This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch 3.6.x-fixes in repository https://gitbox.apache.org/repos/asf/cxf.git
The following commit(s) were added to refs/heads/3.6.x-fixes by this push: new f973751b67 Disable URLDataSource by default for Aegis (#1727) f973751b67 is described below commit f973751b67f79ea2b53fabb2f1762214b7d07131 Author: Colm O hEigeartaigh <cohei...@users.noreply.github.com> AuthorDate: Wed Mar 6 15:43:02 2024 +0000 Disable URLDataSource by default for Aegis (#1727) (cherry picked from commit d0baeb3ee64c6d7c883bd2f5c4cb0de6b0b5f463)
---
 .../apache/cxf/aegis/type/mtom/AttachmentUtil.java | 31 +++++++++++++++-------
 1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
index c44f1fabe5..5474d57369 100644
--- a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
+++ b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
@@ -31,9 +31,14 @@ import javax.activation.URLDataSource;
 import org.apache.cxf.aegis.DatabindingException;
 import org.apache.cxf.aegis.util.UID;
 import org.apache.cxf.attachment.AttachmentImpl;
+import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.message.Attachment;
 public final class AttachmentUtil {
+ // The xop:include "href" attribute (https://www.w3.org/TR/xop10/#xop_href) may include
+ // arbitrary URL which we should never follow (unless explicitly allowed).
+ public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = "org.apache.cxf.attachment.xop.follow.urls";
+
 private AttachmentUtil() {
 //utility class
 }
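Review bot: The new public constant `ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY` in the `@@ -31,9 +31,14 @@` hunk is documented only with a `//` comment, so the security-relevant default never reaches the generated Javadoc. I would make it a Javadoc comment that says the value is looked up through `SystemPropertyAction`, that anything other than `true` (case-insensitive, per `Boolean.valueOf`) leaves URL following off, and that turning it on lets an `xop:Include` `href` taken from a message make the server open that URL. The class body continues outside the hunk.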
@@ -52,15 +57,16 @@ public final class AttachmentUtil {
 if (id == null) {
 throw new DatabindingException("Cannot get attachment: null id");
 }
+ if (attachments == null) {
+ return null;
+ }
+
+
 int i = id.indexOf("cid:");
 if (i != -1) {
 id = id.substring(4).trim();
 }
- if (attachments == null) {
- return null;
- }
-
 for (Iterator<Attachment> iter = attachments.iterator(); iter.hasNext();) {
 Attachment a = iter.next();
 if (a.getId().equals(id)) {
@@ -68,12 +74,17 @@ public final class AttachmentUtil {
 }
 }
- // Try loading the URL remotely
- try {
- URLDataSource source = new URLDataSource(new URL(id));
- return new AttachmentImpl(id, new DataHandler(source));
- } catch (MalformedURLException e) {
- return null;
+ final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+ .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"));
+ if (followUrls) {
+ // Try loading the URL remotely
+ try {
+ URLDataSource source = new URLDataSource(new URL(id));
+ return new AttachmentImpl(id, new DataHandler(source));
+ } catch (MalformedURLException e) {
+ return null;
+ }
 }
+ return null;
 }
 }
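Review bot: In the `@@ -52,15 +57,16 @@` hunk, the prefix handling right after the moved null guard tests `i != -1` but then always drops the first four characters, so an id that contains `cid:` anywhere other than position 0 is truncated in the wrong place before it is matched (and, when URL following is enabled, before it is parsed as a URL). These are unchanged context lines, not something this commit introduced, but `if (id.startsWith("cid:")) { id = id.substring(4).trim(); }` would match the apparent intent. The hunk also adds two consecutive blank lines ahead of `int i`; one is enough. The method's signature lies outside the hunk.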
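Review bot: With the property set to `true`, the `if (followUrls)` branch in the `@@ -68,12 +74,17 @@` hunk still hands `id` to `new URL(id)` unfiltered, so the opt-in turns on every protocol handler the JVM has registered (local `file:` and `jar:` resources, internal HTTP endpoints), not only the remote fetch the comment describes. I would parse the URL once and return null unless its protocol is on a short allow-list, as sketched below; whether `http`/`https` is the right list is for the maintainers to confirm. Separately, `Boolean.valueOf(...)` is unboxed into a primitive here, and `Boolean.parseBoolean(...)` says the same thing directly. The diffstat lists a single changed file, so the default-off path appears to have no test in this commit.

```java
if (followUrls) {
    // Try loading the URL remotely
    try {
        URL url = new URL(id);
        String protocol = url.getProtocol();
        // The opt-in covers web URLs only; file:, jar: and other handlers stay off.
        if (!"http".equalsIgnoreCase(protocol) && !"https".equalsIgnoreCase(protocol)) {
            return null;
        }
        URLDataSource source = new URLDataSource(url);
        // … unchanged: return new AttachmentImpl, catch MalformedURLException …
```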