From 7576274874deeccb6da6b09a8d5bd62e8b5538b7 Mon Sep 17 00:00:00 2001
From: Arjen Poutsma
Date: Tue, 6 Aug 2013 15:04:09 -0700
Subject: [PATCH] Fix potential security risk when using Spring OXM

Disable by default external entity resolution when using Spring OXM with jaxb. This prevents a XML entity from being able to resolve a local file on the host system.

See: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
Issue: SPR-10806
---
 .../converter/xml/Jaxb2CollectionHttpMessageConverter.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java b/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java
index d2e0e9b53dd..848842be536 100644
--- a/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java
+++ b/spring-web/src/main/java/org/springframework/http/converter/xml/Jaxb2CollectionHttpMessageConverter.java
@@ -226,7 +226,9 @@ public class Jaxb2CollectionHttpMessageConverter
 	 * @return the created factory
 	 */
 	protected XMLInputFactory createXmlInputFactory() {
-		return XMLInputFactory.newInstance();
+		XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+		inputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
+		return inputFactory;
 	}
 
 }
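Review bot: Setting `IS_REPLACING_ENTITY_REFERENCES` to false only stops the parser from substituting entity references in the character data it hands back; it does not by itself stop the StAX implementation from processing a DTD or resolving an external entity's system identifier, so the hardening in `createXmlInputFactory()` is incomplete. The two standard StAX properties that govern that are `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` and `XMLInputFactory.SUPPORT_DTD`, and both should be set to false on the same factory: `inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);` and `inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);`. Because the method is `protected`, any subclass that overrides it silently drops this configuration, so the Javadoc above it (only its `@return the created factory` line is in the hunk) should state that the returned factory is deliberately configured not to resolve external entities and that overriding implementations are expected to keep that behaviour. The subject line refers to Spring OXM while the only file changed is spring-web's `Jaxb2CollectionHttpMessageConverter`; if the OXM unmarshallers are handled elsewhere, referencing that change here would make the scope of this fix clearer.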