ppkarwasz opened a new pull request, #21:
URL: https://github.com/apache/commons-xml/pull/21

   This PR ports the fix for GHSA-xm28-xvqc-gxxg to Commons XML.
   
   ## Problem
   
   The behavior of `setXIncludeAware(true)` on a hardened factory currently 
depends on the JAXP implementation:
   
   - On Apache Xerces, XInclude resolution goes through the parser's 
`EntityResolver`, so the deny-all resolver installed by the hardening already 
blocks all inclusions.
   - On the stock JDK implementation, XInclude resolution is governed by 
neither `ACCESS_EXTERNAL_DTD` nor `ACCESS_EXTERNAL_SCHEMA`, the attributes used 
by the hardening. Enabling XInclude awareness therefore allows **arbitrary** 
inclusions, bypassing the intended hardening.
   
   ## Fix
   
   After this change both implementations behave the same: XInclude fails 
closed by default. To use XInclude, users must opt trusted resources in through 
an explicit `EntityResolver`:
   
   ```java
   DocumentBuilderFactory factory = XmlFactories.newDocumentBuilderFactory();
   factory.setNamespaceAware(true);
   factory.setXIncludeAware(true);
   DocumentBuilder builder = factory.newDocumentBuilder();
   // Delegates to the deny-all floor for anything it does not resolve
   builder.setEntityResolver((publicId, systemId) -> {
       if (isTrusted(systemId)) {
           return new InputSource(systemId);
       }
       return null; // falls through to the floor, which blocks the fetch
   });
   ```
   
   Note that returning `null` does not restore the default behavior of fetching 
the URL: the caller's resolver runs as a delegate of the deny-all floor, so 
unresolved hrefs stay blocked.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to