From 92081b203523c5ed502ed41df43cbd8655caf9b9 Mon Sep 17 00:00:00 2001 From: Claus Ibsen Date: Thu, 12 Nov 2015 15:06:32 +0100 Subject: [PATCH] CAMEL-9309: Make it easier to turn on|off java transport over http --- .../apache/camel/component/http4/HttpComponent.java | 12 ++++++++++++ .../apache/camel/component/http4/HttpProducer.java | 13 +++++++++++-- 2 files changed, 23 insertions(+), 2 deletions(-) diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java index a2be67260953a..df47d50ae5eb7 100644 --- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java +++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpComponent.java @@ -381,6 +381,18 @@ public void setHttpConfiguration(HttpConfiguration httpConfiguration) { super.setHttpConfiguration(httpConfiguration); } + /** + * Whether to allow java serialization when a request uses context-type=application/x-java-serialized-object + *

+ * This is by default turned off. If you enable this then be aware that Java will deserialize the incoming + * data from the request to Java and that can be a potential security risk. + */ + @Override + public void setAllowJavaSerializedObject(boolean allowJavaSerializedObject) { + // need to override and call super for component docs + super.setAllowJavaSerializedObject(allowJavaSerializedObject); + } + public HttpContext getHttpContext() { return httpContext; } diff --git a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java index 9a22fbf34ddb4..09f347d023cef 100644 --- a/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java +++ b/components/camel-http4/src/main/java/org/apache/camel/component/http4/HttpProducer.java @@ -304,7 +304,7 @@ protected static Map extractResponseHeaders(Header[] responseHea * @return the response either as a stream, or as a deserialized java object * @throws IOException can be thrown */ - protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException { + protected Object extractResponseBody(HttpRequestBase httpRequest, HttpResponse httpResponse, Exchange exchange, boolean ignoreResponseBody) throws IOException, ClassNotFoundException { HttpEntity entity = httpResponse.getEntity(); if (entity == null) { return null; @@ -331,7 +331,13 @@ protected static Object extractResponseBody(HttpRequestBase httpRequest, HttpRes } // if content type is a serialized java object then de-serialize it back to a Java object if (contentType != null && contentType.equals(HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT)) { - return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext()); + // only deserialize java if allowed + if (getEndpoint().getComponent().isAllowJavaSerializedObject() || getEndpoint().isTransferException()) { + return HttpHelper.deserializeJavaObjectFromStream(is, exchange.getContext()); + } else { + // empty response + return null; + } } else { InputStream response = null; if (!ignoreResponseBody) { @@ -444,6 +450,9 @@ protected HttpEntity createRequestEntity(Exchange exchange) throws CamelExchange } if (contentTypeString != null && HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT.equals(contentTypeString)) { + if (!getEndpoint().getComponent().isAllowJavaSerializedObject()) { + throw new CamelExchangeException("Content-type " + org.apache.camel.http.common.HttpConstants.CONTENT_TYPE_JAVA_SERIALIZED_OBJECT + " is not allowed", exchange); + } // serialized java object Serializable obj = in.getMandatoryBody(Serializable.class); // write object to output stream