Thread: [pgjdbc/pgjdbc] 14b62a: Merge pull request from GHSA-37xm-4h3m-5w3v
Branch: refs/heads/master
Home: https://github.com/pgjdbc/pgjdbc
Commit: 14b62aca4764d496813f55a43d050b017e01eb65
https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
Author: Sehrope Sarkuni <sehrope@jackdb.com>
Date: 2020-06-01 (Mon, 01 Jun 2020)

Changed paths:
M pgjdbc/src/main/java/org/postgresql/PGProperty.java
M pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java
M pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java
M pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java
M pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java
A pgjdbc/src/main/java/org/postgresql/xml/DefaultPGXmlFactoryFactory.java
A pgjdbc/src/main/java/org/postgresql/xml/EmptyStringEntityResolver.java
A pgjdbc/src/main/java/org/postgresql/xml/LegacyInsecurePGXmlFactoryFactory.java
A pgjdbc/src/main/java/org/postgresql/xml/NullErrorHandler.java
A pgjdbc/src/main/java/org/postgresql/xml/PGXmlFactoryFactory.java
M pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java

Log Message:
-----------
Merge pull request from GHSA-37xm-4h3m-5w3v

* refactor: Clean up whitespace in existing PgSQLXMLTest

* fix: Fix XXE vulnerability in PgSQLXML by disabling external access and doctypes

Fixes XXE vulnerability by defaulting to disabling external access and doc types. The legacy insecure behavior can be restored via the new connection property xmlFactoryFactory with a value of LEGACY_INSECURE. Alternatively, a custom class name can be specified that implements org.postgresql.xml.PGXmlFactoryFactory and takes a no argument constructor.

* fix: Add missing getter and setter for XML_FACTORY_FACTORY to BasicDataSource
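The commit message describes the fix as disabling doctypes and external access by default. The following is an added example, not code from this commit or from pgjdbc, showing what that kind of hardening looks like with standard JAXP calls only. The class name, helper names and sample documents are constructed for illustration, and it assumes the JDK's built-in parser, which recognizes the Apache `disallow-doctype-decl` feature.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {
    // Constructed sample input: a document whose DOCTYPE declares an external entity.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder\">]>\n"
        + "<doc>&ext;</doc>";
    // Constructed sample input: ordinary XML with no DOCTYPE.
    static final String PLAIN = "<doc><item>1</item></doc>";

    // Builds a parser with doctypes rejected and external DTD/schema access turned off.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any document that carries a DOCTYPE declaration at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // An empty protocol list means no external DTD or schema may be fetched.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parses, false if the parser rejects it.
    static boolean accepts(DocumentBuilder b, String xml) throws Exception {
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = hardenedBuilder();
        System.out.println("plain document accepted: " + accepts(b, PLAIN));
        System.out.println("doctype document accepted: " + accepts(b, WITH_DOCTYPE));
    }
}
```

Applications that set `xmlFactoryFactory` to `LEGACY_INSECURE` opt back into the pre-fix behavior, so that setting is worth searching for in connection strings and data source configuration during review.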