Disable `SUPPORT_DTD` for `XMLInputFactory` unless explicitly overridden [CVE-2016-7051]

[cowtowncoder]

Although XML specification defines DTD handling as part of core xml processing, for most XML use cases for networking systems DTDs are either not used, or are minority use case. Conversely use of DTDs is often actually an anti-pattern considering access restrictions and overhead.
With this in mind, it would probably make sense to change defaults to disable DTD processing and just allow changing settings to enable it for cases where it is needed, as opposed to the other way around.

Compared to other default changes it would probably make sense to actually add a specific feature; but if not possible, then just simple setter for XmlMapper. Regardless it'd be easier to do this than to expect user to pre-configure XMLInputFactory.

[cowtowncoder]

Was implemented for '2.7.8' and '2.8.4'.

[cowtowncoder]

CVE: http://www.cvedetails.com/cve/CVE-2016-7051/

[cowtowncoder]

Update at https://nvd.nist.gov/vuln/detail/CVE-2016-7051 -- now includes information on fixed-in version.

[dreamuth]

Thanks for fixing this. But still https://nvd.nist.gov/vuln/detail/CVE-2016-7051 is not updated with the fixed-in version at Vulnerable software and versions.

[cowtowncoder]

I sent an update request with information, but I do not have access to change any of it directly.
So I am not quite sure what to do there. Help would be appreciated.