From davscl...@apache.org
Subject [1/2] camel git commit: CAMEL-9309: Make it easier to turn on|off java transport over http
Date Thu, 12 Nov 2015 14:03:16 GMT
Repository: camel
Updated Branches:
  refs/heads/camel-2.16.x c558f30a6 -> 92081b203
  refs/heads/master f7f0b18f6 -> 7e28d0af4


CAMEL-9309: Make it easier to turn on|off java transport over http


Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/7e28d0af
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/7e28d0af
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/7e28d0af

Branch: refs/heads/master
Commit: 7e28d0af471ea992eb74807a4abd1626b88d678a
Parents: f7f0b18
Author: Claus Ibsen <davsclaus@apache.org>
Authored: Thu Nov 12 15:06:32 2015 +0100
Committer: Claus Ibsen <davsclaus@apache.org>
Committed: Thu Nov 12 15:06:32 2015 +0100

----------------------------------------------------------------------
 .../apache/camel/component/http4/HttpComponent.java    | 12 ++++++++++++
 .../org/apache/camel/component/http4/HttpProducer.java | 13 +++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/camel/blob/7e28d0af/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
----------------------------------------------------------------------
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
index a2be672..df47d50 100644
--- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
+++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java
@@ -381,6 +381,18 @@ public class HttpComponent extends HttpCommonComponent {
         super.setHttpConfiguration(httpConfiguration);
     }
 
+    /**
+     * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object
+     * <p/>
+     * This is by default turned off. If you enable this then be aware that Java will deserialize
the incoming
+     * data from the request to Java and that can be a potential security risk.
+     */
+    @Override
+    public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) {
+        // need to override and call super for component docs
+        super.setAllowJavaSerializedObject(allowJavaSerializedObject);
+    }
+
     public HttpContext getHttpContext() {
         return httpContext;
     }
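Review bot: The Javadoc added on `setAllowJavaSerializedObject` names the header as `context-type`; it should read `Content-Type`. It also speaks only of incoming request data, while the HttpProducer changes later in this commit read the same flag to gate both sending a serialized body and deserializing the body of the server's response. Wording such as `If you enable this then Java will deserialize the body returned by the remote server, which is a security risk when that server is not fully trusted` would match what the producer does. The comment should also say that the endpoint's `transferException` option enables response deserialization on its own, as the producer hunk shows.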

http://git-wip-us.apache.org/repos/asf/camel/blob/7e28d0af/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
----------------------------------------------------------------------
diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
index 9a22fbf..09f347d 100644
--- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
+++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java
@@ -304,7 +304,7 @@ public class HttpProducer extends DefaultProducer {
      * @return the response either as a stream, or as a deserialized java object
      * @throws IOException can be thrown
      */
-    protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse
httpResponse, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException
{
+    protected Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse,
Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException
{
         HttpEntity entity = httpResponse.getEntity();
         if (entity == null) {
             return null;
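Review bot: The `@return` and `@throws` tags above `extractResponseBody` no longer describe the method. With the gate added further down in this commit it also returns null when a serialized-object response is refused, and `ClassNotFoundException` is declared but not documented. Suggested text: `@return the response as a stream, a deserialized java object, or null if there is no body or java serialization is not allowed`. Dropping `static` changes how subclasses and other callers reach this protected method, which deserves a mention in the release notes. The method body continues outside this hunk.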
@@ -331,7 +331,13 @@ public class HttpProducer extends DefaultProducer {
         }
         // if content type is a serialized java object then de-serialize it back to a Java
object
         if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT))
{
-            return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+            // only deserialize java if allowed
+            if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException())
{
+                return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext());
+            } else {
+                // empty response
+                return null;
+            }
         } else {
             InputStream response = null;
             if (!ignoreResponseBody) {
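Review bot: The new condition in `extractResponseBody` still deserializes the response when `getEndpoint().isTransferException()` is true, even with `allowJavaSerializedObject` left off, so the component-level switch is not a complete off switch for Java deserialization of server-controlled data. Nothing visible in this hunk restricts that path to exception types, so the intent should be stated at the branch, for example `// transferException also enables deserialization, independent of allowJavaSerializedObject`. The refusal branch returns null silently, which a caller cannot tell apart from an empty body. A log statement there naming the refused content type would make a misconfiguration or an unexpected serialized response visible to operators. The request-side hunk below throws in the same situation, so the two directions now report the refusal differently. The enclosing method starts and ends outside this hunk.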
@@ -444,6 +450,9 @@ public class HttpProducer extends DefaultProducer {
                     }
 
                     if (contentTypeString != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentTypeString))
{
+                        if (!getEndpoint().getComponent().isAllowJavaSerializedObject())
{
+                            throw new CamelExchangeException("Content-type " + org.apache.camel.http.common.HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT
+ " is not allowed", exchange);
+                        }
                         // serialized java object
                         Serializable obj = in.getMandatoryBody(Serializable.class);
                         // write object to output stream
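Review bot: The added `throw` spells the constant as `org.apache.camel.http.common.HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT`, while the `if` directly above it uses the short `HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT`. If both resolve to the same class (the imports are not visible here), the message can use the short form: `throw new CamelExchangeException("Content-type " + HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange);`. If they are different classes, a one-line comment saying why the fully qualified one is needed would save the next reader the lookup. The check reads only the component flag, whereas the response-side check also accepts `isTransferException()`; a short comment noting that the asymmetry is deliberate would help. The surrounding method continues outside this hunk.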

