From 4da7e304b86c9528d05b51b02459ee071b65e68a Mon Sep 17 00:00:00 2001
From: Arjen Poutsma
Date: Wed, 24 Jul 2013 15:54:32 +0200
Subject: [PATCH] Additional docs about security vulnerabilities with XStream.
---
 .../oxm/xstream/XStreamMarshaller.java | 11 +++++++++--
 src/reference/docbook/oxm.xml | 6 +++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
index 65fa78a6ee..8bddd56dc1 100644
--- a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
+++ b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
@@ -75,8 +75,15 @@ import org.springframework.util.xml.StaxUtils;
 /**
  * Implementation of the {@code Marshaller} interface for XStream.
  *
- *

By default, XStream does not require any further configuration,
- * though class aliases can be used to have more control over the behavior of XStream.

By default, XStream does not require any further configuration and can (un)marshal
+ * any class on the classpath. As such, it is not recommended to use the
+ * {@code XStreamMarshaller} to unmarshal XML from external sources (i.e. the Web), as
+ * this can result in security vulnerabilities. If you do use the
+ * {@code XStreamMarshaller} to unmarshal external XML, set the
+ * {@link #setConverters(ConverterMatcher[]) converters} and
+ * {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
+ * {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
+ * you want it to support.
  *
  *

Due to XStream's API, it is required to set the encoding used for writing to OutputStreams.
  * It defaults to {@code UTF-8}.
diff --git a/src/reference/docbook/oxm.xml b/src/reference/docbook/oxm.xml
index 1a7cbac17c..aa4d7e2a91 100644
--- a/src/reference/docbook/oxm.xml
+++ b/src/reference/docbook/oxm.xml
@@ -755,7 +755,11 @@ public class Application {
 By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security vulnerabilities.
- As such, it is recommended to set the supportedClasses property on the
+ As such, it is not recommended to use the XStreamMarshaller to
+ unmarshal XML from external sources (i.e. the Web), as this can result in
+ security vulnerabilities.
+ If you do use the XStreamMarshaller to unmarshal XML from an external source,
+ set the supportedClasses property on the
 XStreamMarshaller, like so:
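Review bot: The new Javadoc paragraph presents the `supportedClasses` and `converters` properties as enough to make the marshaller "only accept the classes you want it to support", but nothing in the hunk shows that either property is consulted while unmarshalling rather than only by `supports(Class)` or alias registration; if that is the case (the class body is outside this hunk), the text overstates the protection and a reader may treat untrusted input as safe once the properties are set. Please name the mechanism that actually rejects unexpected types, or phrase this as a hardening recommendation rather than a guarantee, e.g. `... so that the set of classes XStream may instantiate is as small as possible; this reduces, but does not by itself remove, the risk of unmarshalling untrusted XML`. The phrase `(i.e. the Web)` should read `(e.g. the Web)` since the Web is an example of an external source, not its definition; the same wording is added in the oxm.xml hunk. The key risk sentence would also be clearer as `can unmarshal XML into any class on the classpath` instead of `can (un)marshal any class on the classpath`.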