From 24eefa559fe6b310629d2bf00663d2679ec81b96 Mon Sep 17 00:00:00 2001
From: Claus Ibsen
Date: Mon, 16 Apr 2018 10:55:24 +0200
Subject: [PATCH] CAMEL-12444: Improved DTD handling in validator component.
---
 .../camel/processor/validation/SchemaReader.java | 1 +
 .../processor/validation/ValidatingProcessor.java | 13 +++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java b/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
index ac42cc906a9f8..c77aea0cb35e6 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/validation/SchemaReader.java
@@ -175,6 +175,7 @@ protected SchemaFactory createSchemaFactory() {
 }
 if (camelContext == null || !Boolean.parseBoolean(camelContext.getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
 try {
+ LOG.debug("Configuring SchemaFactory to not allow access to external DTD/Schema");
 factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
 } catch (SAXException e) {
 LOG.warn(e.getMessage(), e);
diff --git a/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java b/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
index 96b3db8605e93..8bba7e760988f 100644
--- a/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
+++ b/camel-core/src/main/java/org/apache/camel/processor/validation/ValidatingProcessor.java
@@ -22,6 +22,7 @@
 import java.net.URL;
 import java.util.Collections;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Result;
 import javax.xml.transform.Source;
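Review bot: In SchemaReader.createSchemaFactory the added debug message says "external DTD/Schema", but the only property set in this block is `XMLConstants.ACCESS_EXTERNAL_DTD`; nothing visible here restricts external schema access on the factory. An operator reading the log would conclude both are blocked, so the message would be accurate as `LOG.debug("Configuring SchemaFactory to not allow access to external DTD");`. createSchemaFactory starts before and continues after this hunk, so a schema restriction may exist outside the visible lines.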
@@ -53,6 +54,8 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import static org.apache.camel.processor.validation.SchemaReader.ACCESS_EXTERNAL_DTD;
+
 /**
 * A processor which validates the XML version of the inbound message body
 * against some schema either in XSD or RelaxNG
@@ -100,6 +103,16 @@ protected void doProcess(Exchange exchange) throws Exception {
 }
 Validator validator = schema.newValidator();
+ // turn off access to external schema by default
+ if (!Boolean.parseBoolean(exchange.getContext().getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
+ try {
+ LOG.debug("Configuring Validator to not allow access to external DTD/Schema");
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ } catch (SAXException e) {
+ LOG.warn(e.getMessage(), e);
+ }
+ }
 // the underlying input stream, which we need to close to avoid locking files or other resources
 Source source = null;
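Review bot: The hardening added to doProcess fails open, because both `validator.setProperty(...)` calls share one `try`. If the Validator implementation rejects `XMLConstants.ACCESS_EXTERNAL_DTD`, the `ACCESS_EXTERNAL_SCHEMA` restriction is never attempted, and validation continues with only `LOG.warn(e.getMessage(), e)`, which does not say which restriction is missing. Setting each property in its own `try` and naming the property in the warning makes the degraded state visible; whether an unsupported property should abort processing instead is a project decision. The block also runs on every exchange, so where a property is unsupported the warning repeats per message. doProcess starts before and continues after this hunk.

```java
if (!Boolean.parseBoolean(exchange.getContext().getGlobalOptions().get(ACCESS_EXTERNAL_DTD))) {
    LOG.debug("Configuring Validator to not allow access to external DTD/Schema");
    // apply each restriction independently so one unsupported property does not skip the other
    for (String property : new String[] {XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_SCHEMA}) {
        try {
            validator.setProperty(property, "");
        } catch (SAXException e) {
            // the restriction for this property is NOT in effect from here on
            LOG.warn("Validator does not support {}; external access is not restricted for it", property, e);
        }
    }
}
// … unchanged: source/result handling …
```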