This is an automated email from the ASF dual-hosted git repository. davsclaus pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel.git
commit 628a1622666b4ce0d08a03e399ef9ab55e862047
Author: Claus Ibsen <claus.ib...@gmail.com>
AuthorDate: Sun Dec 25 14:08:12 2022 +0100
CAMEL-18825: Make XML parser/transformers more secure out of the box.
---
 .../org/apache/camel/component/cm/CMSenderOneMessageImpl.java | 9 +++------
 .../modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc | 4 ++++
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
index 7fe25e2d862..7e897d32a1c 100644
--- a/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
+++ b/components/camel-cm-sms/src/main/java/org/apache/camel/component/cm/CMSenderOneMessageImpl.java
@@ -65,7 +65,6 @@ public class CMSenderOneMessageImpl implements CMSender {
 private final UUID productToken;
 public CMSenderOneMessageImpl(final String url, final UUID productToken) {
- this.url = url;
 this.productToken = productToken;
 }
@@ -87,13 +86,13 @@ public class CMSenderOneMessageImpl implements CMSender {
 }
 private String createXml(final CMMessage message) {
- try {
- final ByteArrayOutputStream xml = new ByteArrayOutputStream();
 final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 factory.setNamespaceAware(true);
 // Get the DocumentBuilder
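Review bot: The constructor still takes `url` but no longer stores it: `this.url = url;` is deleted while `this.productToken = productToken;` and the parameter list are unchanged. The `url` field and its readers are outside this hunk, so this is inferred: if the field is declared `final` the class will no longer compile, and if it is not, the sender is left with a null target URL for whatever later uses it. Either restore `this.url = url;` or, if the field is genuinely unused, remove the field and the parameter together. The commit message describes XML-parser hardening only, so this deletion looks unintended.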
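Review bot: `try {` and `final ByteArrayOutputStream xml = new ByteArrayOutputStream();` are deleted with no replacement, yet the later hunk at @@ -170 keeps the matching `} catch (...)` and still uses `xml` in `new StreamResult(xml)` and `return xml.toString();`, so as rendered createXml cannot compile; unless lines were lost when this mail was collapsed, those two removed lines should be restored. The two added `setFeature` calls are sound defence in depth on top of `disallow-doctype-decl`, but if, as `// Get the DocumentBuilder` and the later `aTransformer.transform(src, dest)` suggest, this builder only constructs a document from CMMessage fields rather than parsing external input, the component that most needs hardening is the TransformerFactory created further down, outside the hunk — confirm it sets `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_STYLESHEET` to the empty string, as the commit message and upgrade note promise. The body of createXml continues past this hunk.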
@@ -170,9 +169,7 @@ public class CMSenderOneMessageImpl implements CMSender {
 final Result dest = new StreamResult(xml);
 aTransformer.transform(src, dest);
 return xml.toString();
- } catch (final TransformerException e) {
- throw new XMLConstructionException(String.format("Cant serialize CMMessage %s", message), e);
- } catch (final ParserConfigurationException e) {
+ } catch (final TransformerException | ParserConfigurationException e) {
 throw new XMLConstructionException(String.format("Cant serialize CMMessage %s", message), e);
 }
 }
diff --git a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
index e3e9ae59b0a..219c0f8b4c0 100644
--- a/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
+++ b/docs/user-manual/modules/ROOT/pages/camel-3x-upgrade-guide-3_21.adoc
@@ -14,6 +14,10 @@ XML parsers & XML transformers has been made more secure by disabling access to
 The `StAXJAXBIteratorExpression` has been made more secure by disabling XML parser to access external DTD/Schema.
+=== camel-cm-sms
+
+XML parsers has been made more secure by disabling access to external DTD/Schema.
+
 === camel-schematron
 XML parsers has been made more secure by disabling access to external DTD/Schema.
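Review bot: Merging the two catches into `catch (final TransformerException | ParserConfigurationException e)` is fine and keeps the cause, but the surviving `String.format("Cant serialize CMMessage %s", message)` formats the whole CMMessage into the exception text; if CMMessage.toString() (outside this hunk) includes the recipient number or SMS body, that data ends up in stack traces and logs whenever serialisation fails. Consider including only a non-sensitive identifier of the message in the text, and while touching the line, `Cant` should read `Can't`. The opening of this try block lies outside the hunk.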