Hi John,

I changed the TransformerFactory to prevent XXE by basically doing:

    TransformerFactory tf = TransformerFactory.newInstance();
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

I did the same trick for transformer factory, validator, schema factory, sax transformer factory.

For SAX XMLReader, I should go via feature.

Let me do a new pass on that.

Regards
JB

On 05/01/2019 00:44, John Taylor wrote:
> Hi All,
>
> I use Karaf as a runtime to host my Apache Camel routes. They are
> mostly plain blueprint .xmls that are installed and deployed with the
> blueprint handler. I make heavy use of xsl transformations and have in
> the past used Xalan but am moving to Saxon for xslt/xpath 2.0.
>
> On 4.2.1 I don't have any issues installing and using either Xalan or
> Saxon bundles, but on 4.2.2, once either are installed I can no longer
> install through blueprint. It looks to be the result of the change for
> "Set the secure processing feature on TransformerFactory instances" in
> XmlUtils in commit de4c413925379913ffb3bf96ead7edc2dba98d4b. That
> commit sets XMLConstants.ACCESS_EXTERNAL_DTD and neither Xalan nor
> Saxon support that property. From what I've read searching for that
> error I believe external DTD isn't in the purview of transformation
> but in the document parser.
>
> Note that it is after a restart of Karaf after installing Saxon that I
> get the exception when trying to install another blueprint bundle. I
> believe a transformer is already created from the default
> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImp.
>
> Has anyone else seen this?
>
> Thanks.
> -John
>
>
> 2018-12-31T16:17:31,853 | ERROR | fileinstall-/opt/sgscamel/karaf/apache-karaf-4.2.2/deploy | BlueprintURLHandler | 63 - org.apache.karaf.deployer.blueprint - 4.2.2 | Error opening blueprint xml url
> java.lang.IllegalArgumentException: Unknown configuration property http://javax.xml.XMLConstants/property/accessExternalDTD
>     at net.sf.saxon.Configuration.setConfigurationProperty(Configuration.java:4644) ~[?:?]
>     at net.sf.saxon.s9api.Processor.setConfigurationProperty(Processor.java:352) ~[?:?]
>     at net.sf.saxon.jaxp.SaxonTransformerFactory.setAttribute(SaxonTransformerFactory.java:306) ~[?:?]
>     at org.apache.karaf.util.XmlUtils.transformer(XmlUtils.java:154) ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>     at org.apache.karaf.util.XmlUtils.transform(XmlUtils.java:96) ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>     at org.apache.karaf.deployer.blueprint.BlueprintTransformer.analyze(BlueprintTransformer.java:129) ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>     at org.apache.karaf.deployer.blueprint.BlueprintTransformer.transform(BlueprintTransformer.java:71) ~[63:org.apache.karaf.deployer.blueprint:4.2.2]
>     at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:73) [63:org.apache.karaf.deployer.blueprint:4.2.2]
>     at java.net.URL.openStream(URL.java:1045) [?:?]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:962) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:884) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:489) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:365) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:316) [10:org.apache.felix.fileinstall:3.6.4]
> 2018-12-31T16:17:31,881 | ERROR | fileinstall-/opt/sgscamel/karaf/apache-karaf-4.2.2/deploy | fileinstall | 10 - org.apache.felix.fileinstall - 3.6.4 | Failed to install artifact: /opt/sgscamel/karaf/apache-karaf-4.2.2/deploy/connectionfactory-amq1.xml
> java.io.IOException: Error opening blueprint xml url
>     at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:78) ~[?:?]
>     at java.net.URL.openStream(URL.java:1045) ~[?:?]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:962) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:884) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:489) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:365) [10:org.apache.felix.fileinstall:3.6.4]
>     at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:316) [10:org.apache.felix.fileinstall:3.6.4]
> Caused by: java.lang.IllegalArgumentException: Unknown configuration property http://javax.xml.XMLConstants/property/accessExternalDTD
>     at net.sf.saxon.Configuration.setConfigurationProperty(Configuration.java:4644) ~[?:?]
>     at net.sf.saxon.s9api.Processor.setConfigurationProperty(Processor.java:352) ~[?:?]
>     at net.sf.saxon.jaxp.SaxonTransformerFactory.setAttribute(SaxonTransformerFactory.java:306) ~[?:?]
>     at org.apache.karaf.util.XmlUtils.transformer(XmlUtils.java:154) ~[?:?]
>     at org.apache.karaf.util.XmlUtils.transform(XmlUtils.java:96) ~[?:?]
>     at org.apache.karaf.deployer.blueprint.BlueprintTransformer.analyze(BlueprintTransformer.java:129) ~[?:?]
>     at org.apache.karaf.deployer.blueprint.BlueprintTransformer.transform(BlueprintTransformer.java:71) ~[?:?]
>     at org.apache.karaf.deployer.blueprint.BlueprintURLHandler$Connection.getInputStream(BlueprintURLHandler.java:73) ~[?:?]
>     ... 6 more
>

--
Jean-Baptiste Onofré
[email protected]
http://blog.nanthrax.net
Talend - http://www.talend.com
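
An added example, not part of the original thread and not Karaf's XmlUtils code: one way to apply the hardening described above while tolerating a TransformerFactory implementation that throws IllegalArgumentException for the JAXP 1.5 access attributes, as Saxon does in the quoted trace. The class name SafeTransformerFactory and its harden method are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

// Hypothetical helper for illustration; not Karaf's XmlUtils.
public final class SafeTransformerFactory {

    // JAXP 1.5 access restrictions; an empty value denies every protocol.
    private static final String[] ACCESS_ATTRIBUTES = {
        XMLConstants.ACCESS_EXTERNAL_DTD,
        XMLConstants.ACCESS_EXTERNAL_STYLESHEET
    };

    /** Hardens tf and returns the attributes this implementation rejected. */
    public static List<String> harden(TransformerFactory tf)
            throws TransformerConfigurationException {
        // The JAXP API requires every implementation to support this feature.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        List<String> rejected = new ArrayList<>();
        for (String attribute : ACCESS_ATTRIBUTES) {
            try {
                tf.setAttribute(attribute, "");
            } catch (IllegalArgumentException e) {
                // A third-party factory may not know the attribute (the
                // failure in the quoted trace); record it instead of aborting.
                rejected.add(attribute);
            }
        }
        return rejected;
    }

    public static void main(String[] args) throws Exception {
        // Resolves to whichever factory is registered at runtime.
        TransformerFactory tf = TransformerFactory.newInstance();
        List<String> rejected = harden(tf);
        System.out.println(tf.getClass().getName() + " rejected: " + rejected);
        if (!rejected.isEmpty()) {
            // This factory does not enforce the restriction, so the parser
            // feeding it has to block external DTDs and entities itself.
            System.out.println("Harden the XML parser for: " + rejected);
        }
    }
}
```

A non-empty return value means the restriction was not applied by that factory, so it is worth logging rather than silently ignoring.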
