfigurationException, SAXException {
>          final SAXParserFactory fac = SAXParserFactory.newInstance();
> -        fac.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> +        try {
> +            fac.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
> +            fac.setFeature("http://xml.org/sax/features/external-general-entities", false);
> +            fac.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> +            fac.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
> +        } catch (ParserConfigurationException | SAXException ex) {
> +            // LOG.debug("Error setting feature on parser: " +
> +            // ex.getMessage());
> +        }
>          fac.setValidating(false);
>          final SAXParser parser = fac.newSAXParser();
>          XMLReader reader = parser.getXMLReader();
>
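
Review bot: the catch block around the four setFeature calls swallows ParserConfigurationException | SAXException with its only logging commented out, so a parser that rejects any of these features goes on to parse without that hardening applied and nothing records it. Because all four calls share one try, a failure on an earlier call also skips the later ones. getXMLReader() already declares "throws ParserConfigurationException, SAXException", so the try/catch can be dropped to let the failure propagate; if tolerating unsupported features is intended, wrap each setFeature call separately and log at warn level rather than leaving the commented-out LOG.debug. Minor: the added line spells out javax.xml.XMLConstants where the removed line used the imported XMLConstants.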


--
Claus Ibsen
-----------------
http://davsclaus.com @davsclaus
Camel in Action 2: https://www.manning.com/ibsen2