Spring Framework / SPR-15797

Disable DTD and external entities support in XmlEventDecoder to prevent XXE and XML bomb attack

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 5.0 RC2
    • Fix Version/s: 5.0 RC3
    • Component/s: Web

      Description

      The XMLInputFactory instance in XmlEventDecoder supports DTDs and external entities.
      Because Jaxb2XmlDecoder uses XmlEventDecoder, this could be exploited by attacks such as XXE or an XML bomb.
      To prevent these attacks, it should disable DTD and external entity support by setting properties of XMLInputFactory.
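As an added illustration of the hardening the issue asks for (example code written for this page, not Spring's XmlEventDecoder or its eventual fix), the following shows a StAX XMLInputFactory with the two standard properties switched off, SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES, next to a default factory. The class name HardenedStaxExample, the helper methods and both sample documents are assumptions constructed for the example; the second sample carries a DOCTYPE with a harmless internal entity, which is the feature an entity-expansion payload relies on, so a hardened parser must not expand it.

```java
import java.io.StringReader;
import javax.xml.stream.XMLEventReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.events.XMLEvent;

/**
 * Illustrative hardening of a StAX XMLInputFactory for untrusted input.
 * Example code for this page; not Spring Framework's own code.
 */
public class HardenedStaxExample {

    /** Factory with DTD processing and external-entity resolution disabled. */
    public static XMLInputFactory createDefensiveInputFactory() {
        XMLInputFactory factory = XMLInputFactory.newFactory();
        // Do not process DOCTYPE declarations: internal entity declarations are
        // where the expansion chains of an XML bomb are defined.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Do not resolve external entities (SYSTEM/PUBLIC identifiers), the
        // mechanism behind XXE file disclosure and server-side requests.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return factory;
    }

    /**
     * Drains every event from the document and returns the concatenated
     * character data. Throws XMLStreamException if the parser rejects the input.
     */
    public static String readText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLEventReader reader = factory.createXMLEventReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                XMLEvent event = reader.nextEvent();
                if (event.isCharacters()) {
                    text.append(event.asCharacters().getData());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString();
    }

    /** Constructed sample: a plain document with no DOCTYPE. */
    static final String PLAIN_XML = "<?xml version=\"1.0\"?><greeting>hello</greeting>";

    /**
     * Constructed sample: the same document with a DOCTYPE declaring a single
     * internal entity. Harmless by itself, but a hardened factory must not
     * expand it, because the same feature carries entity-expansion payloads.
     */
    static final String DTD_XML =
            "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE greeting [<!ENTITY g \"hello\">]>"
            + "<greeting>&g;</greeting>";

    public static void main(String[] args) throws XMLStreamException {
        XMLInputFactory permissive = XMLInputFactory.newFactory();
        XMLInputFactory hardened = createDefensiveInputFactory();

        // A DOCTYPE-free document is unaffected by the hardening.
        System.out.println("plain, hardened : " + readText(hardened, PLAIN_XML));
        // The default factory processes the DTD and expands the entity.
        System.out.println("DTD, permissive : " + readText(permissive, DTD_XML));
        try {
            String out = readText(hardened, DTD_XML);
            // Some StAX implementations skip the DTD and leave the reference
            // unexpanded instead of failing; in both cases no declared entity
            // was processed, which is the property the decoder needs.
            System.out.println("DTD, hardened   : parsed without expansion -> '" + out + "'");
        } catch (XMLStreamException e) {
            System.out.println("DTD, hardened   : rejected -> " + e.getMessage());
        }
    }
}
```

Whether the hardened factory throws or silently skips the DOCTYPE depends on the StAX implementation on the classpath (the JDK's built-in parser and Woodstox behave differently), so a decoder that consumes untrusted XML should be tested against the implementation actually deployed, and the check above is the kind of regression test that protects the setting from being lost in a later refactoring.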

      People

      • Assignee: Juergen Hoeller (juergen.hoeller)
      • Reporter: Takuya Iwatsuka (tiwatsuka)
      • Last updater: Stéphane Nicoll
      • Votes: 0
      • Watchers: 2
