Disable URLDataSource by default for Aegis (#1727)

(cherry picked from commit d0baeb3) (cherry picked from commit f973751)
apache · Mar 6, 2024 · 659a8f9 · 659a8f9
1 parent 0f34554
commit 659a8f9
Showing 1 changed file with 21 additions and 10 deletions.
diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
@@ -31,9 +31,14 @@
 import org.apache.cxf.aegis.DatabindingException;
 import org.apache.cxf.aegis.util.UID;
 import org.apache.cxf.attachment.AttachmentImpl;
+import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.message.Attachment;
 
 public final class AttachmentUtil {
+    // The xop:include "href" attribute (https://www.w3.org/TR/xop10/#xop_href) may include 
+    // arbitrary URL which we should never follow (unless explicitly allowed).
+    public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = "org.apache.cxf.attachment.xop.follow.urls";
+
     private AttachmentUtil() {
         //utility class
     }
@@ -52,28 +57,34 @@ public static Attachment getAttachment(String id, Collection<Attachment> attachm
         if (id == null) {
             throw new DatabindingException("Cannot get attachment: null id");
         }
+        if (attachments == null) {
+            return null;
+        }
+
+
         int i = id.indexOf("cid:");
         if (i != -1) {
             id = id.substring(4).trim();
         }
 
-        if (attachments == null) {
-            return null;
-        }
-
         for (Iterator<Attachment> iter = attachments.iterator(); iter.hasNext();) {
             Attachment a = iter.next();
             if (a.getId().equals(id)) {
                 return a;
             }
         }
 
-        // Try loading the URL remotely
-        try {
-            URLDataSource source = new URLDataSource(new URL(id));
-            return new AttachmentImpl(id, new DataHandler(source));
-        } catch (MalformedURLException e) {
-            return null;
+        final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+                        .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"));
+        if (followUrls) {
+            // Try loading the URL remotely
+            try {
+                URLDataSource source = new URLDataSource(new URL(id));
+                return new AttachmentImpl(id, new DataHandler(source));
+            } catch (MalformedURLException e) {
+                return null;
+            }
         }
+        return null;
     }
 }