CAMEL-7713 Set the Xerces SecurityManager for the DocumentBuilderFactory by default
Project: http://git-wip-us.apache.org/repos/asf/camel/repo Commit: http://git-wip-us.apache.org/repos/asf/camel/commit/a6227486 Tree: http://git-wip-us.apache.org/repos/asf/camel/tree/a6227486 Diff: http://git-wip-us.apache.org/repos/asf/camel/diff/a6227486 Branch: refs/heads/camel-2.12.x Commit: a6227486c44620d450a582132a627166608436d7 Parents: 8c4e34f Author: Willem Jiang <willem.ji...@gmail.com> Authored: Mon Aug 18 20:54:55 2014 +0800 Committer: Willem Jiang <willem.ji...@gmail.com> Committed: Mon Aug 18 21:33:42 2014 +0800 ---------------------------------------------------------------------- .../org/apache/camel/converter/jaxp/XmlConverter.java | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/camel/blob/a6227486/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java ----------------------------------------------------------------------
diff --git a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
index 4580c41..2543de5 100644
--- a/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
+++ b/camel-core/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java
@@ -957,7 +957,19 @@ public class XmlConverter {
 factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
 } catch (ParserConfigurationException e) {
 LOG.warn("DocumentBuilderFactory doesn't support the feature {} with value {}, due to {}."
- , new Object[]{"http://xml.org/sax/features/external-general-entities", true, e});
+ , new Object[]{"http://xml.org/sax/features/external-general-entities", false, e});
+ }
+ // setup the SecurityManager by default if it's apache xerces
+ try {
+ Class<?> smClass = ObjectHelper.loadClass("org.apache.xerces.util.SecurityManager");
+ if (smClass != null) {
+ Object sm = smClass.newInstance();
+ // Here we just use the default setting of the SeurityManager
+ factory.setAttribute("http://apache.org/xml/properties/security-manager", sm);
+ }
+ } catch (Exception e) {
+ LOG.warn("DocumentBuilderFactory doesn't support the attribute {} with value {}, due to {}."
+ , new Object[]{"http://apache.org/xml/properties/security-manager", true, e});
 }
 // setup the feature from the system property
 setupFeatures(factory);
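Review bot: The warning in the new catch block passes `true` as the value of the security-manager attribute, the same copy-paste slip this commit corrects in the external-general-entities warning just above it; the value actually set is a SecurityManager instance, so the arguments would read better as `, new Object[]{"http://apache.org/xml/properties/security-manager", "org.apache.xerces.util.SecurityManager", e});`. The `catch (Exception e)` also covers a failed `newInstance()`, for which "doesn't support the attribute" is misleading, and in every failure case the factory is still handed out without the Xerces entity-expansion limits, so this warning is the only trace an operator gets; narrowing the catch or saying in the message that the limits are not in force would make that visible. The comment typo `SeurityManager` should be `SecurityManager`. The enclosing method starts and ends outside this hunk, so whether secure processing is enabled elsewhere on the factory cannot be judged from here.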