RankoR opened a new pull request, #1066: URL: https://github.com/apache/opennlp/pull/1066
There's no existing ticket for this issue.

### For code changes:

- [x] Have you ensured that the full suite of tests is executed via mvn clean install at the root opennlp folder?
- [x] Have you written or updated unit tests to verify your changes?

### What changed

OpenNLP 2.5.9 added stricter XML parser hardening in `XmlUtil`, including JAXP external-access properties, implementation-specific parser features, and XInclude configuration.

Some XML parser providers, including Android's, reject these optional settings even though they can still create a usable secure parser. This caused `XmlUtil.createDocumentBuilder()` to fail during OpenNLP model initialization on Android.

We faced this issue in SpeechServices in GrapheneOS: https://github.com/GrapheneOS/SpeechServices/issues/18.

This PR keeps the hardening behavior where supported, but applies provider-specific XML security options defensively:

- unsupported `DocumentBuilderFactory` attributes are logged and ignored
- unsupported parser features are logged and ignored
- unsupported XInclude configuration is logged and ignored
- actual parser construction failures still remain fatal

A focused regression test was added using a custom `DocumentBuilderFactory` that rejects these optional settings.

### Verification

- `./mvnw -pl opennlp-tools -Dtest=XmlUtilTest test`
- `./mvnw -pl opennlp-tools test`

Also manually verified with a SpeechServices app on a Pixel device.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
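The tolerant hardening pattern described in the pull request, as an added example that is not OpenNLP's `XmlUtil` code and not part of the original message. The class `TolerantXmlHardening` and its helpers are hypothetical; the example goes one step further than the description by returning the list of settings the provider rejected and probing the resulting parser with a constructed DOCTYPE document, so a caller can see what protection is actually in effect.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class TolerantXmlHardening { // hypothetical name, not OpenNLP's XmlUtil

  interface Setting { void apply() throws Exception; }

  // Apply one optional setting; a provider that rejects it is recorded, not fatal.
  static void tryApply(String name, List<String> skipped, Setting s) {
    try { s.apply(); } catch (Exception e) { skipped.add(name); }
  }

  static DocumentBuilder newBuilder(List<String> skipped) throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    tryApply("secure-processing", skipped,
        () -> f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true));
    tryApply("disallow-doctype-decl", skipped,
        () -> f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true));
    tryApply("external-general-entities", skipped,
        () -> f.setFeature("http://xml.org/sax/features/external-general-entities", false));
    tryApply("external-parameter-entities", skipped,
        () -> f.setFeature("http://xml.org/sax/features/external-parameter-entities", false));
    tryApply("accessExternalDTD", skipped,
        () -> f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""));
    tryApply("accessExternalSchema", skipped,
        () -> f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""));
    tryApply("xinclude-aware", skipped, () -> f.setXIncludeAware(false));
    f.setExpandEntityReferences(false);
    return f.newDocumentBuilder(); // a real construction failure still propagates
  }

  public static void main(String[] args) throws Exception {
    List<String> skipped = new ArrayList<>();
    DocumentBuilder builder = newBuilder(skipped);
    System.out.println("Settings rejected by this provider: " + skipped);
    // Constructed sample input: a document carrying a DOCTYPE with an internal entity.
    String xml = "<?xml version=\"1.0\"?><!DOCTYPE m [<!ENTITY e \"x\">]><m>&e;</m>";
    try {
      builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      System.out.println("DOCTYPE accepted: disallow-doctype-decl is not in effect");
    } catch (SAXException e) {
      System.out.println("DOCTYPE rejected: " + e.getMessage());
    }
  }
}
```

A non-empty rejected list means the parser is running with less hardening than requested, which is worth surfacing in logs or a startup check rather than only ignoring.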
