axis-java-dev mailing list archives

From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: Unable to process XML response with DOCTYPE declaration
Date Mon, 24 Jan 2011 08:34:56 GMT
From the point of view of Axiom, it is already configurable: the
behavior is specified by a StAXParserConfiguration object that is
passed to the relevant methods in StAXUtils and OMXMLBuilderFactory. I
have no objections to making this configurable at the Axis2 level,
provided that the default configuration is secure.

Andreas

On Mon, Jan 24, 2011 at 08:44, Hiranya Jayathilaka <hiranya911@gmail.com> wrote:
> Hi Andreas,
> Can we make this configurable? The current behavior is causing some issues on
> the Synapse front. Sometimes users mediate HTML files through Synapse and most
> HTML documents contain DTD declarations. Can we introduce a property in
> Axiom to not throw an exception when a DTD is encountered? We can write a
> custom message builder for Synapse, but before we do that we want to know
> what the Axiom/Axis2 folks think about this.
> Thanks,
> Hiranya
>
> On Sat, Jan 22, 2011 at 6:02 PM, Andreas Veithen <andreas.veithen@gmail.com>
> wrote:
>>
>> Since message builders are configurable, a user already has the option
>> to replace ApplicationXMLBuilder by an alternative (and insecure!)
>> implementation.
>>
>> Andreas
>>
>> On Sat, Jan 22, 2011 at 08:30, Supun Kamburugamuva <supun06@gmail.com>
>> wrote:
>> > If this is handled at the Axiom layer why are we throwing this
>> > exception? Shouldn't we let the user control this behavior, without
>> > always throwing an exception?
>> >
>> > Thanks,
>> > Supun..
>> >
>> > On Fri, Jan 21, 2011 at 1:29 PM, Miyuru Wanninayaka <miyurudw@gmail.com>
>> > wrote:
>> >> Hi all,
>> >>
>> >> I'm trying to process an XML response from a POX service which returns an
>> >> XML response with DOCTYPE declarations and it fails with
>> >> "javax.xml.stream.XMLStreamException: DOCTYPE is not allowed
>> >> exception".
>> >> The reason for this is that DisallowDoctypeDeclStreamReaderWrapper throws
>> >> an XMLStreamException when a DTD element is found. I think this is done to
>> >> fix security vulnerability CVE-2010-1632.
>> >>
>> >> AFAIK setting the javax.xml.stream.supportDTD property to false in Axiom
>> >> will prevent DTD processing and does not require throwing an exception
>> >> when a DTD is found.
>> >>
>> >> --
>> >> Thanks,
>> >> Miyuru Wanninayaka
>> >> Software Engineer - WSO2 Inc.
>> >>
>> >
>> >
>> >
>> > --
>> > Technical Lead, WSO2 Inc
>> > http://wso2.org
>> > supunk.blogspot.com
>> >
>> > ---------------------------------------------------------------------
>> > To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
>> > For additional commands, e-mail: java-dev-help@axis.apache.org
>> >
>> >
>>
>>
>
>
>
> --
> Hiranya Jayathilaka
> Senior Software Engineer;
> WSO2 Inc.;  http://wso2.org
> E-mail: hiranya@wso2.com;  Mobile: +94 77 633 3491
> Blog: http://techfeast-hiranya.blogspot.com
>
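
The two policies debated in this thread, side by side, as an added example that is not part of the original messages and is not Axiom's code. `RejectDoctypeReader` is a hypothetical stand-in for the wrapper approach, the sample document is constructed, and the program prints what the StAX implementation on the classpath does under each policy.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.stream.util.StreamReaderDelegate;

public class DoctypePolicyDemo {
    // Constructed sample: internal subset only, so nothing is fetched over the network.
    static final String SAMPLE =
        "<!DOCTYPE note [<!ENTITY who \"world\">]><note>hello</note>";

    // Hypothetical wrapper (not Axiom's class): fails as soon as a DTD event is reported.
    static class RejectDoctypeReader extends StreamReaderDelegate {
        RejectDoctypeReader(XMLStreamReader parent) { super(parent); }
        @Override public int next() throws XMLStreamException {
            int event = super.next();
            if (event == XMLStreamConstants.DTD) {
                throw new XMLStreamException("DOCTYPE is not allowed");
            }
            return event;
        }
    }

    // Walks the whole document and returns the event type codes seen, or the error.
    static String parse(XMLInputFactory factory, boolean rejectDoctype) {
        StringBuilder seen = new StringBuilder();
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(SAMPLE));
            if (rejectDoctype) r = new RejectDoctypeReader(r);
            while (r.hasNext()) seen.append(r.next()).append(' ');
            return "events: " + seen.toString().trim();
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Policy A (proposed in the thread): keep parsing, but switch DTD support off.
        XMLInputFactory lenient = XMLInputFactory.newInstance();
        lenient.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        System.out.println("supportDTD=false -> " + parse(lenient, false));
        // Policy B (fail closed): DTD support stays on so the DTD event is reported,
        // any external lookup is refused, and the wrapper rejects the document.
        XMLInputFactory strict = XMLInputFactory.newInstance();
        strict.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.TRUE);
        strict.setXMLResolver((pub, sys, base, ns) -> { throw new XMLStreamException("external entity blocked"); });
        System.out.println("reject DOCTYPE   -> " + parse(strict, true));
    }
}
```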
