Andrea Cosentino created CAMEL-23878:
----------------------------------------
Summary: core/camel-xml-jaxp: align createSAXParserFactory hardening with createDocumentBuilderFactory
Key: CAMEL-23878
URL: https://issues.apache.org/jira/browse/CAMEL-23878
Project: Camel
Issue Type: Improvement
Components: camel-core
Reporter: Andrea Cosentino
h3. Background
In {{XmlConverter}}, {{createDocumentBuilderFactory()}} sets
{{FEATURE_SECURE_PROCESSING}}, {{disallow-doctype-decl=true}}, and
{{external-general-entities=false}}. {{createSAXParserFactory()}} sets only
{{FEATURE_SECURE_PROCESSING}} and {{external-general-entities=false}} -- it
does not set {{disallow-doctype-decl}}, nor disable
{{external-parameter-entities}}.
The SAX factory backs {{XMLReaderPool}} and the framework-wide
{{toSAXSourceFromStream}} conversion, so the two factory methods produce
parsers with different DOCTYPE / parameter-entity handling depending on which
path a stream takes. General entities are already blocked on both.
h3. Proposed change
Add to {{createSAXParserFactory()}} (in the existing try/catch + warn style)
the two features {{createDocumentBuilderFactory()}} already sets:
* {{disallow-doctype-decl}} = true
* {{external-parameter-entities}} = false
h3. Affected code
* {{core/camel-xml-jaxp/src/main/java/org/apache/camel/converter/jaxp/XmlConverter.java}} ({{createSAXParserFactory}}, ~lines 1193-1210; compare {{createDocumentBuilderFactory}}, ~lines 1020-1044)
h3. Notes
Consuming code that legitimately relies on DOCTYPE handling through the SAX
path would be affected; a test should confirm a DOCTYPE-bearing document is
rejected by the SAX conversion path after the change, matching the DOM path.
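The following is an added illustration of the proposed change and of the check described in the notes; it is not Camel's {{XmlConverter}} code. It builds a {{SAXParserFactory}} with the same four features the DOM path already sets (standard JAXP/Xerces feature URIs), in the same try/catch-and-warn style, and then parses two constructed documents to show that a DOCTYPE-bearing document is rejected while a plain one still parses. The class and method names ({{HardenedSaxFactoryDemo}}, {{createHardenedSaxParserFactory}}, {{parses}}) are hypothetical.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical demo class; not part of Apache Camel.
public class HardenedSaxFactoryDemo {

    // Builds a SAX factory with the feature set the ticket proposes: secure
    // processing on, DOCTYPE declarations refused, external general and
    // parameter entities disabled. Feature URIs are the standard JAXP/Xerces ones.
    static SAXParserFactory createHardenedSaxParserFactory() {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        setFeature(factory, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        setFeature(factory, "http://apache.org/xml/features/disallow-doctype-decl", true);
        setFeature(factory, "http://xml.org/sax/features/external-general-entities", false);
        setFeature(factory, "http://xml.org/sax/features/external-parameter-entities", false);
        return factory;
    }

    // try/catch + warn style: a parser that does not know a feature is logged,
    // not treated as fatal, so the remaining features are still applied.
    private static void setFeature(SAXParserFactory factory, String name, boolean value) {
        try {
            factory.setFeature(name, value);
        } catch (ParserConfigurationException | SAXException e) {
            System.err.println("WARN: parser does not support feature " + name + ": " + e.getMessage());
        }
    }

    // Parses the document with a no-op handler. Returns true when the parser
    // accepted it and false when it raised a SAXParseException (e.g. the
    // DOCTYPE-disallowed fatal error). Other failures propagate to the caller.
    static boolean parses(SAXParserFactory factory, String xml) throws Exception {
        XMLReader reader = factory.newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an internal DTD subset only, so the check
        // runs offline and exercises nothing but the DOCTYPE feature.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE note [<!ENTITY greeting \"hi\">]>\n"
            + "<note>&greeting;</note>";
        String plain = "<note>hi</note>";

        SAXParserFactory hardened = createHardenedSaxParserFactory();
        System.out.println("plain document accepted:   " + parses(hardened, plain));
        System.out.println("DOCTYPE document accepted: " + parses(hardened, withDoctype));
    }
}
```

With the JDK's bundled Xerces, the first call returns true and the second returns false because the parser reports the DOCTYPE as a fatal error before any entity is expanded. A unit test for the ticket can wrap {{parses}} in the same way: assert that the DOCTYPE-bearing document is rejected through the SAX conversion path and accepted-or-rejected identically through the DOM path, which is the parity the notes ask for.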
--
This message was sent by Atlassian Jira
(v8.20.10#820010)