This is an automated email from the ASF dual-hosted git repository.

davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 628a1622666b4ce0d08a03e399ef9ab55e862047
Author: Claus Ibsen <claus.ib...@gmail.com>
AuthorDate: Sun Dec 25 14:08:12 2022 +0100

    CAMEL-18825: Make XML parser/transformers more secure out of the box.
---
 .../org/apache/camel/component/cm/CMSenderOneMessageImpl.java    | 9 +++------
 .../modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc          | 4 ++++
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git 
a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
 
b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
index 7fe25e2d862..7e897d32a1c 100644
--- 
a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
+++ 
b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
@@ -65,7 +65,6 @@ public class CMSenderOneMessageImpl implements CMSender {
     private final UUID productToken;
 
     public CMSenderOneMessageImpl(final String url, final UUID productToken) {
-
         this.url = url;
         this.productToken = productToken;
     }
@@ -87,13 +86,13 @@ public class CMSenderOneMessageImpl implements CMSender {
     }
 
     private String createXml(final CMMessage message) {
-
         try {
-
             final ByteArrayOutputStream xml = new ByteArrayOutputStream();
             final DocumentBuilderFactory factory = 
DocumentBuilderFactory.newInstance();
             factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
+            
factory.setFeature("http://xml.org/sax/features/external-general-entities";, 
false);
+            
factory.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
             factory.setNamespaceAware(true);
 
             // Get the DocumentBuilder
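Review bot: The two new `setFeature` calls carry no comment explaining why they are there, and on their own they look redundant: `disallow-doctype-decl` on the preceding line already makes any DOCTYPE a fatal error, so no entity declaration can reach the parser before these flags would apply. A short comment such as `// XXE hardening (CAMEL-18825): defence in depth, DOCTYPE is already rejected above` would stop the next maintainer from removing them as dead configuration. The usual companions on a DocumentBuilderFactory, `factory.setXIncludeAware(false);` and `factory.setExpandEntityReferences(false);`, are not set in this hunk; whether they matter depends on whether the builder is ever used to parse input rather than only to create a new document, which the rest of createXml (outside the hunk) would show.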
@@ -170,9 +169,7 @@ public class CMSenderOneMessageImpl implements CMSender {
             final Result dest = new StreamResult(xml);
             aTransformer.transform(src, dest);
             return xml.toString();
-        } catch (final TransformerException e) {
-            throw new XMLConstructionException(String.format("Cant serialize 
CMMessage %s", message), e);
-        } catch (final ParserConfigurationException e) {
+        } catch (final TransformerException | ParserConfigurationException e) {
             throw new XMLConstructionException(String.format("Cant serialize 
CMMessage %s", message), e);
         }
     }
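Review bot: `return xml.toString();` just above the merged catch decodes the ByteArrayOutputStream with the JVM's default charset, so on a non-UTF-8 platform the serialized XML can be mis-decoded even though the merge of the two catch clauses is itself fine; `return xml.toString(StandardCharsets.UTF_8);` pins the decoding, assuming the transformer is configured to emit UTF-8 (its setup and the needed import are outside the hunk). Separately, the retained message `String.format("Cant serialize CMMessage %s", message)` interpolates the whole CMMessage into the exception, and if its toString includes the recipient number or SMS text that content will surface in logs and error responses, so an identifier alone would be the safer choice. The `final` on the multi-catch parameter is implicit in Java and can be dropped.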
diff --git 
a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc 
b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
index e3e9ae59b0a..219c0f8b4c0 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
@@ -14,6 +14,10 @@ XML parsers & XML transformers has been made more secure by 
disabling access to
 
 The `StAXJAXBIteratorExpression` has been made more secure by disabling XML 
parser to access external DTD/Schema.
 
+=== camel-cm-sms
+
+XML parsers has been made more secure by disabling access to external 
DTD/Schema.
+
 === camel-schematron
 
 XML parsers has been made more secure by disabling access to external 
DTD/Schema.
