From 83138142c5f0f0b1111add203ebc33eda803dc47 Mon Sep 17 00:00:00 2001 From: Arnaud Roques Date: Thu, 26 Sep 2019 19:08:48 +0200 Subject: [PATCH] Fix security #122 --- .../net/sourceforge/plantuml/servlet/DiagramResponse.java | 6 ++++++ .../net/sourceforge/plantuml/servlet/ProxyServlet.java | 7 +++++++ .../sourceforge/plantuml/servlet/UmlDiagramService.java | 7 +++++++ .../sourceforge/plantuml/servlet/utility/UmlExtractor.java | 7 +++++++ 4 files changed, 27 insertions(+) diff --git a/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java b/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java index c0ef9b7..b3af58a 100644 --- a/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java +++ b/src/main/java/net/sourceforge/plantuml/servlet/DiagramResponse.java @@ -69,6 +69,12 @@ class DiagramResponse { map.put(FileFormat.BASE64, "text/plain; charset=x-user-defined"); CONTENT_TYPE = Collections.unmodifiableMap(map); } + static { + OptionFlags.ALLOW_INCLUDE = false; + if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) { + OptionFlags.ALLOW_INCLUDE = true; + } + } DiagramResponse(HttpServletResponse r, FileFormat f, HttpServletRequest rq) { response = r; diff --git a/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java b/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java index 979abde..43fd8f7 100644 --- a/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java +++ b/src/main/java/net/sourceforge/plantuml/servlet/ProxyServlet.java @@ -56,6 +56,13 @@ import javax.net.ssl.SSLPeerUnverifiedException; @SuppressWarnings("serial") public class ProxyServlet extends HttpServlet { + static { + OptionFlags.ALLOW_INCLUDE = false; + if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) { + OptionFlags.ALLOW_INCLUDE = true; + } + } + @Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { 
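Review bot: The same static initializer is pasted into four classes (this hunk, and the ProxyServlet, UmlDiagramService and UmlExtractor hunks below), and each copy only runs when the JVM first initializes that particular class, so until one of the four is touched the library's own default for `OptionFlags.ALLOW_INCLUDE` (not visible in this patch) is what governs any rendering path that does not pass through them. Because the field is a process-wide mutable static, one deployment-time hook — a `ServletContextListener.contextInitialized` or a single package-private helper that each class calls from its static block — would apply the policy once and deterministically rather than on first use of whichever servlet happens to load first. The two-step assignment can also collapse to one line, `OptionFlags.ALLOW_INCLUDE = "true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"));`. Whichever shape is kept deserves a comment stating the intent and the exact opt-in value, e.g. `// !include processing stays disabled unless the container sets ALLOW_PLANTUML_INCLUDE=true (security #122).` The enclosing DiagramResponse class starts and ends outside this hunk.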
diff --git a/src/main/java/net/sourceforge/plantuml/servlet/UmlDiagramService.java b/src/main/java/net/sourceforge/plantuml/servlet/UmlDiagramService.java index a90f178..fd996c3 100644 --- a/src/main/java/net/sourceforge/plantuml/servlet/UmlDiagramService.java +++ b/src/main/java/net/sourceforge/plantuml/servlet/UmlDiagramService.java @@ -42,6 +42,13 @@ import java.util.regex.Pattern; @SuppressWarnings("serial") public abstract class UmlDiagramService extends HttpServlet { + static { + OptionFlags.ALLOW_INCLUDE = false; + if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) { + OptionFlags.ALLOW_INCLUDE = true; + } + } + @Override public void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { diff --git a/src/main/java/net/sourceforge/plantuml/servlet/utility/UmlExtractor.java b/src/main/java/net/sourceforge/plantuml/servlet/utility/UmlExtractor.java index 6b2b5e8..fd6b789 100644 --- a/src/main/java/net/sourceforge/plantuml/servlet/utility/UmlExtractor.java +++ b/src/main/java/net/sourceforge/plantuml/servlet/utility/UmlExtractor.java @@ -36,6 +36,13 @@ import net.sourceforge.plantuml.code.TranscoderUtil; */ public class UmlExtractor { + static { + OptionFlags.ALLOW_INCLUDE = false; + if ("true".equalsIgnoreCase(System.getenv("ALLOW_PLANTUML_INCLUDE"))) { + OptionFlags.ALLOW_INCLUDE = true; + } + } + /** * Build the complete UML source from the compressed source extracted from the HTTP URI. *