BATIK-1349: Block loading external resource by default
git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1905049 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
index 8279a9a..dc4e9d0 100644
--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultExternalResourceSecurity.java
@@ -77,6 +77,9 @@
ParsedURL docURL){
// Make sure that the archives comes from the same host
// as the document itself
+ if (DATA_PROTOCOL.equals(externalResourceURL.getProtocol())) {
+ return;
+ }
if (docURL == null) {
se = new SecurityException
(Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
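Review bot: The new `data:` early return sits under the existing comment about same-host checks, so the reason for the exemption is not documented, and returning before `se` is assigned appears to be what marks the resource as allowed. I would add a comment directly above the check, such as `// data: URLs carry their content inline and cause no fetch, so the host check does not apply`. A test should confirm that a `data:` reference is accepted while a cross-host reference is still rejected. The check also dereferences `externalResourceURL` before any null handling visible here; whether a caller can pass null cannot be seen from this hunk, whose constructor starts and ends outside it.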
diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
index a42f3e3..bbf4927 100644
--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
@@ -501,11 +501,11 @@
public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
= Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
- public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
- = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
+ public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES
+ = Messages.get("Main.cl.option.allow.external.resources", "-allowExternalResources");
- public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
- = Messages.get("Main.cl.option.block.external.resources.description", "No description");
+ public static String CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION
+ = Messages.get("Main.cl.option.allow.external.resources.description", "No description");
/**
* Option to turn off secure execution of scripts
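Review bot: The renamed constants look up two new message keys, `Main.cl.option.allow.external.resources` and `Main.cl.option.allow.external.resources.description`, but no resource-bundle change appears in this diff. If the bundle is not updated, the second argument to `Messages.get` appears to serve as the fallback, so the usage text for the new opt-in would read `No description`. Because this option now widens what the rasterizer may load, its help text should state that plainly. Removing the public `CL_OPTION_BLOCK_EXTERNAL_RESOURCES*` fields is also a source-incompatible change for code that referenced them.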
@@ -836,14 +836,14 @@
}
});
- optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
+ optionMap.put(CL_OPTION_ALLOW_EXTERNAL_RESOURCES,
new NoValueOptionHandler(){
public void handleOption(SVGConverter c){
- c.allowExternalResources = false;
+ c.allowExternalResources = true;
}
public String getOptionDescription(){
- return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
+ return CL_OPTION_ALLOW_EXTERNAL_RESOURCES_DESCRIPTION;
}
});
}
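Review bot: The `-blockExternalResources` handler is replaced rather than kept, so an invocation that was hardened with the old flag no longer has a registered option. How an unregistered option is treated is decided outside this hunk, but it presumably ends in an error or a misparsed argument. Keeping the old flag as an accepted option that sets `c.allowExternalResources = false` lets existing scripts keep running with the safe behaviour; this requires retaining the two `CL_OPTION_BLOCK_EXTERNAL_RESOURCES*` constants removed in the earlier hunk. The enclosing static initializer starts outside the hunk.

```java
// … unchanged: -allowExternalResources handler …
// Kept so existing invocations still parse; blocking is already the default.
optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
              new NoValueOptionHandler(){
                  public void handleOption(SVGConverter c){
                      c.allowExternalResources = false;
                  }
                  public String getOptionDescription(){
                      return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
                  }
              });
```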
diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
index 9ec2135..f2b1059 100644
--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
@@ -253,7 +253,7 @@
the document which references them. */
protected boolean constrainScriptOrigin = true;
- protected boolean allowExternalResources = true;
+ protected boolean allowExternalResources;
/** Controls whether scripts should be run securely or not */
protected boolean securityOff = false;
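Review bot: The security default for `allowExternalResources` is now carried by an implicit field initializer, while the neighbouring flags spell theirs out (`constrainScriptOrigin = true`, `securityOff = false`) and have a doc comment. I would write `protected boolean allowExternalResources = false;` and precede it with `/** Controls whether external resources may be loaded; off unless explicitly enabled */`, so the deny-by-default intent is visible to whoever edits this field next.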
@@ -927,8 +927,8 @@
map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
}
- if (!allowExternalResources) {
- map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
+ if (allowExternalResources) {
+ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.TRUE);
}
return map;
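Review bot: When `allowExternalResources` is false the converter now sets no hint at all, so blocking depends entirely on the transcoder's default in another module. Passing the value explicitly, `map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.valueOf(allowExternalResources));`, keeps the rasterizer restrictive even if a transcoder subclass or a later change picks a different default. The enclosing method starts outside the hunk.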
diff --git a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
index 8d6ffe3..bc4d233 100644
--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
@@ -32,11 +32,11 @@
import org.apache.batik.bridge.BaseScriptingEnvironment;
import org.apache.batik.bridge.BridgeContext;
import org.apache.batik.bridge.BridgeException;
+import org.apache.batik.bridge.DefaultExternalResourceSecurity;
import org.apache.batik.bridge.DefaultScriptSecurity;
import org.apache.batik.bridge.ExternalResourceSecurity;
import org.apache.batik.bridge.GVTBuilder;
import org.apache.batik.bridge.NoLoadScriptSecurity;
-import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
import org.apache.batik.bridge.RelaxedScriptSecurity;
import org.apache.batik.bridge.SVGUtilities;
import org.apache.batik.bridge.ScriptSecurity;
@@ -1118,7 +1118,7 @@
if (isAllowExternalResources()) {
return super.getExternalResourceSecurity(resourceURL, docURL);
}
- return new NoLoadExternalResourceSecurity();
+ return new DefaultExternalResourceSecurity(resourceURL, docURL);
}
public boolean isAllowExternalResources() {
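Review bot: The restricted branch no longer refuses every load: it now returns `DefaultExternalResourceSecurity`, which by its own comment checks that the resource comes from the same host as the document and, after this commit, also lets `data:` URLs through. That is narrower than the commit title suggests, and how the host comparison treats `file:` documents is not visible in this diff. I would add a comment on the return, such as `// Not a full block: same-host and data: resources are still permitted`, so callers handling untrusted SVG know what remains reachable. A test should pin the behaviour for a `file:` document that references another local path. The method starts outside the hunk.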
@@ -1126,7 +1126,7 @@
if (b != null) {
return b;
}
- return true;
+ return false;
}
}
}
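Review bot: `isAllowExternalResources()` changes its fallback from `true` to `false` without any Javadoc recording the new contract, so transcoder API users who never set the hint will see external references stop loading with no explanation. I would document it on the method, for example `/** Returns the value of the allow-external-resources hint, or false when the hint is not set. */`. The same default should be stated where `KEY_ALLOW_EXTERNAL_RESOURCES` is declared, which is outside this diff. The line that reads `b` is outside the hunk, so the hint name in that Javadoc is inferred from the converter change.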