File tree 3 files changed +16
-0
lines changed
src/main/java/com/fasterxml/jackson/databind/ext
3 files changed +16
-0
lines changed Original file line number Diff line number Diff line change @@ -1051,3 +1051,8 @@ Joseph Koshakow (jkosh44@github)
10511051Haowei Wen (yushijinhun@github)
10521052 * Reported #2565 : Java 8 `Optional` not working with `@JsonUnwrapped` on unwrappable type
10531053 (2.11.0 )
1054+
1055+ Bartosz Baranowski (baranowb@github)
1056+ * Reported #2589 : `DOMDeserializer`: setExpandEntityReferences(false ) may not prevent
1057+ external entity expansion in all cases
1058+ (2.11.0 )
Original file line number Diff line number Diff line change @@ -34,6 +34,9 @@ Project: jackson-databind
3434 (reported by Haowei W)
3535#2573 : Add `MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` to allow blocking
3636 use of unsafe base type for polymorphic deserialization
37+ #2589 : `DOMDeserializer`: setExpandEntityReferences(false ) may not prevent
38+ external entity expansion in all cases
39+ (reported by Bartosz B)
3740- Add `SerializerProvider.findContentValueSerializer()` methods
3841
39422.10.2 (05 -Jan-2020 )
Original file line number Diff line number Diff line change @@ -39,6 +39,14 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
3939 // 14-Jul-2016, tatu: Not sure how or why, but during code coverage runs
4040 // (via Cobertura) we get `java.lang.AbstractMethodError` so... ignore that too
4141 }
42+
43+ // [databind#2589] add two more settings just in case
44+ try {
45+ parserFactory .setFeature ("http://apache.org/xml/features/disallow-doctype-decl" , true );
46+ } catch (Throwable t ) { } // as per previous one, nothing much to do
47+ try {
48+ parserFactory .setFeature ("http://apache.org/xml/features/nonvalidating/load-external-dtd" , false );
49+ } catch (Throwable t ) { } // as per previous one, nothing much to do
4250 DEFAULT_PARSER_FACTORY = parserFactory ;
4351 }
4452
You can’t perform that action at this time.
0 commit comments