AbstractMarshaller should avoid SAXSource workaround when processExternalEntities=true [SPR-11737] #16359

Closed
spring-projects-issues opened this issue Apr 25, 2014 · 6 comments
Labels: in: data, status: backported, type: enhancement

@spring-projects-issues spring-projects-issues commented Apr 25, 2014

Muminur Choudhury opened SPR-11737 and commented

We are currently using spring 4.0.1.

Updated to 4.0.2 (also tried latest 4.0.3), got unexpected unmarshalling issues with XMLBeansMarshaller for any XSD that uses the "extension" element.

Workaround we had to apply:

import java.io.IOException;
import javax.xml.transform.stream.StreamSource;
import org.springframework.oxm.XmlMappingException;
import org.springframework.oxm.xmlbeans.XmlBeansMarshaller;
// Workaround for Spring 4.0.2: route StreamSource input back to unmarshalStreamSource
XmlBeansMarshaller xmlBeansMarshaller = new XmlBeansMarshaller() {
    @Override // method name as spelled in the 4.0.2 API
    protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource)
            throws XmlMappingException, IOException {
        return unmarshalStreamSource(streamSource);
    }
};


Affects: 3.2.8, 4.0.2

Issue Links:

  • #16003 Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability

Backported to: 3.2.9

@spring-projects-issues spring-projects-issues commented Apr 25, 2014

Juergen Hoeller commented

The idea behind the XXE vulnerability fix in #16003 was that the processing of external entities should be disabled by default for security reasons, with a processExternalEntities=true flag a.k.a. setProcessExternalEntities(true) call enabling it. Please give that flag a try; it should make external entities work again.

That said, with processExternalEntities=true, we should actually be able to use the regular unmarshalStreamSource code path, bypassing the configurable adapting to SAXSource parsing. We'll revise that for 4.0.4.

As a side note, we also need to fix the name of that lately introduced "unmarshalStreamSourceNoExternalEntities" method, or rather get rid of it completely.

Juergen
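The distinction Juergen describes above (external entities off by default after the #16003 fix, re-enabled by processExternalEntities=true), shown as an added example that is not part of this issue or of Spring's code base. It toggles the standard SAX feature "http://xml.org/sax/features/external-general-entities" on Python's xml.sax parser, which is used here only because it exposes that same feature name (the assumption is that a processExternalEntities-style flag maps to this feature), and unmarshals a constructed XXE-style document, whose external general entity points at a local file, in both states.

```python
"""Effect of the external-general-entities SAX feature on an XXE payload.

Added example, not Spring's code. The feature name is the standard SAX one;
the XML document, the secret file and the helper names are constructed here.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects all character data reported by the parser."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def xxe_payload(path):
    """Constructed attacker input: an external general entity that reads a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE doc [\n'
        f'  <!ENTITY leaked SYSTEM "{path}">\n'
        ']>\n'
        '<doc>&leaked;</doc>\n'
    ).encode("utf-8")


def unmarshal(xml_bytes, process_external_entities):
    """Parse xml_bytes with external general entities enabled or disabled.

    process_external_entities plays the role of Spring's flag: False is the
    secure default, True re-enables resolution of external entities.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, process_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def demo():
    """Run the same payload through both settings and return what leaked."""
    with tempfile.TemporaryDirectory() as workdir:
        secret_path = os.path.join(workdir, "secret.txt")
        with open(secret_path, "w") as f:
            f.write("SECRET-TOKEN-42")  # constructed secret the payload targets
        payload = xxe_payload(secret_path)
        return {
            "enabled": unmarshal(payload, True),    # file content comes through
            "disabled": unmarshal(payload, False),  # entity is skipped, text is empty
        }


if __name__ == "__main__":
    for setting, result in demo().items():
        print(f"external entities {setting}: {result!r}")
```

With the feature off, the parser still sees the entity reference but skips it, so the element text is empty; with it on, the file's contents are returned as ordinary character data, which is the exposure the default of false closes and setProcessExternalEntities(true) knowingly reopens. Enable it only for input you trust.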

@spring-projects-issues spring-projects-issues commented Apr 25, 2014

Juergen Hoeller commented

Assuming that the processExternalEntities flag does make XmlBeansMarshaller work again for your scenario, there's still the code path that you suggest in your workaround: AbstractMarshaller should avoid its SAXSource parsing workaround if processExternalEntities=true and rather use the regular unmarshalStreamSource code path.

From that perspective, I'll turn this issue into a corresponding improvement. Let me know whether the processExternalEntities flag doesn't work for you, or whether there are any other concerns with respect to unmarshalStreamSource.

Juergen

@spring-projects-issues spring-projects-issues commented Apr 25, 2014

Muminur Choudhury commented

Originally tried to use setProcessExternalEntities(true) (both for 4.0.2 and 4.0.3) and unfortunately it didn't work, so had to use the workaround.

Suggestion sounds good to me, processExternalEntities=true should use the regular unmarshalStreamSource code path.

@spring-projects-issues spring-projects-issues commented May 12, 2014

Juergen Hoeller commented

Muminur, does this work for you now, against 4.0.4 and/or the latest 3.2.9 snapshot?

Juergen

@spring-projects-issues spring-projects-issues commented May 12, 2014

Muminur Choudhury commented

I've tested against 4.0.4 a few days ago and I can confirm that if processExternalEntities=true is set, XMLBeansMarshaller is working for me.

@spring-projects-issues spring-projects-issues commented May 12, 2014

Juergen Hoeller commented

Thanks, that's good to hear!

Juergen
