Andrea Cosentino created CAMEL-23878:
----------------------------------------

             Summary: core/camel-xml-jaxp: align createSAXParserFactory hardening with createDocumentBuilderFactory
                 Key: CAMEL-23878
                 URL: https://issues.apache.org/jira/browse/CAMEL-23878
             Project: Camel
          Issue Type: Improvement
          Components: camel-core
            Reporter: Andrea Cosentino


h3. Background

In {{XmlConverter}}, {{createDocumentBuilderFactory()}} sets 
{{FEATURE_SECURE_PROCESSING}}, {{disallow-doctype-decl=true}}, and 
{{external-general-entities=false}}. {{createSAXParserFactory()}} sets only 
{{FEATURE_SECURE_PROCESSING}} and {{external-general-entities=false}} -- it 
does not set {{disallow-doctype-decl}}, nor disable 
{{external-parameter-entities}}.

The SAX factory backs {{XMLReaderPool}} and the framework-wide 
{{toSAXSourceFromStream}} conversion, so the two factory methods produce 
parsers with different DOCTYPE / parameter-entity handling depending on which 
path a stream takes. General entities are already blocked on both.

h3. Proposed change

Add to {{createSAXParserFactory()}} (in the existing try/catch + warn style) 
the two features {{createDocumentBuilderFactory()}} already sets:

* {{disallow-doctype-decl}} = true
* {{external-parameter-entities}} = false

h3. Affected code

* {{core/camel-xml-jaxp/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java}} ({{createSAXParserFactory}}, ~lines 1193-1210; compare {{createDocumentBuilderFactory}}, ~lines 1020-1044)

h3. Notes

Consuming code that legitimately relies on DOCTYPE handling through the SAX 
path would be affected; a test should confirm a DOCTYPE-bearing document is 
rejected by the SAX conversion path after the change, matching the DOM path.
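The following is an added example, not Camel's {{XmlConverter}} code: a stand-alone {{SAXParserFactory}} configured with the four features named in this issue (in the same try/catch-and-warn style), plus the kind of check the Notes describe, which feeds a constructed DOCTYPE-bearing document through the hardened SAX parser and reports whether it is rejected. The feature URIs are assumed to be the standard JAXP/Xerces ones; the method names are hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxFactoryExample {

    // Standard JAXP/Xerces feature URIs (assumed; not taken from the Camel source).
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    /**
     * Hypothetical hardened factory: the two features the SAX path already sets,
     * plus the two this issue proposes adding so it matches the DOM factory.
     */
    public static SAXParserFactory createHardenedSAXParserFactory()
            throws ParserConfigurationException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Already set on the SAX path today:
        setFeatureQuietly(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        setFeatureQuietly(factory, EXTERNAL_GENERAL_ENTITIES, false);
        // Proposed additions, aligning with createDocumentBuilderFactory():
        setFeatureQuietly(factory, DISALLOW_DOCTYPE, true);
        setFeatureQuietly(factory, EXTERNAL_PARAMETER_ENTITIES, false);
        return factory;
    }

    /** Set one feature; warn and continue if the parser implementation does not know it. */
    private static void setFeatureQuietly(SAXParserFactory factory, String feature, boolean value)
            throws ParserConfigurationException {
        try {
            factory.setFeature(feature, value);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            System.err.println("WARN: feature " + feature + " not supported: " + e.getMessage());
        }
    }

    /**
     * Parse the document with the hardened factory and report whether the parser
     * rejected it. With disallow-doctype-decl=true, any DOCTYPE causes a SAXException
     * before any entity is ever resolved.
     */
    public static boolean rejects(String xml) throws Exception {
        XMLReader reader = createHardenedSAXParserFactory().newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: an internal-subset DOCTYPE with no entity
        // references at all, and the same document without a DOCTYPE.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]>"
                + "<note>hi</note>";
        String plain = "<?xml version=\"1.0\"?><note>hi</note>";

        System.out.println("DOCTYPE document rejected: " + rejects(withDoctype));
        System.out.println("plain document rejected:   " + rejects(plain));
    }
}
```

A unit test along the lines of the Notes would assert that {{rejects(withDoctype)}} is true and {{rejects(plain)}} is false through the real {{toSAXSourceFromStream}} path, so the SAX and DOM conversions agree on DOCTYPE handling.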



--
This message was sent by Atlassian Jira
(v8.20.10#820010)