[ https://issues.apache.org/jira/browse/GROOVY-11981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Paul King resolved GROOVY-11981.
--------------------------------
Resolution: Fixed
> Document XML secure-by-default breaking changes for 6.0.0
> ---------------------------------------------------------
>
> Key: GROOVY-11981
> URL: https://issues.apache.org/jira/browse/GROOVY-11981
> Project: Groovy
> Issue Type: Task
> Reporter: Paul King
> Assignee: Paul King
> Priority: Major
> Labels: breaking
> Fix For: 6.0.0-alpha-1
>
>
> Groovy's front-line XML parsing APIs ({{XmlParser}}, {{XmlSlurper}}, the
> static {{DOMBuilder.parse(...)}} variants, {{XmlUtil.newSAXParser}}) have
> been secure-by-default for some time — DOCTYPE declarations, external
> entities and billion-laughs payloads are blocked unless the caller opts in
> via {{allowDocTypeDeclaration}}. Recently GROOVY-11979 extended that same
> hardening to several behind-the-scenes pieces that had been left at JDK
> defaults: factory-creation helpers, the XSLT transform path used by
> {{XmlUtil.serialize}}, and the {{DOMBuilder.newInstance()}} factory. This
> ticket documents the resulting default-behaviour changes for users upgrading
> to Groovy 6.0.0.
> h4. Tier 1 — real default flips
> * *{{XmlUtil.serialize(...)}}* now blocks external {{<xsl:import>}} /
> {{<xsl:include>}} and external DTD references in the underlying
> {{TransformerFactory}}.
> ** *Affects:* callers passing XSLT documents with external resource
> references through {{serialize}}. The overwhelmingly common case
> (pretty-printing already-parsed Groovy nodes or DOM trees) is unaffected.
> ** *Relax knob:* {{new SerializeOptions().setAllowExternalResources(true)}}.
> * *{{FactorySupport.createDocumentBuilderFactory()}}* and
> *{{FactorySupport.createSaxParserFactory()}}* (zero-arg) now return hardened
> factories instead of bare JDK factories.
> ** *Affects:* direct callers of these helpers who were parsing
> DOCTYPE-bearing input through the returned factory.
> ** *Relax knob:* switch to the {{(true)}} overload —
> {{createDocumentBuilderFactory(true)}} / {{createSaxParserFactory(true)}}.
> h4. Tier 2 — mostly theoretical default flip
> * *{{DOMBuilder.newInstance()}}* and *{{DOMBuilder.newInstance(validating,
> namespaceAware)}}* now return a builder backed by a hardened factory.
> ** *Mostly theoretical because:* the DSL-build path doesn't parse external
> input, and {{parseText}} routes through the (already-hardened) static
> {{DOMBuilder.parse(...)}}. The change only bites if user code reaches into
> {{domBuilder.documentBuilder}} and parses DOCTYPE-bearing XML directly — an
> unusual pattern.
> ** *Relax knob:* new {{newInstance(validating, namespaceAware,
> allowDocTypeDeclaration)}} overload.
> h4. What did *not* change
> * No public method signatures removed.
> * No methods deprecated.
> * {{XmlParser}}, {{XmlSlurper}}, the static {{DOMBuilder.parse(...)}}
> overloads and {{XmlUtil.newSAXParser}} keep the same defaults and the same
> {{allowDocTypeDeclaration}} relax knob they have always had.
> * {{<xs:import>}} / {{<xs:include>}} schema imports continue to resolve; the
> SchemaFactory hardening adds {{FEATURE_SECURE_PROCESSING}} only.
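An added upgrade check, not part of the ticket or of Groovy's own sources: it runs one DOCTYPE-bearing document through each parse path named above so an upgrading team can see which paths reject DOCTYPEs and where the relax knob genuinely applies. It assumes Groovy 6.0.0 (for the {{createDocumentBuilderFactory(true)}} and three-argument {{DOMBuilder.newInstance}} overloads the ticket introduces, and the {{domBuilder.documentBuilder}} access it describes); the sample XML and the {{outcome}} closure are constructed here.

```groovy
import groovy.xml.DOMBuilder
import groovy.xml.FactorySupport
import groovy.xml.XmlSlurper
import org.xml.sax.InputSource
import org.xml.sax.SAXException

// Constructed sample input. The entity is harmless; the DOCTYPE declaration itself is
// what the hardened defaults reject, so one document exercises every path below.
String doctypeXml = '''<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello"> ]>
<note>&greeting;</note>'''

// Fresh InputSource per attempt (a StringReader cannot be re-read).
def source = { new InputSource(new StringReader(doctypeXml)) }

// Runs one parse attempt and reports whether the DOCTYPE was rejected.
def outcome = { Closure<?> parse ->
    try {
        parse()
        'parsed (DOCTYPE allowed)'
    } catch (SAXException e) {
        "blocked (${e.class.simpleName})"
    }
}

def checks = [
    // Unchanged in 6.0.0: the front-line API and its long-standing relax knob.
    'XmlSlurper()'                                     : { new XmlSlurper().parseText(doctypeXml) },
    'XmlSlurper(false, false, true)'                   : { new XmlSlurper(false, false, true).parseText(doctypeXml) },
    // Tier 1: the zero-arg helper is now hardened; the (true) overload keeps the old behaviour.
    'FactorySupport.createDocumentBuilderFactory()'    : { FactorySupport.createDocumentBuilderFactory().newDocumentBuilder().parse(source()) },
    'FactorySupport.createDocumentBuilderFactory(true)': { FactorySupport.createDocumentBuilderFactory(true).newDocumentBuilder().parse(source()) },
    // Tier 2: only reached by code that parses through the builder's DocumentBuilder directly.
    'DOMBuilder.newInstance().documentBuilder'         : { DOMBuilder.newInstance().documentBuilder.parse(source()) },
    'DOMBuilder.newInstance(false, false, true).documentBuilder'
                                                       : { DOMBuilder.newInstance(false, false, true).documentBuilder.parse(source()) },
]

// Rows reporting "blocked" are the hardened defaults; only code that genuinely needs
// DOCTYPE input should move to the relaxed variant shown on the following row.
checks.each { name, parse -> println "${name.padRight(60)} -> ${outcome(parse)}" }
```

Run it once before and once after the upgrade and diff the output: any row that flips from parsed to blocked is a code path that now needs a deliberate opt-in rather than a blanket relax.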
--
This message was sent by Atlassian Jira
(v8.20.10#820010)