liangqi
/
spring-framework
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fix potential security risk when using Spring OXM

Browse Source 
Disable by default external entity resolution when using Spring OXM
with jaxb. This prevents a XML entity from being able to resolve a
local file on the host system.

See:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Issue: SPR-10806
master
Arjen Poutsma 11 years ago committed by Phillip Webb
parent 28be8e9063
commit 7576274874
1 changed files with 3 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 4
      spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java

4
spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java
Unescape View File

@ -226,7 +226,9 @@ public class Jaxb2CollectionHttpMessageConverter<T extends Collection>
* @return the created factory
*/
protected XMLInputFactory createXmlInputFactory() {
return XMLInputFactory.newInstance();
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
return inputFactory;
}
}

Write Preview
Loading…
Cancel
Save