Repository: camel
Updated Branches:
refs/heads/camel-2.12.x 30bffc8dc -> 601ddda44
XML External Entity (XXE) injection in XmlConverter. Thanks to Stephan Siano
for the patch.
Conflicts:
camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
Project: http://git-wip-us.apache.org/repos/asf/camel/repo
Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/b0ee3e0c
Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/b0ee3e0c
Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/b0ee3e0c
Branch: refs/heads/camel-2.12.x
Commit: b0ee3e0ce155f5455a3ab744fe57d038075fedb4
Parents: 30bffc8
Author: Claus Ibsen <[email protected]>
Authored: Sun Mar 1 11:52:57 2015 +0100
Committer: Christian Schneider <[email protected]>
Committed: Fri May 8 16:32:51 2015 +0200
----------------------------------------------------------------------
.../apache/camel/converter/jaxp/XmlConverter.java | 7 +++++++
.../apache/camel/component/xslt/XsltDTDTest.java | 16 +++++++++++-----
2 files changed, 18 insertions(+), 5 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/camel/blob/b0ee3e0c/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
----------------------------------------------------------------------
diff --git
a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index 0532011..5fd8920 100644
--- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -579,6 +579,13 @@ public class XmlConverter {
} catch (Exception e) {
LOG.warn("SAXParser doesn't support the feature {} with value
{}, due to {}.", new Object[]{javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING,
"true", e});
}
+ try {
+
sfactory.setFeature("http://xml.org/sax/features/external-general-entities",
false);
+ } catch (SAXException e) {
+ LOG.warn("SAXParser doesn't support the feature {} with value
{}, due to {}."
+ , new
Object[]{"http://xml.org/sax/features/external-general-entities", false, e});
+ }
+ sfactory.setNamespaceAware(true);
SAXParser parser = sfactory.newSAXParser();
xmlReader = parser.getXMLReader();
} catch (Exception ex) {
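Review bot: The hardening stops at general entities: `http://xml.org/sax/features/external-parameter-entities` is left at its default, so a DOCTYPE can still pull in external parameter entities, and unless it is disabled elsewhere in this method the parser will still fetch external DTDs. Add `sfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` in the same warn-and-continue try/catch, and consider setting `http://apache.org/xml/features/nonvalidating/load-external-dtd` to false as well. The new handler also catches only SAXException while the secure-processing handler just above it catches Exception; SAXParserFactory.setFeature additionally declares ParserConfigurationException, which would now skip the warning and land in the outer `catch (Exception ex)` on the hunk's last line. If failing closed when the feature cannot be applied is the intent that is reasonable, but the two handlers should then agree rather than differ by accident. The enclosing method begins before this hunk and continues past it.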
http://git-wip-us.apache.org/repos/asf/camel/blob/b0ee3e0c/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
----------------------------------------------------------------------
diff --git
a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
index db5d63c..c0d2723 100644
--- a/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
+++ b/camel-core/src/test/java/org/apache/camel/component/xslt/XsltDTDTest.java
@@ -57,19 +57,25 @@ public class XsltDTDTest extends ContextTestSupport {
Exchange exchange = list.get(0);
String xml = exchange.getIn().getBody(String.class);
assertTrue("Get a wrong transformed message",
xml.indexOf("<transformed subject=\"\">") > 0);
-
-
-
+
try {
+ endpoint.reset();
+ endpoint.expectedMessageCount(1);
+
template.sendBody("direct:start2", message);
- fail("Expect an exception here");
+
+ assertMockEndpointsSatisfied();
+
+ list = endpoint.getReceivedExchanges();
+ exchange = list.get(0);
+ xml = exchange.getIn().getBody(String.class);
+ assertTrue("Get a wrong transformed message",
xml.indexOf("<transformed subject=\"\">") > 0);
} catch (Exception ex) {
// expect an exception here
assertTrue("Get a wrong exception", ex instanceof
CamelExecutionException);
// the file could not be found
assertTrue("Get a wrong exception cause", ex.getCause() instanceof
TransformerException);
}
-
}