Backport #3837 in 2.14(.3)

cowtowncoder · cowtowncoder · commit 5c63735e9181 · 2023-03-22T17:07:15.000-07:00
diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x
@@ -1488,6 +1488,8 @@ PJ Fanning (pjfanning@github)
   (2.14.0)
   * Contributed #3530: Change LRUMap to just evict one entry when maxEntries reached
   (2.14.0)
+  * Contributed #3837: Set transformer factory attributes to improve protection against XXE
+  (2.14.3)
 
 Igor Shymko (ancane@github)
   * Contributed #3500: Add optional explicit `JsonSubTypes` repeated names check
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -8,6 +8,8 @@ Project: jackson-databind
 
 #3784: `PrimitiveArrayDeserializers$ByteDeser.deserialize` ignores
   `DeserializationProblemHandler` for invalid Base64 content
+#3837: Set transformer factory attributes to improve protection against XXE
+ (contributed by @pjfanning)
 
 2.14.2 (28-Jan-2023)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMSerializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMSerializer.java
@@ -28,6 +28,7 @@ public DOMSerializer() {
         try {
             transformerFactory = TransformerFactory.newInstance();
             transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+	    // 22-Mar-2023, tatu: [databind#3837] add these 2 settings further
             setTransformerFactoryAttribute(transformerFactory, XMLConstants.ACCESS_EXTERNAL_DTD, "");
             setTransformerFactoryAttribute(transformerFactory, XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         } catch (Exception e) {
