This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 3b12e488b52762c8d3012c5d4a10aa2a72e9800f
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Dec 19 09:59:34 2022 +0100

    CAMEL-18825: Make XmlHelper more secure
---
 .../org/apache/camel/support/builder/xml/XMLConverterHelper.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git 
a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java
 
b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java
index e1a4afc0fc5..6dd23db75be 100644
--- 
a/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java
+++ 
b/core/camel-xml-jaxp/src/main/java/org/apache/camel/support/builder/xml/XMLConverterHelper.java
@@ -128,6 +128,13 @@ public class XMLConverterHelper {
             LOG.warn("DocumentBuilderFactory doesn't support the feature {} 
with value {}, due to {}.",
                     XMLConstants.FEATURE_SECURE_PROCESSING, true, 
e.getMessage());
         }
+        try {
+            // Set secure processing
+            
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+        } catch (ParserConfigurationException e) {
+            LOG.warn("DocumentBuilderFactory doesn't support the feature {} 
with value {}, due to {}.",
+                    "http://apache.org/xml/features/disallow-doctype-decl";, 
true, e.getMessage());
+        }
         try {
             // Disable the external-general-entities by default
             
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
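Review bot: The comment on the added setFeature call, `// Set secure processing`, is misleading — FEATURE_SECURE_PROCESSING is what the preceding try block sets, whereas this feature rejects DOCTYPE declarations outright, which is the strongest XXE/entity-expansion mitigation but also a behavioural change the commit does not document: any input carrying a `<!DOCTYPE ...>` (internal DTD subsets included) will presumably now fail to parse instead of being parsed with external entities disabled. I would change the comment to `// Disallow DOCTYPE declarations: closes XXE and entity-expansion (billion laughs) even where the external-entity features below are not honoured by the parser; documents with a DOCTYPE are rejected` and note the rejection in the CAMEL-18825 release notes or upgrade guide so users with DTD-bearing XML know what to expect. The feature URI is now repeated verbatim in the warn message; hoisting it into a local, `String disallowDoctype = "http://apache.org/xml/features/disallow-doctype-decl";`, keeps the two in sync with the surrounding blocks' style. The enclosing method starts before this hunk.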
@@ -140,7 +147,7 @@ public class XMLConverterHelper {
             Class<?> smClass = 
ObjectHelper.loadClass("org.apache.xerces.util.SecurityManager");
             if (smClass != null) {
                 Object sm = smClass.getDeclaredConstructor().newInstance();
-                // Here we just use the default setting of the SeurityManager
+                // Here we just use the default setting of the SecurityManager
                 
factory.setAttribute("http://apache.org/xml/properties/security-manager";, sm);
             }
         } catch (Exception e) {
