sahvx655-wq opened a new pull request, #512: URL: https://github.com/apache/felix-dev/pull/512
This PR hardens XML parsing across Apache Felix by disabling DTD processing, external entity resolution, and XInclude support in SAX, DOM, StAX, and XMLReader implementations used by core components, libraries, and build tools.

- Parser Hardening: Secured XML parser factories in Declarative Services (SCR), iPOJO Manipulator, OSGi Check Maven Plugin, and StAX parsers.
- XXE Validation: Added `testParserRejectsXXE` in `XmlHandlerTest` to verify that XML containing external entities or DOCTYPE declarations is safely rejected.
- Compatibility: Existing OSGi descriptors do not rely on DTDs or external entities, so the changes are expected to be backward-compatible.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
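The hardening the PR describes (no DTDs, no external entities, no XInclude) is configured through JAXP factory features and properties. The following is an added, stand-alone example of what such a configuration and its accompanying rejection check look like; it is not code from the Felix PR or from `XmlHandlerTest`. The class name `HardenedXmlFactories`, the method names, and the sample DOCTYPE document are all constructed for illustration. The feature URIs are the standard Xerces/SAX ones honoured by the JDK's built-in parsers; other JAXP providers may not recognise every one of them, which is why each factory method declares the checked exceptions instead of swallowing them.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: hardened JAXP factories and a check that they refuse a DOCTYPE document. */
public final class HardenedXmlFactories {

    // Constructed sample input: a DOCTYPE that declares an external entity and
    // references it from an attribute. A hardened parser must fail before the
    // entity is ever resolved.
    static final String DOCTYPE_DOC =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE component [<!ENTITY ext SYSTEM \"file:///placeholder-not-read\">]>\n"
        + "<component name=\"&ext;\"/>";

    // Xerces/SAX feature URIs understood by the JDK's bundled parsers.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** DOM: refuse DOCTYPE outright, and belt-and-braces disable entity and XInclude handling. */
    public static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** SAX: same feature set; setFeature here may also throw SAXNotRecognized/NotSupported. */
    public static SAXParserFactory hardenedSaxFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        return f;
    }

    /** StAX: the standard properties turn off DTD support and external entity expansion. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    private static InputStream bytes(String xml) {
        return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Returns true only if all three hardened parsers refuse the document.
     * Each parser is exercised independently so a regression in one is visible.
     */
    public static boolean allParsersReject(String xml) throws ParserConfigurationException, SAXException {
        boolean domRejected = false, saxRejected = false, staxRejected = false;
        try {
            hardenedDomFactory().newDocumentBuilder().parse(bytes(xml));
        } catch (SAXException | java.io.IOException expected) {
            domRejected = true;
        }
        try {
            hardenedSaxFactory().newSAXParser().parse(bytes(xml), new DefaultHandler());
        } catch (SAXException | java.io.IOException expected) {
            saxRejected = true;
        }
        try {
            XMLStreamReader r = hardenedStaxFactory().createXMLStreamReader(bytes(xml));
            while (r.hasNext()) {
                r.next(); // drive the whole document; the undeclared &ext; reference is fatal
            }
        } catch (XMLStreamException expected) {
            staxRejected = true;
        }
        return domRejected && saxRejected && staxRejected;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(allParsersReject(DOCTYPE_DOC)
            ? "all hardened parsers rejected the DOCTYPE document"
            : "at least one parser accepted the DOCTYPE document");
    }
}
```

The DOM and SAX paths fail on the DOCTYPE declaration itself, which is the desired outcome: nothing in the internal subset is interpreted, so no entity URI is ever fetched. For StAX there is no portable "disallow DOCTYPE" switch; with `SUPPORT_DTD` off the JDK implementation skips the subset and then reports the unresolved `&ext;` reference as a well-formedness error, which is why the check drives the reader to the end of the document rather than stopping after `createXMLStreamReader`. A test in the spirit of the PR's `testParserRejectsXXE` would assert that `allParsersReject(DOCTYPE_DOC)` is true, and separately that a plain descriptor without a DOCTYPE still parses, to catch the compatibility claim as well.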
