Additional docs about security vulnerabilities with XStream.

This commit is contained in:
Arjen Poutsma 2013-07-24 15:54:32 +02:00 committed by Rossen Stoyanchev
parent b6c54c3637
commit 4da7e304b8
2 changed files with 14 additions and 3 deletions


@ -75,8 +75,15 @@ import org.springframework.util.xml.StaxUtils;
/** /**
* Implementation of the {@code Marshaller} interface for XStream. * Implementation of the {@code Marshaller} interface for XStream.
* *
* <p>By default, XStream does not require any further configuration, * <p>By default, XStream does not require any further configuration and can (un)marshal
* though class aliases can be used to have more control over the behavior of XStream. * any class on the classpath. As such, it is <b>not recommended to use the
* {@code XStreamMarshaller} to unmarshal XML from external sources</b> (i.e. the Web), as
* this can result in <b>security vulnerabilities</b>. If you do use the
* {@code XStreamMarshaller} to unmarshal external XML, set the
* {@link #setConverters(ConverterMatcher[]) converters} and
* {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
* {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
* you want it to support.
* *
* <p>Due to XStream's API, it is required to set the encoding used for writing to OutputStreams. * <p>Due to XStream's API, it is required to set the encoding used for writing to OutputStreams.
* It defaults to {@code UTF-8}. * It defaults to {@code UTF-8}.
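Review bot: the new Javadoc names three mitigations (converters, supportedClasses, customizeXStream) but does not say how supportedClasses is enforced on the unmarshalling path, which is what a reader will rely on when they follow this advice; state whether unmarshalling rejects types outside supportedClasses or whether the property only drives supports(), and if the latter, point the reader at customizeXStream as the place to actually restrict the accepted types. Also "(i.e. the Web)" should be "(e.g. the Web)", since the Web is one example of an external source, not the definition of one.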


@ -755,7 +755,11 @@ public class Application {
<para> <para>
By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
vulnerabilities. vulnerabilities.
As such, it is recommended to set the <property>supportedClasses</property> property on the As such, it is <emphasis>not recommended to use the <classname>XStreamMarshaller</classname> to
unmarshal XML from external sources</emphasis> (i.e. the Web), as this can result in
<emphasis>security vulnerabilities</emphasis>.
If you do use the <classname>XStreamMarshaller</classname> to unmarshal XML from an external source,
set the <property>supportedClasses</property> property on the
<classname>XStreamMarshaller</classname>, like so: <classname>XStreamMarshaller</classname>, like so:
<programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller"> <programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
<property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/> <property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
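Review bot: the paragraph now states the same risk twice: the retained first sentence already says arbitrary-class unmarshalling "can result in security vulnerabilities", and the new sentence ends with "as this can result in <emphasis>security vulnerabilities</emphasis>" again; drop one of the two. As in the Javadoc hunk, "(i.e. the Web)" should read "(e.g. the Web)". The reference manual also only shows supportedClasses, while the Javadoc in the same commit mentions converters and customizeXStream as well; either list all three here or explain why supportedClasses alone is sufficient, so the two documents give consistent guidance.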