URIHandler.DEFAULT_HANDLERS as potential security risk #102
juergen-albert
announced in
Announcements
Replies: 1 comment
The DEFAULT_HANDLERS are an unmodifiable List that applies to all ResourceSets created with new ResourceSetImpl(). This leads to the behavior that, by default, any Proxy with an HTTP URI will result in a Request. Any chance that this list can become modifiable, so we can remove the handler, so nobody accidentally creates a new ResourceSet that exhibits such behavior? This is an issue that gets us into trouble with any security audit.

You will need to modify the handlers in your URIConverter instance. While you might want to avoid someone doing something accidentally, I also want to avoid someone accidentally changing the default that affects the entire system. Perhaps some system property to change some behavior of something might be helpful? I don't understand what is being audited or how it is being audited. Even the JDK can always be used to make an http request, or?
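The per-instance change the reply points at, written out as an added example (this is not code from the EMF project or from either participant in the thread): a URIHandler that refuses remote schemes is placed at the front of a ResourceSet's own URIConverter, ahead of the catch-all URIHandlerImpl. EMF consults handlers in order and uses the first whose canHandle() returns true, and ExtensibleURIConverterImpl keeps its own modifiable copy of URIHandler.DEFAULT_HANDLERS, so the global default list stays untouched. The class name DenyRemoteURIHandler, the hardenedResourceSet() helper, the denied-scheme set and the sample URI are this example's own assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Map;
import java.util.Set;

import org.eclipse.emf.common.util.URI;
import org.eclipse.emf.ecore.resource.Resource;
import org.eclipse.emf.ecore.resource.ResourceSet;
import org.eclipse.emf.ecore.resource.URIConverter;
import org.eclipse.emf.ecore.resource.impl.ResourceSetImpl;
import org.eclipse.emf.ecore.resource.impl.URIHandlerImpl;

/**
 * Added example, not EMF project code: a handler that claims every http/https
 * URI and refuses it, so resolving a proxy with such a URI fails instead of
 * opening a network connection. Class and method names are assumptions.
 */
public class DenyRemoteURIHandler extends URIHandlerImpl {
    // Schemes that must never be fetched (assumption: extend to what the audit requires).
    private static final Set<String> DENIED = Set.of("http", "https");

    @Override
    public boolean canHandle(URI uri) {
        String scheme = uri.scheme();
        return scheme != null && DENIED.contains(scheme.toLowerCase());
    }

    @Override
    public InputStream createInputStream(URI uri, Map<?, ?> options) throws IOException {
        throw new IOException("remote URI blocked by policy: " + uri);
    }

    @Override
    public OutputStream createOutputStream(URI uri, Map<?, ?> options) throws IOException {
        throw new IOException("remote URI blocked by policy: " + uri);
    }

    @Override
    public boolean exists(URI uri, Map<?, ?> options) {
        // Do not probe the network either; report the resource as absent.
        return false;
    }

    /**
     * Builds a ResourceSet whose converter has this handler at index 0.
     * getURIHandlers() is the converter's own modifiable list (a copy of
     * URIHandler.DEFAULT_HANDLERS), so other ResourceSets are unaffected.
     */
    public static ResourceSet hardenedResourceSet() {
        ResourceSet resourceSet = new ResourceSetImpl();
        URIConverter converter = resourceSet.getURIConverter();
        // First matching handler wins, so this shadows the catch-all URIHandlerImpl
        // for the denied schemes only; file:, platform:, archive: are unchanged.
        converter.getURIHandlers().add(0, new DenyRemoteURIHandler());
        return resourceSet;
    }

    /** Self-check: demand-loading an http URI now throws instead of connecting. */
    public static void main(String[] args) {
        ResourceSet resourceSet = hardenedResourceSet();
        // Constructed sample URI; the host is reserved and never resolves.
        URI remote = URI.createURI("http://example.invalid/model.ecore");
        try {
            Resource resource = resourceSet.getResource(remote, true);
            System.out.println("UNEXPECTED: loaded " + resource.getURI());
        } catch (RuntimeException e) {
            // ResourceSetImpl wraps the IOException from the handler in a RuntimeException.
            System.out.println("blocked as intended: " + e.getMessage());
        }
    }
}
```

Two caveats a reviewer would want stated. The handler only guards the ResourceSet it is installed in; proxy resolution goes through the owning ResourceSet's converter, so every ResourceSet an application creates (including ones created by libraries) must be built this way, or the default still applies. And a deny-list by scheme is the minimal fix; if the audit requires it, the same handler can be turned into an allow-list by having canHandle() return true for every scheme that is not in a small approved set (file, platform, archive), which also covers schemes the catch-all URIHandlerImpl would otherwise hand to java.net.URL.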