ppkarwasz opened a new pull request, #12: URL: https://github.com/apache/commons-xml/pull/12
Applies the COMMONSXML-1 capability-driven approach to the StAX path, replacing the per-implementation class-name dispatch for `XMLInputFactory` with a single `StaxHardener`. - StAX has no single standard knob like JAXP 1.5 `ACCESS_EXTERNAL_*`, so `StaxHardener.harden` consolidates the JDK Zephyr and Woodstox recipes into one pass: apply limits and Zephyr `ignore-external-dtd` best-effort, try the Woodstox resolver trio, and fall back to a single deny-all `XMLResolver` when that trio is not accepted. - External entities stay on and are denied via resolvers, leaving the standard `SUPPORT_DTD` / `IS_SUPPORTING_EXTERNAL_ENTITIES` defaults untouched, so both bundled parsers keep their original throw-on-external-entity behavior. - `Limits.tryApply(XMLInputFactory)` replaces `applyToJdkStax`/`applyToWoodstox`; `JaxpSetters` gains `trySetProperty(XMLInputFactory)` and `setOptionalProperty(XMLInputFactory)`. `WoodstoxProvider` and `StockJdkProvider.configure(XMLInputFactory)` are removed; `XmlFactories.newXMLInputFactory()` routes through `StaxHardener`. The `DTD_SUBSET_ONLY` resolver and its SpotBugs known-null exclusion move with it. **Behaviour:** an unrecognized StAX implementation is now hardened best-effort (deny-all `XMLResolver`) instead of being rejected; on such an implementation that fallback also denies the external subset, so a DOCTYPE-only document may fail (fail-closed). The StAX attack tests are unchanged. `mvn verify` green across the stock JDK (Zephyr) and Woodstox profiles. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
