From d0baeb3ee64c6d7c883bd2f5c4cb0de6b0b5f463 Mon Sep 17 00:00:00 2001
From: Colm O hEigeartaigh
Date: Wed, 6 Mar 2024 15:43:02 +0000
Subject: [PATCH] Disable URLDataSource by default for Aegis (#1727)

---
 .../cxf/aegis/type/mtom/AttachmentUtil.java | 31 +++++++++++++------
 1 file changed, 21 insertions(+), 10 deletions(-)

diff --git a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
index 31c70c805ae..fbc7b21cf3b 100644
--- a/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
+++ b/rt/databinding/aegis/src/main/java/org/apache/cxf/aegis/type/mtom/AttachmentUtil.java
@@ -30,9 +30,14 @@ import org.apache.cxf.aegis.DatabindingException;
 
 import org.apache.cxf.aegis.util.UID;
 import org.apache.cxf.attachment.AttachmentImpl;
+import org.apache.cxf.common.util.SystemPropertyAction;
 import org.apache.cxf.message.Attachment;
 
 public final class AttachmentUtil {
+    // The xop:include "href" attribute (https://www.w3.org/TR/xop10/#xop_href) may include
+    // arbitrary URL which we should never follow (unless explicitly allowed).
+    public static final String ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY = "org.apache.cxf.attachment.xop.follow.urls";
+
     private AttachmentUtil() {
         //utility class
     }
@@ -51,15 +56,16 @@ public static Attachment getAttachment(String id, Collection attachm
         if (id == null) {
             throw new DatabindingException("Cannot get attachment: null id");
         }
+        if (attachments == null) {
+            return null;
+        }
+
+
         int i = id.indexOf("cid:");
         if (i != -1) {
             id = id.substring(4).trim();
         }
 
-        if (attachments == null) {
-            return null;
-        }
-
         for (Iterator iter = attachments.iterator(); iter.hasNext();) {
             Attachment a = iter.next();
             if (a.getId().equals(id)) {
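Review bot: The new public constant ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY is documented with a line comment, so the property name, its default and its effect never reach the generated API docs; since this is the switch an operator has to find, make it Javadoc, e.g. `/** System property (default {@code false}) that, when {@code true}, lets {@link #getAttachment} resolve an xop:include href that is not a {@code cid:} reference by fetching it as a URL. */`. The existing wording also reads better as "may include an arbitrary URL, which we should never follow unless explicitly allowed".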
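Review bot: The second hunk inserts two consecutive blank lines between the moved `attachments == null` early return and `int i = id.indexOf("cid:");`; the rest of the method, including the blank kept before the `for` loop in the same hunk, separates statements with a single blank line, so one of the two added blank lines should go. getAttachment's signature is outside the hunk.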
@@ -67,12 +73,17 @@ public static Attachment getAttachment(String id, Collection attachm
             }
         }
 
-        // Try loading the URL remotely
-        try {
-            URLDataSource source = new URLDataSource(new URL(id));
-            return new AttachmentImpl(id, new DataHandler(source));
-        } catch (MalformedURLException e) {
-            return null;
+        final boolean followUrls = Boolean.valueOf(SystemPropertyAction
+            .getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"));
+        if (followUrls) {
+            // Try loading the URL remotely
+            try {
+                URLDataSource source = new URLDataSource(new URL(id));
+                return new AttachmentImpl(id, new DataHandler(source));
+            } catch (MalformedURLException e) {
+                return null;
+            }
         }
+        return null;
     }
 }
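Review bot: Once the opt-in property is set, the guarded branch still hands `new URL(id)` to URLDataSource with no restriction on the scheme, so enabling it restores fetching of anything the JDK's URL handlers accept (file:, jar:, ftp:, ...) rather than only remote HTTP(S) hrefs, which is what the comment "Try loading the URL remotely" suggests is intended; whether any caller depends on non-HTTP schemes is not visible from this hunk, so treat the allow-list below as a proposal to confirm against existing tests. A second, smaller point: `Boolean.valueOf(...)` boxes and immediately unboxes, and `Boolean.parseBoolean(SystemPropertyAction.getProperty(ATTACHMENT_XOP_FOLLOW_URLS_PROPERTY, "false"))` is the idiomatic primitive form. The enclosing getAttachment starts outside the hunk; the silent `return null` on MalformedURLException is carried over unchanged, and a debug log there would make a refused or unparsable href diagnosable if the class has a logger available.
```java
        if (followUrls) {
            // Try loading the URL remotely
            try {
                URL url = new URL(id);
                String scheme = url.getProtocol();
                // Only remote HTTP(S) hrefs are followed; file:, jar:, ftp: and the like are refused.
                if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
                    return null;
                }
                URLDataSource source = new URLDataSource(url);
                return new AttachmentImpl(id, new DataHandler(source));
            } catch (MalformedURLException e) {
                return null;
            }
        }
        // … unchanged: final return null …
```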