Fix potential security risk when using Spring OXM
Disable by default external entity resolution when using Spring OXM
with jaxb. This prevents an XML entity from being able to resolve a
local file on the host system.

See:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

Issue: SPR-10806
(cherry picked from commit 7576274)
Arjen Poutsma authored and philwebb committed Aug 6, 2013
1 parent 8f4221d commit 434735f
Showing 1 changed file with 3 additions and 1 deletion.
Expand Up @@ -224,7 +224,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE
* @return the created factory
*/
protected XMLInputFactory createXmlInputFactory() {
return XMLInputFactory.newInstance();
XMLInputFactory inputFactory = XMLInputFactory.newInstance();
inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
return inputFactory;
}

}
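Review bot: the property set in this hunk does not match what the commit message claims. The message says external entity resolution is disabled, but `inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);` only stops the StAX parser from substituting entity references with their replacement text; the StAX properties that actually govern the XXE surface are `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` (set it to `false`) and, for the strongest posture, `XMLInputFactory.SUPPORT_DTD` (set it to `false` so no DOCTYPE is processed at all). Consider setting `IS_SUPPORTING_EXTERNAL_ENTITIES` to `false` alongside or instead of the current line, and adding a short comment in the method body (and a sentence in the Javadoc above, which still only says `@return the created factory`) stating that these settings exist to block XXE per SPR-10806, so a later refactor does not silently drop them. Note also that `setProperty` is the only observable change here; a unit test that feeds a document containing an external entity declaration through the factory and asserts that it is not expanded would lock the behaviour in.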
