CAMEL-12444: Improved DTD handling in validator component.

davsclaus · davsclaus · commit 8467d644813a · 2018-04-16T10:55:24.000+02:00
diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java b/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
@@ -175,6 +175,7 @@ protected SchemaFactory createSchemaFactory() {
         }  
         if (camelContext == null || !Boolean.parseBoolean(camelContext.getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
             try {
+                LOG.debug("Configuring SchemaFactory to not allow access to external DTD/Schema");
                 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
             } catch (SAXException e) {
                 LOG.warn(e.getMessage(), e);
diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java b/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
@@ -22,6 +22,7 @@
 import java.net.URL;
 import java.util.Collections;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
@@ -53,6 +54,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import static org.apache.camel.processor.validation.SchemaReader.ACCESS_EXTERNAL_DTD;
+
 /**
  * A processor which validates the XML version of the inbound message body
  * against some schema either in XSD or RelaxNG
@@ -100,6 +103,16 @@ protected void doProcess(Exchange exchange) throws Exception {
         }
 
         Validator validator = schema.newValidator();
+        // turn off access to external schema by default
+        if (!Boolean.parseBoolean(exchange.getContext().getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
+            try {
+                LOG.debug("Configuring Validator to not allow access to external DTD/Schema");
+                validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+            } catch (SAXException e) {
+                LOG.warn(e.getMessage(), e);
+            }
+        }
 
         // the underlying input stream, which we need to close to avoid locking files or other resources
         Source source = null;

Original file line number	Diff line number	Diff line change
`@@ -175,6 +175,7 @@ protected SchemaFactory createSchemaFactory() {`
`175`	`175`	`}`
`176`	`176`	`if (camelContext == null \|\| !Boolean.parseBoolean(camelContext.getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {`
`177`	`177`	`try {`
	`178`	`+ LOG.debug("Configuring SchemaFactory to not allow access to external DTD/Schema");`
`178`	`179`	`factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");`
`179`	`180`	`} catch (SAXException e) {`
`180`	`181`	`LOG.warn(e.getMessage(), e);`