From davscl...@apache.org
Subject [5/7] camel git commit: XML External Entity (XXE) injection in XmlConverter. Thanks to Stephan Siano for the patch.
Date Mon, 02 Mar 2015 12:01:10 GMT
XML External Entity (XXE) injection in XmlConverter. Thanks to Stephan Siano for the patch.

Conflicts:
	camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java


Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/367d53e7
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/367d53e7
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/367d53e7

Branch: refs/heads/camel-2.13.x
Commit: 367d53e73c8b5a1e73c24423e631709f9a96e08d
Parents: 7360aad
Author: Claus Ibsen <davsclaus@apache.org>
Authored: Sun Mar 1 11:52:57 2015 +0100
Committer: Claus Ibsen <davsclaus@apache.org>
Committed: Mon Mar 2 11:48:18 2015 +0100

----------------------------------------------------------------------
 .../apache/camel/converter/jaxp/XmlConverter.java   |  6 ++++++
 .../apache/camel/component/xslt/XsltDTDTest.java    | 16 +++++++++++-----
 2 files changed, 17 insertions(+), 5 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/camel/blob/367d53e7/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index a3f4a29..5fd8920 100644
--- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -579,6 +579,12 @@ public class XmlConverter {
             } catch (Exception e) {
                 LOG.warn("SAXParser doesn't support the feature {} with value {}, due to
{}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
             }
+            try {
+                sfactory.setFeature("http://xml.org/sax/features/external-general-entities",
false);
+            } catch (SAXException e) {
+                LOG.warn("SAXParser doesn't support the feature {} with value {}, due to
{}."
+                        , new Object[]{"http://xml.org/sax/features/external-general-entities",
false, e});
+            }
             sfactory.setNamespaceAware(true);
             SAXParser parser = sfactory.newSAXParser();
             xmlReader = parser.getXMLReader();
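Review bot: Disabling only external-general-entities on `sfactory` leaves parameter entities and external DTD loading enabled, so a DOCTYPE that pulls in an external DTD can still be fetched and expanded through parameter entities; the usual SAX hardening also sets `sfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and, where the parser supports it, `sfactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);`, each wrapped in the same try/catch-and-warn shape as the new block. The new catch names only SAXException, but SAXParserFactory.setFeature also declares ParserConfigurationException, so this compiles only if the enclosing method (which starts outside the hunk) declares or handles it; the preceding FEATURE_SECURE_PROCESSING block catches Exception, and matching that would be more consistent. The feature URI is repeated in both the call and the log arguments, so a local constant such as `static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";` would keep them from drifting.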

http://git-wip-us.apache.org/repos/asf/camel/blob/367d53e7/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
index db5d63c..c0d2723 100644
--- a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
+++ b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
@@ -57,19 +57,25 @@ public class XsltDTDTest extends ContextTestSupport {
         Exchange exchange = list.get(0);
         String xml = exchange.getIn().getBody(String.class);
         assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">")
> 0);
-        
-        
-        
+
         try {
+            endpoint.reset();
+            endpoint.expectedMessageCount(1);
+
             template.sendBody("direct:start2", message);
-            fail("Expect an exception here");
+
+            assertMockEndpointsSatisfied();
+
+            list = endpoint.getReceivedExchanges();
+            exchange = list.get(0);
+            xml = exchange.getIn().getBody(String.class);
+            assertTrue("Get a wrong transformed message", xml.indexOf("<transformed subject=\"\">")
> 0);
         } catch (Exception ex) {
             // expect an exception here
             assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
             // the file could not be found
             assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
         }
-        
     }
     
 
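Review bot: The second send to direct:start2 now accepts two outcomes — a transformed body with an empty subject, or a CamelExecutionException caused by a TransformerException — so a regression that merely throws on the payload would still pass; if the throwing path is only expected on some parsers that should be documented, otherwise the catch block should end in `fail("unexpected exception: " + ex);`. The comment `// expect an exception here` is now stale, since the assertions after assertMockEndpointsSatisfied are the primary expectation; a comment along the lines of `// parsers that refuse the external entity throw instead of yielding an empty subject; either way the entity content is not injected` would explain why the catch is kept, assuming that is the intent. The enclosing test method starts before this hunk.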

