ppkarwasz opened a new pull request, #21:
URL: https://github.com/apache/commons-xml/pull/21
This PR ports the fix for GHSA-xm28-xvqc-gxxg to Commons XML.
## Problem
The behavior of `setXIncludeAware(true)` on a hardened factory currently
depends on the JAXP implementation:
- On Apache Xerces, XInclude resolution goes through the parser's
`EntityResolver`, so the deny-all resolver installed by the hardening already
blocks all inclusions.
- On the stock JDK implementation, XInclude resolution is governed by
neither `ACCESS_EXTERNAL_DTD` nor `ACCESS_EXTERNAL_SCHEMA`, the attributes used
by the hardening. Enabling XInclude awareness therefore allows **arbitrary**
inclusions, bypassing the intended hardening.
## Fix
After this change both implementations behave the same: XInclude fails
closed by default. To use XInclude, users must opt trusted resources in through
an explicit `EntityResolver`:
```java
DocumentBuilderFactory factory = XmlFactories.newDocumentBuilderFactory();
factory.setNamespaceAware(true);
factory.setXIncludeAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
// Delegates to the deny-all floor for anything it does not resolve
builder.setEntityResolver((publicId, systemId) -> {
if (isTrusted(systemId)) {
return new InputSource(systemId);
}
return null; // falls through to the floor, which blocks the fetch
});
```
Note that returning `null` does not restore the default behavior of fetching
the URL: the caller's resolver runs as a delegate of the deny-all floor, so
unresolved hrefs stay blocked.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]