This is an automated email from the ASF dual-hosted git repository. coheigea pushed a commit to branch coheigea/Aegis-MTOM in repository https://gitbox.apache.org/repos/asf/cxf.git
commit 3173d78b1b36ec6ba5e1e34cea043fc5496f0bc2 Author: Colm O hEigeartaigh <cohei...@apache.org> AuthorDate: Wed Mar 6 14:29:31 2024 +0000 Disable URLDataSource by default for Aegis --- .../apache/cxf/aegis/type/mtom/AttachmentUtil.java | 31 +++++++++++++++------- 1 file changed, 21 insertions(+), 10 deletions(-)
diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
index 31c70c805a..fbc7b21cf3 100644
--- a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
+++ b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
@@ -30,9 +30,14 @@ import jakarta.activation.URLDataSource;
 import org.apache.cxf.aegis.DatabindingException;
 import org.apache.cxf.aegis.util.UID;
 import org.apache.cxf.attachment.AttachmentImpl;
+import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.message.Attachment;
 public final class AttachmentUtil {
+ // The xop:include "href" attribute (https://www.w3.org/TR/xop10/#xop_href) may include
+ // arbitrary URL which we should never follow (unless explicitly allowed).
+ public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = "org.apache.cxf.attachment.xop.follow.urls";
+
 private AttachmentUtil() {
 //utility class
 }
@@ -51,15 +56,16 @@ public final class AttachmentUtil {
 if (id == null) {
 throw new DatabindingException("Cannot get attachment: null id");
 }
+ if (attachments == null) {
+ return null;
+ }
+
+
 int i = id.indexOf("cid:");
 if (i != -1) {
 id = id.substring(4).trim();
 }
- if (attachments == null) {
- return null;
- }
-
 for (Iterator<Attachment> iter = attachments.iterator(); iter.hasNext();) {
 Attachment a = iter.next();
 if (a.getId().equals(id)) {
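Review bot: The new public constant `ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY` is documented only with a `//` comment, so the default and the scope of the switch do not appear in the generated API docs. I would turn it into Javadoc that states the property is read as a system property through `SystemPropertyAction`, that it defaults to `"false"`, and that enabling it makes Aegis dereference an unmatched xop:Include href as a URL, for example `/** System property; when "true", an href that matches no attachment is fetched as a URL. Defaults to "false". */`. Because it is a system property, it presumably applies to every Aegis endpoint in the JVM rather than per service, which is worth one sentence in the same comment.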
@@ -67,12 +73,17 @@ public final class AttachmentUtil {
 }
 }
- // Try loading the URL remotely
- try {
- URLDataSource source = new URLDataSource(new URL(id));
- return new AttachmentImpl(id, new DataHandler(source));
- } catch (MalformedURLException e) {
- return null;
+ final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+ .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"));
+ if (followUrls) {
+ // Try loading the URL remotely
+ try {
+ URLDataSource source = new URLDataSource(new URL(id));
+ return new AttachmentImpl(id, new DataHandler(source));
+ } catch (MalformedURLException e) {
+ return null;
+ }
 }
+ return null;
 }
 }
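Review bot: Once the property is set to true, the `new URL(id)` branch still dereferences whatever href the message carries, with no check on protocol or destination, so a deployment that opts in gets back the whole exposure that the new default closes. If the opt-in has to stay, I would parse the URL once and refuse anything outside an explicit scheme allow-list before building the `URLDataSource`, e.g. `URL url = new URL(id);` followed by `if (!"https".equals(url.getProtocol())) { return null; }`; the exact list is a project decision, and this alone does not stop requests to internal hosts. The refusal path at the final `return null` is also silent, so a log line there (the class's logging setup is not visible in this hunk) would let operators see hrefs that were rejected. As a small style point, `Boolean.parseBoolean(...)` yields the primitive directly instead of unboxing the result of `Boolean.valueOf(...)`. The method's signature and opening lie outside this hunk.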