Fix potential security risk when using Spring OXM

Arjen Poutsma · philwebb · commit 434735fbf6e7 · 2013-08-06T15:10:05.000-07:00
Disable by default external entity resolution when using Spring OXM with jaxb. This prevents a XML entity from being able to resolve a local file on the host system. See: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing Issue: SPR-10806 (cherry picked from commit 7576274)
diff --git a/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java
@@ -224,7 +224,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE
 	 * @return the created factory
 	 */
 	protected XMLInputFactory createXmlInputFactory() {
-		return XMLInputFactory.newInstance();
+		XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+		inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
+		return inputFactory;
 	}
 
 }

Original file line number	Diff line number	Diff line change
`@@ -224,7 +224,9 @@ protected void writeToResult(T t, HttpHeaders headers, Result result) throws IOE`
`224`	`224`	`* @return the created factory`
`225`	`225`	`*/`
`226`	`226`	`protected XMLInputFactory createXmlInputFactory() {`
`227`		`- return XMLInputFactory.newInstance();`
	`227`	`+ XMLInputFactory inputFactory = XMLInputFactory.newInstance();`
	`228`	`+ inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);`
	`229`	`+ return inputFactory;`
`228`	`230`	`}`
`229`	`231`
`230`	`232`	`}`