Additional docs about security vulnerabilities with XStream. #322

Closed
wants to merge 1 commit into
base: master
from
+14 −3

@@ -75,8 +75,15 @@
/**
* Implementation of the {@code Marshaller} interface for XStream.
*
* <p>By default, XStream does not require any further configuration,
* though class aliases can be used to have more control over the behavior of XStream.
* <p>By default, XStream does not require any further configuration and can (un)marshal
* any class on the classpath. As such, it is <b>not recommended to use the
* {@code XStreamMarshaller} to unmarshal XML from external sources</b> (i.e. the Web), as
* this can result in <b>security vulnerabilities</b>. If you do use the
* {@code XStreamMarshaller} to unmarshal external XML, set the
* {@link #setConverters(ConverterMatcher[]) converters} and
* {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
* {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
* you want it to support.
*
* <p>Due to XStream's API, it is required to set the encoding used for writing to OutputStreams.
* It defaults to {@code UTF-8}.
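Review bot: the mitigation sentence in this hunk lists three options ("set the converters and supportedClasses properties or override customizeXStream") without saying which of them actually restricts the classes XStream will instantiate on unmarshal, as opposed to only affecting what `supports(Class)` reports; since a reader will treat this paragraph as the complete mitigation, the Javadoc should state plainly which setting constrains unmarshalling of untrusted XML and which does not. Two smaller wording points: "(i.e. the Web)" should be "(e.g. the Web)", since the Web is one example of an external source rather than its definition, and "this can result in security vulnerabilities" could name the concrete risk the hunk already implies, namely that XStream will instantiate any class on the classpath that the incoming XML names.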
@@ -755,7 +755,11 @@ public class Application {
<para>
By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
vulnerabilities.
As such, it is recommended to set the <property>supportedClasses</property> property on the
As such, it is <emphasis>not recommended to use the <classname>XStreamMarshaller</classname> to
unmarshal XML from external sources</emphasis> (i.e. the Web), as this can result in
<emphasis>security vulnerabilities</emphasis>.
If you do use the <classname>XStreamMarshaller</classname> to unmarshal XML from an external source,
set the <property>supportedClasses</property> property on the
<classname>XStreamMarshaller</classname>, like so:
<programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
<property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
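Review bot: this reference-doc hunk only tells the reader to set `supportedClasses`, while the Javadoc hunk for the same change also recommends the `converters` property and overriding `customizeXStream`; the two descriptions of the mitigation should match, otherwise a reader of the reference manual gets a narrower recommendation than a reader of the API docs. The XML example also sets `supportedClasses` to a single class, so it would help to say whether the property accepts a list (the Javadoc reference `setSupportedClasses(Class[])` suggests it does) and that only the classes listed are expected to be unmarshalled. As in the Javadoc hunk, "(i.e. the Web)" should read "(e.g. the Web)".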