Fix #1279

Author: cowtowncoder

release-notes/VERSION

@@ -4,6 +4,10 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+2.7.6 (not yet released)
+
+#1279: Ensure DOM parsing defaults to not expanding external entities
+
 2.7.5 (11-Jun-2016)
 
 #1098: DeserializationFeature.FAIL_ON_INVALID_SUBTYPE does not work with

src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java

@@ -2,7 +2,9 @@
 
 import java.io.StringReader;
 
+import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
@@ -20,11 +22,14 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
 {
     private static final long serialVersionUID = 1L;
 
-    private final static DocumentBuilderFactory _parserFactory;
+    private final static DocumentBuilderFactory DEFAULT_PARSER_FACTORY;
     static {
-        _parserFactory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory parserFactory = DocumentBuilderFactory.newInstance();
         // yup, only cave men do XML without recognizing namespaces...
-        _parserFactory.setNamespaceAware(true);
+        parserFactory.setNamespaceAware(true);
+        // [databind#1279]: make sure external entities NOT expanded by default
+        parserFactory.setExpandEntityReferences(false);
+        DEFAULT_PARSER_FACTORY = parserFactory;
     }
 
     protected DOMDeserializer(Class<T> cls) { super(cls); }
@@ -34,12 +39,22 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
 
     protected final Document parse(String value) throws IllegalArgumentException {
         try {
-            return _parserFactory.newDocumentBuilder().parse(new InputSource(new StringReader(value)));
+            return documentBuilder().parse(new InputSource(new StringReader(value)));
         } catch (Exception e) {
             throw new IllegalArgumentException("Failed to parse JSON String as XML: "+e.getMessage(), e);
         }
     }
 
+    /**
+     * Overridable factory method used to create {@link DocumentBuilder} for parsing
+     * XML as DOM.
+     *
+     * @since 2.7.6
+     */
+    protected DocumentBuilder documentBuilder() throws ParserConfigurationException {
+        return DEFAULT_PARSER_FACTORY.newDocumentBuilder();
+    }
+
     /*
     /**********************************************************
     /* Concrete deserializers