diff --git a/CVE-2019-17566.patch b/CVE-2019-17566.patch
new file mode 100644
index 0000000000000000000000000000000000000000..38381ee2631c3105d8afb5d3956f0e8b43c1ba0a
--- /dev/null
+++ b/CVE-2019-17566.patch
@@ -0,0 +1,116 @@
+From bc6078ca949039e2076cd08b4cb169c84c1179b1 Mon Sep 17 00:00:00 2001
+From: Simon Steiner
+Date: Mon, 9 Dec 2019 12:24:18 +0000
+Subject: [PATCH] BATIK-1276: Allow blocking of external resources
+
+git-svn-id: https://svn.apache.org/repos/asf/xmlgraphics/batik/trunk@1871084 13f79535-47bb-0310-9956-ffa450edef68
+---
+ .../apache/batik/apps/rasterizer/Main.java | 17 +++++++++++++++++
+ .../batik/apps/rasterizer/SVGConverter.java | 6 ++++++
+ .../transcoder/SVGAbstractTranscoder.java | 19 +++++++++++++++++++
+ 3 files changed, 42 insertions(+)
+
+diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+index c70b4dd691..a4248b527d 100644
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/Main.java
+@@ -501,6 +501,12 @@ public Color parseARGB(String argbVal){
+ public static String CL_OPTION_CONSTRAIN_SCRIPT_ORIGIN_DESCRIPTION
+ = Messages.get("Main.cl.option.constrain.script.origin.description", "No description");
+
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES
++ = Messages.get("Main.cl.option.block.external.resources", "-blockExternalResources");
++
++ public static String CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION
++ = Messages.get("Main.cl.option.block.external.resources.description", "No description");
++
+ /**
+ * Option to turn off secure execution of scripts
+ */
+@@ -829,6 +835,17 @@ public String getOptionDescription(){
+ return CL_OPTION_SECURITY_OFF_DESCRIPTION;
+ }
+ });
++
++ optionMap.put(CL_OPTION_BLOCK_EXTERNAL_RESOURCES,
++ new NoValueOptionHandler(){
++ public void handleOption(SVGConverter c){
++ c.allowExternalResources = false;
++ }
++
++ public String getOptionDescription(){
++ return CL_OPTION_BLOCK_EXTERNAL_RESOURCES_DESCRIPTION;
++ }
++ });
+ }
+
+ /**
+diff --git a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+index 324c3abcfe..9ec2135458 100644
+--- a/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
++++ b/batik-svgrasterizer/src/main/java/org/apache/batik/apps/rasterizer/SVGConverter.java
+@@ -253,6 +253,8 @@ Licensed to the Apache Software Foundation (ASF) under one or more
+ the document which references them. */
+ protected boolean constrainScriptOrigin = true;
+
++ protected boolean allowExternalResources = true;
++
+ /** Controls whether scripts should be run securely or not */
+ protected boolean securityOff = false;
+
+@@ -925,6 +927,10 @@ protected Map computeTranscodingHints(){
+ map.put(ImageTranscoder.KEY_CONSTRAIN_SCRIPT_ORIGIN, Boolean.FALSE);
+ }
+
++ if (!allowExternalResources) {
++ map.put(ImageTranscoder.KEY_ALLOW_EXTERNAL_RESOURCES, Boolean.FALSE);
++ }
++
+ return map;
+ }
+
+diff --git a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+index 65d983bfae..8d6ffe3b1f 100644
+--- a/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
++++ b/batik-transcoder/src/main/java/org/apache/batik/transcoder/SVGAbstractTranscoder.java
+@@ -33,8 +33,10 @@ Licensed to the Apache Software Foundation (ASF) under one or more
+ import org.apache.batik.bridge.BridgeContext;
+ import org.apache.batik.bridge.BridgeException;
+ import org.apache.batik.bridge.DefaultScriptSecurity;
++import org.apache.batik.bridge.ExternalResourceSecurity;
+ import org.apache.batik.bridge.GVTBuilder;
+ import org.apache.batik.bridge.NoLoadScriptSecurity;
++import org.apache.batik.bridge.NoLoadExternalResourceSecurity;
+ import org.apache.batik.bridge.RelaxedScriptSecurity;
+ import org.apache.batik.bridge.SVGUtilities;
+ import org.apache.batik.bridge.ScriptSecurity;
+@@ -877,6 +879,9 @@ protected void setImageSize(float docWidth, float docHeight) {
+ = new BooleanKey();
+
+
++ public static final TranscodingHints.Key KEY_ALLOW_EXTERNAL_RESOURCES
++ = new BooleanKey();
++
+ /**
+ * A user agent implementation for PrintTranscoder.
+ */
+@@ -1109,5 +1114,19 @@ protected void computeAllowedScripts(){
+ }
+ }
+
++ public ExternalResourceSecurity getExternalResourceSecurity(ParsedURL resourceURL, ParsedURL docURL) {
++ if (isAllowExternalResources()) {
++ return super.getExternalResourceSecurity(resourceURL, docURL);
++ }
++ return new NoLoadExternalResourceSecurity();
++ }
++
++ public boolean isAllowExternalResources() {
++ Boolean b = (Boolean)SVGAbstractTranscoder.this.hints.get(KEY_ALLOW_EXTERNAL_RESOURCES);
++ if (b != null) {
++ return b;
++ }
++ return true;
++ }
+ }
+ }
diff --git a/batik.spec b/batik.spec
index 8eb1992209d488b7bc45d13a4a4c50d5f8dc0eaa..1f04596e1c2672454ef7539de1ffd17ff4a33c99 100644
--- a/batik.spec
+++ b/batik.spec
@@ -1,14 +1,15 @@
 %global classpath batik:rhino:xml-commons-apis:xml-commons-apis-ext:xmlgraphics-commons:jai_imageio
-Name: batik
-Version: 1.10
-Release: 3
-Summary: Batik is an inline templating engine for CoffeeScript
-License: ASL 2.0 and W3C
-URL: https://xmlgraphics.apache.org/batik/
-Source0: http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
+Name: batik
+Version: 1.10
+Release: 4
+Summary: Batik is an inline templating engine for CoffeeScript
+License: Apache-2.0 and W3C
+URL: https://xmlgraphics.apache.org/batik/
+Source0: http://archive.apache.org/dist/xmlgraphics/batik/source/batik-src-%{version}.zip
 Source1: %{name}-security.policy
 Patch1: 0001-Fix-imageio-codec-lookup.patch
+Patch6000: CVE-2019-17566.patch
 BuildArch: noarch
@@ -120,5 +121,8 @@ cp -a samples %{buildroot}/%{_datadir}/%{name}/
 %doc CHANGES MAINTAIN README NOTICE
 %changelog
+* Mon Dec 07 2020 zhanghua - 1.10-4
+- fix CVE-2019-17566
+
 * Tue Dec 10 2019 openEuler Buildteam - 1.10-3
 - Package init
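Review bot: The blocking this patch adds is opt-in: `isAllowExternalResources()` in the `@@ -1109,5 +1114,19 @@` hunk of SVGAbstractTranscoder.java returns `true` when `KEY_ALLOW_EXTERNAL_RESOURCES` is unset, and SVGConverter only puts `Boolean.FALSE` into the hints when `-blockExternalResources` is given, so applications that drive the transcoder API directly keep loading external resources unless they set the hint themselves — worth stating in the package changelog or documentation for this build. The diffstat lists only the three Java files, so the new option's description is looked up from a bundle key the patch does not add and will fall back to `"No description"` in the usage output unless the bundle already contains `Main.cl.option.block.external.resources.description`. Neither the new key nor the `getExternalResourceSecurity` override carries Javadoc; a one-line `/** Whether external resources referenced by the document may be loaded; absent means allowed. */` on the key, plus `@Override` on the override, would match the neighbouring declarations. The user-agent class receiving the override begins outside the hunk.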
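Review bot: `Patch6000: CVE-2019-17566.patch` is declared in the `@@ -1,14 +1,15 @@` hunk of batik.spec, but nothing in this hunk applies it; if `%prep` uses explicit `%patch` lines rather than `%autosetup`, a matching `%patch6000 -p1` is needed or the backport is silently unused. The re-added `Summary:` line still reads `Batik is an inline templating engine for CoffeeScript`, which does not describe the Apache Batik SVG toolkit that `URL:` and `Source0:` point at; `Summary: Apache Batik SVG toolkit` would be accurate. The `%prep` section lies outside this hunk.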