This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.5.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

commit 659a8f9b10bc8037774c0399e61e77e3955fd230
Author: Colm O hEigeartaigh <cohei...@users.noreply.github.com>
AuthorDate: Wed Mar 6 15:43:02 2024 +0000

    Disable URLDataSource by default for Aegis (#1727)
    
    (cherry picked from commit d0baeb3ee64c6d7c883bd2f5c4cb0de6b0b5f463)
    (cherry picked from commit f973751b67f79ea2b53fabb2f1762214b7d07131)
---
 .../apache/cxf/aegis/type/mtom/AttachmentUtil.java | 31 +++++++++++++++-------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git 
a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
 
b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
index c44f1fabe5..5474d57369 100644
--- 
a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
+++ 
b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
@@ -31,9 +31,14 @@ import javax.activation.URLDataSource;
 import org.apache.cxf.aegis.DatabindingException;
 import org.apache.cxf.aegis.util.UID;
 import org.apache.cxf.attachment.AttachmentImpl;
+import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.message.Attachment;
 
 public final class AttachmentUtil {
+    // The xop:include "href" attribute 
(https://www.w3.org/TR/xop10/#xop_href) may include 
+    // arbitrary URL which we should never follow (unless explicitly allowed).
+    public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = 
"org.apache.cxf.attachment.xop.follow.urls";
+
     private AttachmentUtil() {
         //utility class
     }
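Review bot: The new public constant `ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY` is documented only by a `//` line comment, so the explanation will not appear in generated Javadoc, where people deciding whether to set the property would look. I would make it a Javadoc block stating three things: the value is read as a JVM system property, it defaults to `false`, and setting it to `true` lets an xop:include href cause this class to dereference a URL chosen by the message sender. The default and the lookup are taken from the `SystemPropertyAction.getProperty(..., "false")` call further down in the same commit.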
@@ -52,15 +57,16 @@ public final class AttachmentUtil {
         if (id == null) {
             throw new DatabindingException("Cannot get attachment: null id");
         }
+        if (attachments == null) {
+            return null;
+        }
+
+
         int i = id.indexOf("cid:");
         if (i != -1) {
             id = id.substring(4).trim();
         }
 
-        if (attachments == null) {
-            return null;
-        }
-
         for (Iterator<Attachment> iter = attachments.iterator(); 
iter.hasNext();) {
             Attachment a = iter.next();
             if (a.getId().equals(id)) {
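Review bot: The prefix handling just below the relocated null check tests `id.indexOf("cid:") != -1` but then always strips the first four characters. A reference that merely contains `cid:` further along therefore loses its leading characters and is matched as a different string from the one received, and when URL following is enabled it is also dereferenced in that altered form. The id appears to come from the xop:include href, so I would anchor the test to the start: `if (id.startsWith("cid:")) { id = id.substring(4).trim(); }`. The hunk also adds two consecutive blank lines after the null check, where one is enough. The method starts before this hunk and continues past it.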
@@ -68,12 +74,17 @@ public final class AttachmentUtil {
             }
         }
 
-        // Try loading the URL remotely
-        try {
-            URLDataSource source = new URLDataSource(new URL(id));
-            return new AttachmentImpl(id, new DataHandler(source));
-        } catch (MalformedURLException e) {
-            return null;
+        final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+                        .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, 
"false"));
+        if (followUrls) {
+            // Try loading the URL remotely
+            try {
+                URLDataSource source = new URLDataSource(new URL(id));
+                return new AttachmentImpl(id, new DataHandler(source));
+            } catch (MalformedURLException e) {
+                return null;
+            }
         }
+        return null;
     }
 }
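Review bot: Once `followUrls` is true, `new URL(id)` is still built from the unvalidated reference, so any scheme the JVM has a handler for (`file:` as well as `http:`) is accepted and opting in restores the full pre-patch exposure rather than a narrowed one. If deployments that enable the property only need web URLs, check the parsed scheme before creating the data source: `final URL url = new URL(id);` then `if (!"http".equals(url.getProtocol()) && !"https".equals(url.getProtocol())) { return null; }`. Whether callers rely on other schemes is not visible here. Separately, `Boolean.valueOf(...)` boxes a value that is immediately unboxed, and `Boolean.parseBoolean(...)` returns the primitive directly. The method begins above this hunk.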
