Fix potential security risk when using Spring OXM

Arjen Poutsma · philwebb · commit 7576274874de · 2013-08-06T15:08:53.000-07:00
Disable by default external entity resolution when using Spring OXM with jaxb. This prevents a XML entity from being able to resolve a local file on the host system. See: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing Issue: SPR-10806
diff --git a/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java
@@ -226,7 +226,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE
 	 * @return the created factory
 	 */
 	protected XMLInputFactory createXmlInputFactory() {
-		return XMLInputFactory.newInstance();
+		XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+		inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
+		return inputFactory;
 	}
 
 }

Original file line number	Diff line number	Diff line change
`@@ -226,7 +226,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE`
`226`	`226`	`* @return the created factory`
`227`	`227`	`*/`
`228`	`228`	`protected XMLInputFactory createXmlInputFactory() {`
`229`		`- return XMLInputFactory.newInstance();`
	`229`	`+ XMLInputFactory inputFactory = XMLInputFactory.newInstance();`
	`230`	`+ inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);`
	`231`	`+ return inputFactory;`
`230`	`232`	`}`
`231`	`233`
`232`	`234`	`}`