Disable external entities for StAX drivers.

Author: joehni

xstream/src/java/com/thoughtworks/xstream/io/xml/SjsxpDriver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2013, 2014 XStream Committers.
+ * Copyright (C) 2009, 2011, 2013, 2014, 2015 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -66,7 +66,9 @@ public SjsxpDriver(final XmlFriendlyNameCoder nameCoder) {
     protected XMLInputFactory createInputFactory() {
         Exception exception = null;
         try {
-            return (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
+            final XMLInputFactory instance = (XMLInputFactory)Class.forName("com.sun.xml.internal.stream.XMLInputFactoryImpl").newInstance();
+            instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+            return instance;
         } catch (final InstantiationException e) {
             exception = e;
         } catch (final IllegalAccessException e) {

xstream/src/java/com/thoughtworks/xstream/io/xml/StandardStaxDriver.java

@@ -1,11 +1,11 @@
 /*
- * Copyright (C) 2013, 2014 XStream Committers.
+ * Copyright (C) 2013, 2014, 2015 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
  * style license a copy of which has been included with this distribution in
  * the LICENSE.txt file.
- * 
+ *
  * Created on 27. July 2013 by Joerg Schaible
  */
 package com.thoughtworks.xstream.io.xml;
@@ -26,7 +26,7 @@
  * <em>javax.xml.stream.XMLOutputFactory</em>, all implementations configured in <em>lib/stax.properties</em> or
  * registered with the Service API.
  * </p>
- * 
+ *
  * @author J&ouml;rg Schaible
  * @since 1.4.5
  */
@@ -76,7 +76,9 @@ protected XMLInputFactory createInputFactory() {
         try {
             final Class<? extends XMLInputFactory> staxInputFactory = JVM.getStaxInputFactory();
             if (staxInputFactory != null) {
-                return staxInputFactory.newInstance();
+                final XMLInputFactory instance = staxInputFactory.newInstance();
+                instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+                return instance;
             } else {
                 throw new StreamException("Java runtime has no standard XMLInputFactory implementation.", exception);
             }

xstream/src/java/com/thoughtworks/xstream/io/xml/StaxDriver.java

@@ -1,6 +1,6 @@
 /*
  * Copyright (C) 2004, 2005, 2006 Joe Walnes.
- * Copyright (C) 2006, 2007, 2009, 2011, 2013, 2014 XStream Committers.
+ * Copyright (C) 2006, 2007, 2009, 2011, 2013, 2014, 2015 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -248,7 +248,9 @@ protected XMLStreamReader createParser(final Source source) throws XMLStreamExce
      * @since 1.4
      */
     protected XMLInputFactory createInputFactory() {
-        return XMLInputFactory.newInstance();
+        final XMLInputFactory instance = XMLInputFactory.newInstance();
+        instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        return instance;
     }
 
     /**

xstream/src/java/com/thoughtworks/xstream/io/xml/WstxDriver.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2009, 2011, 2014 XStream Committers.
+ * Copyright (C) 2009, 2011, 2014, 2015 XStream Committers.
  * All rights reserved.
  *
  * The software in this package is published under the terms of the BSD
@@ -66,7 +66,9 @@ public WstxDriver(final NameCoder nameCoder) {
 
     @Override
     protected XMLInputFactory createInputFactory() {
-        return new WstxInputFactory();
+        final XMLInputFactory instance = new WstxInputFactory();
+        instance.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        return instance;
     }
 
     @Override