ppkarwasz opened a new pull request, #640: URL: https://github.com/apache/commons-configuration/pull/640
## Summary

Route every direct JAXP factory instantiation through the hardened factories from [`eu.copernik:copernik-xml-factory`](https://github.com/copernik-eu/copernik-xml-factory) `0.1.1`. These factories block external DTD and entity fetching and bound internal entity expansion, regardless of the JAXP implementation on the classpath.

Hardening the parsing of a configuration file is admittedly not necessary: configuration files are normally trusted. This limits the side-effects if a user (against advice) decides to parse untrusted configuration files.

## Changes

- Add the `copernik-xml-factory` dependency.
- Route factory creation through `XmlFactories` (`DocumentBuilderFactory`, `SAXParserFactory`, `TransformerFactory`) in `XMLConfiguration`, `XMLDocumentHelper`, `XMLPropertiesConfiguration` and `XMLPropertyListConfiguration`, plus the affected tests.
- Harden the source passed to `XMLDocumentHelper.transform`.
- `XMLConfiguration`'s entity resolver now throws a `SAXException` for unregistered entities instead of returning `null`. Returning `null` would let the parser fall back to fetching the external resource and would override the deny-all resolver the hardening factories install on some implementations. This is done in an anonymous `DefaultEntityResolver` subclass local to `XMLConfiguration`, leaving the public `DefaultEntityResolver` contract (return `null` for unknown entities) unchanged.

## Testing

- `mvn test` for the affected XML test classes: 145 tests, all passing.
- `mvn checkstyle:check`: clean.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
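The two layers the pull request describes, a factory that never fetches external resources and an entity resolver that fails closed instead of returning `null`, shown with plain JAXP calls as an added example. This is not code from the pull request or from `copernik-xml-factory` (whose `XmlFactories` API is not shown here); the class name `HardenedXmlParsing`, the public ID and the classpath DTD path are constructed for illustration, and the `setAttribute` call assumes a JAXP 1.5 capable parser.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
public final class HardenedXmlParsing {
    // Constructed registry of allowed entities: public ID -> local classpath resource.
    private static final Map<String, String> REGISTERED_ENTITIES =
        Collections.singletonMap("-//Example//DTD Config 1.0//EN", "/dtd/config-1.0.dtd");
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Secure processing bounds entity expansion and other limits on JDK parsers.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Never fetch external general/parameter entities or the external DTD subset.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // JAXP 1.5; may throw on old parsers
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }
    // Resolver that serves registered entities from the classpath and rejects everything else.
    static EntityResolver denyUnknownResolver() {
        return (publicId, systemId) -> {
            String resource = publicId == null ? null : REGISTERED_ENTITIES.get(publicId);
            if (resource == null) {
                // Returning null here would let the parser fall back to fetching systemId itself.
                throw new SAXException("Unregistered external entity: publicId=" + publicId
                    + ", systemId=" + systemId);
            }
            InputStream in = HardenedXmlParsing.class.getResourceAsStream(resource);
            if (in == null) {
                throw new IOException("Registered entity resource missing: " + resource);
            }
            return new InputSource(in);
        };
    }
    static Document parse(InputSource source) throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        builder.setEntityResolver(denyUnknownResolver());
        return builder.parse(source);
    }
}
```

Whether a given parser still consults the resolver after the external-entity features are disabled varies by implementation, which is why the failing-closed resolver is kept as a second layer rather than relied on alone.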
