From: Markus Koschany
Date: Sat, 29 Oct 2022 08:28:58 +0200
Subject: CVE-2022-41704
Origin: http://svn.apache.org/viewvc?view=revision&revision=1904320
---
 .../src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
index cab8e0e..a3daa0d 100644
--- a/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
+++ b/batik-bridge/src/main/java/org/apache/batik/bridge/DefaultScriptSecurity.java
@@ -19,6 +19,7 @@
 package org.apache.batik.bridge;

 import org.apache.batik.util.ParsedURL;
+import static org.apache.batik.util.SVGConstants.SVG_SCRIPT_TYPE_JAVA;

 /**
 * Default implementation for the ScriptSecurity interface.
@@ -76,7 +77,7 @@ public class DefaultScriptSecurity implements ScriptSecurity {
 ParsedURL docURL){
 // Make sure that the archives comes from the same host
 // as the document itself
- if (docURL == null) {
+ if (docURL == null || SVG_SCRIPT_TYPE_JAVA.equals(scriptType)) {
 se = new SecurityException
 (Messages.formatMessage(ERROR_CANNOT_ACCESS_DOCUMENT_URL,
 new Object[]{scriptURL}));
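Review bot: In the second hunk, a script refused only because its type is `SVG_SCRIPT_TYPE_JAVA` raises the same `SecurityException` as a missing document URL, built from `ERROR_CANNOT_ACCESS_DOCUMENT_URL` with only `scriptURL`, so someone reading the logs cannot tell a policy block on Java scripts from a document that has no URL. A separate branch with its own message that includes `scriptType` would make the denial auditable, and the comment above the condition should state the new rule, e.g. `// Java archive scripts are always refused by the default policy, whatever host they come from`. The `equals` test is exact, so it presumably relies on `scriptType` reaching this constructor in the same form the script loader compares against; that is not visible here and is worth confirming. The constructor body starts and ends outside the hunk.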