From 4202730c11ecc6be31e73629c4091d2875efb574 Mon Sep 17 00:00:00 2001 From: HeinrichAD Date: Tue, 13 Jun 2023 18:07:27 +0200 Subject: [PATCH] remove ALLOW_PLANTUML_INCLUDE + update to 1.2023.9 - update Plantuml to v1.2023.9 - PlantUML core removed `OptionFlags.ALLOW_INCLUDE` and uses now the `PLANTUML_SECURITY_PROFILE` --- README.md | 36 +++++++++++-------- pom.parent.xml | 2 +- .../plantuml/servlet/DiagramResponse.java | 5 --- 3 files changed, 22 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index d58f157..ca30ff1 100644 --- a/README.md +++ b/README.md @@ -18,11 +18,15 @@ PlantUML Server is a web application to generate UML diagrams on-the-fly. > [PlantUML is **not** affected by the log4j vulnerability.](https://github.com/plantuml/plantuml/issues/826) -> **Breaking changes**: -> PlantUML Server sets `PLANTUML_SECURITY_PROFILE` to `INTERNET` by default starting with version `v1.2023.9`. -> You can change its behavior back to work like before if you set the environment variable `PLANTUML_SECURITY_PROFILE` to `LEGACY`. -> But before you do that, please take a look to [PlantUMLs Security](https://plantuml.com/security) page. - +> **Breaking changes**: +> The PlantUML core removed the deprecated `ALLOW_PLANTUML_INCLUDE` environment property feature and switch to the +> `PLANTUML_SECURITY_PROFILE` concept with version `v1.2023.9`. +> All details about PlantUML's security can be found on . +> +> By default PlantUML server sets the `PLANTUML_SECURITY_PROFILE` to `INTERNET`. +> If you need more access to e.g. other ports than 80 (http) and 443 (https) or even access to local files, please +> consider using one of the allowlist features. +> It is strongly advised **not** to set the `PLANTUML_SECURITY_PROFILE` below `INTERNET`! ![PlantUML Server](https://raw.githubusercontent.com/plantuml/plantuml-server/master/docs/screenshot.png) 
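Review bot: the first sentence of the new "Breaking changes" block attributes the removal of `ALLOW_PLANTUML_INCLUDE` to the PlantUML core, which contradicts the commit message above: the core removed `OptionFlags.ALLOW_INCLUDE`, while `ALLOW_PLANTUML_INCLUDE` is this server's own environment variable and is what this patch deletes. Suggest rewording along the lines of `PlantUML v1.2023.9 removed OptionFlags.ALLOW_INCLUDE in favour of PLANTUML_SECURITY_PROFILE; PlantUML Server therefore no longer reads the ALLOW_PLANTUML_INCLUDE environment variable.` In the same hunk, `All details about PlantUML's security can be found on .` has no link target as rendered; use the link form the variables section already uses, `[PlantUML security](https://plantuml.com/security)`. Minor: "switch to" should be "switched to", and "below `INTERNET`" does not say in which direction; naming the less restrictive profile the removed text still offered as a fallback (`LEGACY`) would remove the ambiguity.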
@@ -122,6 +126,18 @@ You can set all the following variables: * `BASE_URL` * PlantUML Base URL path * Default value: `ROOT` +* `PLANTUML_SECURITY_PROFILE` + * Set PlantUML security profile. See [PlantUML security](https://plantuml.com/security). + * If you need more access to e.g. other ports than 80 (http) and 443 (https) or even access to local files, please consider using one of the allowlist features: + * `plantuml.allowlist.path` + * `plantuml.include.path` + * `plantuml.allowlist.url` + * It is strongly advised **not** to set the `PLANTUML_SECURITY_PROFILE` below `INTERNET`! + * Default value: `INTERNET` +* `PLANTUML_PROPERTY_FILE` + * Set PlantUML system properties (like over the Java command line using the `-Dpropertyname=value` syntax). + * To see what kind of file content is supported, see the documentation of [`java.util.Properties.load`](https://docs.oracle.com/javase/8/docs/api/java/util/Properties.html#load-java.io.Reader-). + * Default value: `null` * `PLANTUML_CONFIG_FILE` * Local path to a PlantUML configuration file (identical to the `-config` flag on the CLI) * File content will be added before each PlantUML diagram code. 
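Review bot: the new `PLANTUML_SECURITY_PROFILE` entry names `plantuml.allowlist.path`, `plantuml.include.path` and `plantuml.allowlist.url` but never says how an operator sets them in this server; the only documented mechanism is the `PLANTUML_PROPERTY_FILE` entry that immediately follows, so the two entries should point at each other. Suggest a sub-bullet such as `* These are Java system properties; set them in the file referenced by PLANTUML_PROPERTY_FILE, e.g. plantuml.include.path=/srv/plantuml/includes` (the path is illustrative). A concrete value also makes visible what the change buys: `!include` is scoped to a named directory instead of whatever the working directory happens to be, which is what the removed `ALLOW_PLANTUML_INCLUDE` behaviour did.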
@@ -138,16 +154,6 @@ You can set all the following variables: * `HTTP_PROXY_READ_TIMEOUT` * when calling the `proxy` endpoint, the value of `HTTP_PROXY_READ_TIMEOUT` will be the connection read timeout in milliseconds * Default value: `10000` (10 seconds) -* `ALLOW_PLANTUML_INCLUDE` - * Enables `!include` processing which can read files from the server into diagrams. Files are read relative to the current working directory. - * Default value: `false` -* `PLANTUML_SECURITY_PROFILE` - * Set PlantUML security profile. See [PlantUML security](https://plantuml.com/security). - * Default value: `INTERNET` -* `PLANTUML_PROPERTY_FILE` - * Set PlantUML system properties (like over the Java command line using the `-Dpropertyname=value` syntax). - * To see what kind of file content is supported, see the documentation of [`java.util.Properties.load`](https://docs.oracle.com/javase/8/docs/api/java/util/Properties.html#load-java.io.Reader-). - * Default value: `null` ## Alternate: How to build your docker image diff --git a/pom.parent.xml b/pom.parent.xml index 9230a0f..2542433 100644 --- a/pom.parent.xml +++ b/pom.parent.xml @@ -61,7 +61,7 @@ /${wtp.contextName} - 1.2023.8 + 1.2023.9 11.0.15
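Review bot: the `ALLOW_PLANTUML_INCLUDE` entry is deleted with no migration sentence, and the diffstat shows `DiagramResponse.java` only losing lines, so a deployment that still sets `ALLOW_PLANTUML_INCLUDE=true` will have the variable silently ignored and `!include` will stop working with nothing in the logs explaining why. Suggest one line in the "Breaking changes" note, e.g. `ALLOW_PLANTUML_INCLUDE is no longer read; configure plantuml.include.path via PLANTUML_PROPERTY_FILE instead`, and a startup warning when the obsolete variable is present, so the change fails loudly rather than quietly.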
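Review bot: the `1.2023.8` to `1.2023.9` bump in `pom.parent.xml` is what pulls in the core that dropped `OptionFlags.ALLOW_INCLUDE`, so it cannot be separated from the `DiagramResponse.java` deletions listed in the diffstat: a backport that takes only the version bump will fail to compile against the removed flag, and one that takes only the README will document behaviour the server does not have. Worth a sentence in the commit message stating that the three files form one atomic change.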