
Ensure DOM parsing defaults to not expanding external entities #1279

Closed
cowtowncoder opened this issue Jun 24, 2016 · 2 comments

@cowtowncoder
Member

Since there were issues wrt general XML handling:

FasterXML/jackson-dataformat-xml#190

it would make sense to review smaller but relevant concerns wrt DOM types that databind supports

http://stackoverflow.com/questions/38017676/small-fix-for-cve-2016-3720-with-older-versions-of-jackson-all-1-9-11-and-in-ja/38018454#38018454

@cowtowncoder
Member Author

Looks like DOMDeserializer should disable external entity resolution:

DocumentBuilderFactory.setExpandEntityReferences(false);

It could also be possible to add an alternate constructor to take in a pre-configured builder factory for users who want to configure this on their own.
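The following is an added illustration, not code from jackson-databind or from the commit that closed this issue. It shows what a pre-configured DocumentBuilderFactory of the kind suggested above can look like: the setExpandEntityReferences(false) call from the comment, plus the standard Xerces/JAXP features that refuse DOCTYPE declarations and external DTD/entity loading, since setExpandEntityReferences alone does not stop a parser from fetching an external entity. The class name HardenedDomParsing, the helper names, and the two sample XML strings (including the placeholder SYSTEM URI) are all constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical example class; not part of jackson-databind.
public class HardenedDomParsing {

    // Builds a DocumentBuilderFactory that does not expand entity references and,
    // in addition, rejects DOCTYPE declarations and external DTD/entity loading.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

        // The setting proposed in the issue comment above.
        dbf.setExpandEntityReferences(false);

        // Refuse any DOCTYPE, so no entity (internal or external) can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Defence in depth for deployments that must allow DTDs: these stop
        // external general/parameter entities and external DTD retrieval.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        // XInclude can also pull in external resources; keep it off.
        dbf.setXIncludeAware(false);
        dbf.setNamespaceAware(true);
        return dbf;
    }

    // Parses the given bytes with the hardened factory.
    // Returns true if the document was accepted, false if the parser rejected it.
    static boolean parseSafely(byte[] xml) throws ParserConfigurationException {
        try {
            DocumentBuilder db = hardenedFactory().newDocumentBuilder();
            Document doc = db.parse(new ByteArrayInputStream(xml));
            return doc.getDocumentElement() != null;
        } catch (SAXException | IOException e) {
            // With disallow-doctype-decl set, a document carrying a DOCTYPE
            // fails here before any entity could be resolved.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an ordinary document without a DTD; expected to parse.
        String plain = "<config><name>demo</name></config>";

        // Constructed sample: a document declaring an external entity. The SYSTEM
        // URI is a deliberate placeholder, not a real resource.
        String withDtd = "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>"
                + "<config><name>&ext;</name></config>";

        System.out.println("plain accepted: " + parseSafely(plain.getBytes(StandardCharsets.UTF_8)));
        System.out.println("dtd accepted:   " + parseSafely(withDtd.getBytes(StandardCharsets.UTF_8)));
    }
}
```

Running this prints "plain accepted: true" and, for the second document, a "rejected: ..." line followed by "dtd accepted: false", because the DOCTYPE is refused before the entity is ever looked up. The feature URIs used here are the Xerces/JAXP ones honoured by the JDK's built-in parser; a different JAXP implementation may not recognise all of them, in which case setFeature throws ParserConfigurationException rather than silently ignoring the request.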

@cowtowncoder cowtowncoder changed the title Verify DOM type handling concerns wrt parser settings Ensure DOM parsing defaults to not expanding external entities Jun 28, 2016
@cowtowncoder cowtowncoder added this to the 2.7.6 milestone Jun 28, 2016
cowtowncoder added a commit that referenced this issue Jul 1, 2016
@cowtowncoder cowtowncoder modified the milestones: 2.7.6, 2.6.7.4 Oct 25, 2020
@cowtowncoder
Member Author

Backported in 2.6.7.4, in addition to original fix for 2.7.6.
