From: cschneider@apache.org To: commits@camel.apache.org Date: Fri, 08 May 2015 15:09:53 -0000 Message-Id: <53f941070f75416498cd306b3603905c@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: [1/2] camel git commit: XML External Entity (XXE) injection in XmlConverter. Thanks to Stephan Siano for the patch. Repository: camel Updated Branches: refs/heads/camel-2.12.x 30bffc8dc -> 601ddda44 XML External Entity (XXE) injection in XmlConverter. Thanks to Stephan Siano for the patch. Conflicts: camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/b0ee3e0c Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/b0ee3e0c Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/b0ee3e0c Branch: refs/heads/camel-2.12.x Commit: b0ee3e0ce155f5455a3ab744fe57d038075fedb4 Parents: 30bffc8 Author: Claus Ibsen Authored: Sun Mar 1 11:52:57 2015 +0100 Committer: Christian Schneider Committed: Fri May 8 16:32:51 2015 +0200 ---------------------------------------------------------------------- .../apache/camel/converter/jaxp/XmlConverter.java | 7 +++++++ .../apache/camel/component/xslt/XsltDTDTest.java | 16 +++++++++++----- 2 files changed, 18 insertions(+), 5 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/b0ee3e0c/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java ---------------------------------------------------------------------- diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java index 0532011..5fd8920 100644 --- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java +++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java 
@@ -579,6 +579,13 @@ public class XmlConverter {
 } catch (Exception e) {
 LOG.warn("SAXParser doesn't support the feature {} with value {}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING, "true", e});
 }
+ try {
+ sfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ } catch (SAXException e) {
+ LOG.warn("SAXParser doesn't support the feature {} with value {}, due to {}."
+ , new Object[]{"http://xml.org/sax/features/external-general-entities", false, e});
+ }
+
 sfactory.setNamespaceAware(true);
 SAXParser parser = sfactory.newSAXParser();
 xmlReader = parser.getXMLReader();
 } catch (Exception ex) {
http://git-wip-us.apache.org/repos/asf/camel/blob/b0ee3e0c/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
----------------------------------------------------------------------
diff --git a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
index db5d63c..c0d2723 100644
--- a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
+++ b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
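Review bot: The added block disables only external general entities on the SAXParserFactory; external parameter entities and external DTD loading stay enabled, so a DOCTYPE in an incoming document can still fetch a remote DTD and expand entities declared through parameter entities. I would add `sfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` to the same try, and `sfactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` where the deployment does not need DTDs (or `http://apache.org/xml/features/disallow-doctype-decl` set to true). The new `catch (SAXException e)` is also narrower than the preceding block's `catch (Exception e)`: `SAXParserFactory.setFeature` additionally declares `ParserConfigurationException`, which is not a SAXException, so a factory that reports an unknown feature that way skips the warning and falls to the outer `catch (Exception ex)`, which looks like it abandons XMLReader creation entirely rather than continuing with the remaining hardening. On the warned path the reader is still built with entity resolution left at the factory default, i.e. the guard fails open and a WARN line is the only signal; the enclosing method and its outer try begin outside the hunk.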
@@ -57,19 +57,25 @@ public class XsltDTDTest extends ContextTestSupport {
 Exchange exchange = list.get(0);
 String xml = exchange.getIn().getBody(String.class);
 assertTrue("Get a wrong transformed message", xml.indexOf("") > 0);
-
-
-
+ try {
+ endpoint.reset();
+ endpoint.expectedMessageCount(1);
+ template.sendBody("direct:start2", message);
- fail("Expect an exception here");
+
+ assertMockEndpointsSatisfied();
+
+ list = endpoint.getReceivedExchanges();
+ exchange = list.get(0);
+ xml = exchange.getIn().getBody(String.class);
+ assertTrue("Get a wrong transformed message", xml.indexOf("") > 0);
 } catch (Exception ex) {
 // expect an exception here
 assertTrue("Get a wrong exception", ex instanceof CamelExecutionException);
 // the file could not be found
 assertTrue("Get a wrong exception cause", ex.getCause() instanceof TransformerException);
 }
-
 }
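Review bot: The rewritten try body now expects `direct:start2` to succeed, but the unchanged `catch (Exception ex)` still accepts a CamelExecutionException wrapping a TransformerException, so the test passes both when external entities are ignored and when the old behaviour (resolution attempted, missing file, exception) is still in place; it therefore does not prove the XmlConverter fix. I would drop the try/catch so any exception fails the test, or replace the catch body with `fail("external entity should have been ignored, got: " + ex);`, and delete the now-misleading `// expect an exception here` comment. The surviving assertion also only checks that a transformed element is present; an additional check that the entity's external content was not expanded into `xml` would pin the security property directly. The `indexOf("")` literal appears empty on this page, which looks like a rendering artifact of the mail rather than the committed text, so I have not treated it as a defect. The enclosing test method starts outside the hunk.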