Spring Framework: SPR-15797

Disable DTD and external entities support in XmlEventDecoder to prevent XXE and XML bomb attack

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 5.0 RC2
    • Fix Version/s: 5.0 RC3
    • Component/s: Web
    • Labels:
      None

      Description

      The XMLInputFactory instance in XmlEventDecoder supports DTDs and external entities.
      Because Jaxb2XmlDecoder uses XmlEventDecoder, this could be exploited in attacks such as XXE or an XML bomb.
      To prevent these attacks, the decoder should disable DTD and external entity support by setting the corresponding properties on the XMLInputFactory.
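
The following is an added illustration, not Spring's code and not the patch for this issue: it builds a StAX XMLInputFactory with the two properties the description refers to switched off, adds a small check that a factory really is configured that way, and parses a constructed document whose internal DTD declares an entity. The class name, the sample document and the helper method names are all assumptions made for the example.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added example (not Spring Framework code): a hardened StAX XMLInputFactory,
 * a check that a factory is hardened, and a parse of a constructed document
 * whose DTD declares an entity.
 */
public class DefensiveStaxExample {

    // Constructed sample input: an internal DTD declaring one small entity.
    // The entity body is harmless here; the point is that a hardened parser does
    // not process the DTD at all, so no declared entity can be expanded.
    static final String XML_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [ <!ENTITY greeting \"hello\"> ]>\n"
        + "<doc>&greeting;</doc>";

    /** Factory with DTD processing and external entity resolution both switched off. */
    public static XMLInputFactory defensiveInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    /** A check suitable for a unit test: are both dangerous features off? */
    public static boolean isDefensive(XMLInputFactory factory) {
        return Boolean.FALSE.equals(factory.getProperty(XMLInputFactory.SUPPORT_DTD))
            && Boolean.FALSE.equals(factory.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
    }

    /**
     * Parses the document and returns the text collected under the root element,
     * or a "rejected: ..." string if the parser refuses the input.
     */
    public static String parseRootText(XMLInputFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
            while (reader.hasNext()) {
                switch (reader.next()) {
                    case XMLStreamConstants.CHARACTERS:
                        text.append(reader.getText());
                        break;
                    case XMLStreamConstants.ENTITY_REFERENCE:
                        // Reported only when the parser did not replace the reference itself.
                        text.append('&').append(reader.getLocalName()).append(';');
                        break;
                    default:
                        break;
                }
            }
            reader.close();
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
        return text.toString();
    }

    public static void main(String[] args) {
        XMLInputFactory permissive = XMLInputFactory.newFactory(); // JDK default: DTD supported
        XMLInputFactory defensive = defensiveInputFactory();

        System.out.println("permissive factory hardened? " + isDefensive(permissive));
        System.out.println("defensive factory hardened?  " + isDefensive(defensive));

        // The permissive parser expands the DTD-declared entity, yielding "hello".
        System.out.println("permissive parse: " + parseRootText(permissive, XML_WITH_DTD));
        // The defensive parser never processes the DTD, so the entity cannot be expanded.
        // Depending on the StAX implementation the input is rejected or the reference
        // surfaces unresolved; either way no entity expansion takes place.
        System.out.println("defensive parse:  " + parseRootText(defensive, XML_WITH_DTD));
    }
}
```

The two properties are the standard javax.xml.stream names every StAX implementation honours, so the check in isDefensive is a cheap regression guard for any code path that hands an XMLInputFactory to a decoder. Spring's own fix, as the comment below states, moved such a setup into StaxUtils; this example is independent of that class.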

        Issue Links

          Activity

          juergen.hoeller Juergen Hoeller added a comment -

          We have a common setup for a defensive XMLInputFactory already, so I've taken the opportunity to factor it out to StaxUtils and reuse it in XmlEventDecoder now.

          Thanks for raising this - just in time for 5.0 RC3!

          tiwatsuka Takuya Iwatsuka added a comment -

          Thank you for the quick response.
          I'm looking forward to the next release!


            People

            • Assignee: Juergen Hoeller (juergen.hoeller)
            • Reporter: Takuya Iwatsuka (tiwatsuka)
            • Last updater: Stéphane Nicoll
            • Votes: 0
            • Watchers: 2

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                25 weeks, 5 days ago