Fix security #122

2019-09-26 19:08:48 +02:00 · 2019-09-26 19:08:48 +02:00 · 83138142c5
parent aa9172f715
commit 83138142c5
4 changed files with 27 additions and 0 deletions
--- a/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java
+++ b/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java
@ -69,6 +69,12 @@ class DiagramResponse {
        map.put(FileFormat.BASE64, "text/plain; charset=x-user-defined");
        CONTENT_TYPE = Collections.unmodifiableMap(map);
    }
+    static {
+        OptionFlags.ALLOW_INCLUDE = false;
+        if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) {
+            OptionFlags.ALLOW_INCLUDE = true;
+        }
+    }

    DiagramResponse(HttpServletResponse r, FileFormat f, HttpServletRequest rq) {
        response = r;
--- a/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java
+++ b/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java
@ -56,6 +56,13 @@ import javax.net.ssl.SSLPeerUnverifiedException;
@SuppressWarnings("serial")
 public class ProxyServlet extends HttpServlet {

+    static {
+        OptionFlags.ALLOW_INCLUDE = false;
+        if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) {
+            OptionFlags.ALLOW_INCLUDE = true;
+        }
+    }
+
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {

--- a/src/main/java/net/sourceforge/plantuml/servlet/UmlDiagramService.java
+++ b/src/main/java/net/sourceforge/plantuml/servlet/UmlDiagramService.java
@ -42,6 +42,13 @@ import java.util.regex.Pattern;
@SuppressWarnings("serial")
 public abstract class UmlDiagramService extends HttpServlet {

+    static {
+        OptionFlags.ALLOW_INCLUDE = false;
+        if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) {
+            OptionFlags.ALLOW_INCLUDE = true;
+        }
+    }
+
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {

--- a/src/main/java/net/sourceforge/plantuml/servlet/utility/UmlExtractor.java
+++ b/src/main/java/net/sourceforge/plantuml/servlet/utility/UmlExtractor.java
@ -36,6 +36,13 @@ import net.sourceforge.plantuml.code.TranscoderUtil;
 */
 public class UmlExtractor {

+    static {
+        OptionFlags.ALLOW_INCLUDE = false;
+        if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) {
+            OptionFlags.ALLOW_INCLUDE = true;
+        }
+    }
+
    /**
     * Build the complete UML source from the compressed source extracted from the HTTP URI.
     *