ppkarwasz opened a new pull request, #12:
URL: https://github.com/apache/commons-xml/pull/12

   Applies the COMMONSXML-1 capability-driven approach to the StAX path, 
replacing the per-implementation class-name dispatch for `XMLInputFactory` with 
a single `StaxHardener`.
   
   - StAX has no single standard knob like JAXP 1.5 `ACCESS_EXTERNAL_*`, so 
`StaxHardener.harden` consolidates the JDK Zephyr and Woodstox recipes into one 
pass: apply limits and Zephyr `ignore-external-dtd` best-effort, try the 
Woodstox resolver trio, and fall back to a single deny-all `XMLResolver` when 
that trio is not accepted.
   - External entities stay on and are denied via resolvers, leaving the 
standard `SUPPORT_DTD` / `IS_SUPPORTING_EXTERNAL_ENTITIES` defaults untouched, 
so both bundled parsers keep their original throw-on-external-entity behavior.
   - `Limits.tryApply(XMLInputFactory)` replaces 
`applyToJdkStax`/`applyToWoodstox`; `JaxpSetters` gains 
`trySetProperty(XMLInputFactory)` and `setOptionalProperty(XMLInputFactory)`. 
`WoodstoxProvider` and `StockJdkProvider.configure(XMLInputFactory)` are 
removed; `XmlFactories.newXMLInputFactory()` routes through `StaxHardener`. The 
`DTD_SUBSET_ONLY` resolver and its SpotBugs known-null exclusion move with it.
   
   **Behaviour:** an unrecognized StAX implementation is now hardened 
best-effort (deny-all `XMLResolver`) instead of being rejected; on such an 
implementation that fallback also denies the external subset, so a DOCTYPE-only 
document may fail (fail-closed). The StAX attack tests are unchanged. `mvn 
verify` green across the stock JDK (Zephyr) and Woodstox profiles.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to