Additional docs about security vulnerabilities with XStream.

Arjen Poutsma · rstoyanchev · commit 4da7e304b86c · 2013-07-24T10:24:13.000-04:00
diff --git a/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java b/spring-oxm/src/main/java/org/springframework/oxm/xstream/XStreamMarshaller.java
@@ -75,8 +75,15 @@
 /**
  * Implementation of the {@code Marshaller} interface for XStream.
  *
- * <p>By default, XStream does not require any further configuration,
- * though class aliases can be used to have more control over the behavior of XStream.
+ * <p>By default, XStream does not require any further configuration and can (un)marshal
+ * any class on the classpath. As such, it is <b>not recommended to use the
+ * {@code XStreamMarshaller} to unmarshal XML from external sources</b> (i.e. the Web), as
+ * this can result in <b>security vulnerabilities</b>. If you do use the
+ * {@code XStreamMarshaller} to unmarshal external XML, set the
+ * {@link #setConverters(ConverterMatcher[]) converters} and
+ * {@link #setSupportedClasses(Class[]) supportedClasses} properties or override the
+ * {@link #customizeXStream(XStream)} method to make sure it only accepts the classes
+ * you want it to support.
  *
  * <p>Due to XStream's API, it is required to set the encoding used for writing to OutputStreams.
  * It defaults to {@code UTF-8}.
diff --git a/src/reference/docbook/oxm.xml b/src/reference/docbook/oxm.xml
@@ -755,7 +755,11 @@ public class Application {
                 <para>
                   By default, XStream allows for arbitrary classes to be unmarshalled, which can result in security
                   vulnerabilities.
-                  As such, it is recommended to set the <property>supportedClasses</property> property on the
+                  As such, it is <emphasis>not recommended to use the <classname>XStreamMarshaller</classname> to
+                  unmarshal XML from external sources</emphasis> (i.e. the Web), as this can result in
+                  <emphasis>security vulnerabilities</emphasis>.
+                  If you do use the <classname>XStreamMarshaller</classname> to unmarshal XML from an external source,
+                  set the <property>supportedClasses</property> property on the
                   <classname>XStreamMarshaller</classname>, like so:
                   <programlisting language="xml"><![CDATA[<bean id="xstreamMarshaller" class="org.springframework.oxm.xstream.XStreamMarshaller">
     <property name="supportedClasses" value="org.springframework.oxm.xstream.Flight"/>
