[ https://issues.apache.org/jira/browse/HADOOP-18469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17647557#comment-17647557 ]
Attila Doroszlai commented on HADOOP-18469:
-------------------------------------------

Hi [~pj.fanning], some old XML libraries may not support all properties being set on the factories in XMLUtils. Two problems we have encountered so far:

{code}
Exception in thread "main" java.lang.IllegalArgumentException: Unknown configuration option http://javax.xml.XMLConstants/property/accessExternalDTD
    at net.sf.saxon.Configuration.setConfigurationProperty(Configuration.java:3915)
    at net.sf.saxon.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:285)
    at org.apache.hadoop.util.XMLUtils.newSecureTransformerFactory(XMLUtils.java:138)
    at org.apache.hadoop.conf.Configuration.writeXml(Configuration.java:3565)
{code}

and

{code}
java.lang.IllegalArgumentException: Not supported: http://javax.xml.XMLConstants/property/accessExternalDTD
    at org.apache.xalan.processor.TransformerFactoryImpl.setAttribute(TransformerFactoryImpl.java:571)
    at org.apache.hadoop.util.XMLUtils.newSecureTransformerFactory(XMLUtils.java:138)
    at org.apache.hadoop.conf.Configuration.writeXml(Configuration.java:3568)
{code}

Should we handle these more gracefully by catching the exception, thereby maintaining backwards compatibility?

> Add XMLUtils methods to centralise code that creates secure XML parsers
> -----------------------------------------------------------------------
>
>                 Key: HADOOP-18469
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18469
>             Project: Hadoop Common
>          Issue Type: Improvement
>   Affects Versions: 3.3.4
>            Reporter: PJ Fanning
>            Assignee: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.5
>
>
> Relates to HDFS-16766
> There are other places in the code where DocumentBuilderFactory instances are
> created that could benefit from the same changes as HDFS-16766
> h3. sonatype-2022-5820
> If anyone is landing on this page following the sonatype-2022-5820 alert,
> know that there is no known issue here, just a centralisation of all
> construction of XML parsers with lockdown of all the features.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
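
The fallback asked about in the comment above, sketched as an added example; it is not Hadoop's XMLUtils code and not from the commenter. The class name LenientSecureTransformerFactory is hypothetical, and the choice of ACCESS_EXTERNAL_STYLESHEET as a second optional attribute is an assumption (only accessExternalDTD appears in the stack traces).

```java
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

/** Hypothetical helper for illustration; not org.apache.hadoop.util.XMLUtils. */
public final class LenientSecureTransformerFactory {

  // Restrictions that older implementations (Saxon and Xalan in the traces
  // above) may reject with IllegalArgumentException.
  private static final String[] OPTIONAL_ATTRIBUTES = {
      XMLConstants.ACCESS_EXTERNAL_DTD,
      XMLConstants.ACCESS_EXTERNAL_STYLESHEET  // assumed second attribute
  };

  private LenientSecureTransformerFactory() { }

  /**
   * Returns a factory with secure processing enabled. Attributes the
   * implementation refuses are appended to {@code unsupported}, so the caller
   * can report them instead of silently running with a weaker configuration.
   */
  public static TransformerFactory newFactory(List<String> unsupported)
      throws TransformerConfigurationException {
    TransformerFactory factory = TransformerFactory.newInstance();
    // Not optional: JAXP requires every TransformerFactory to support this
    // feature, so a failure here is allowed to propagate.
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    for (String attribute : OPTIONAL_ATTRIBUTES) {
      try {
        // An empty value permits no protocols for external access.
        factory.setAttribute(attribute, "");
      } catch (IllegalArgumentException e) {
        unsupported.add(attribute);  // restriction NOT applied on this factory
      }
    }
    return factory;
  }

  public static void main(String[] args) throws Exception {
    List<String> unsupported = new ArrayList<>();
    TransformerFactory factory = newFactory(unsupported);
    System.out.println("Implementation: " + factory.getClass().getName());
    for (String attribute : unsupported) {
      System.err.println("WARN: XML restriction not supported, not applied: " + attribute);
    }
  }
}
```

Catching the exception keeps old libraries working but leaves that restriction off for the affected implementation, which is why the example reports each skipped attribute rather than swallowing it.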