cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: DTD based XML attacks - referring to Apache CXF Security Advisory (CVE-2010-2076)
Date Fri, 13 Aug 2010 16:08:03 GMT
Hi

apologies for a delay...

Sergey Beryozkin-5 wrote:
> >
> > Hi
> >
> > On Mon, Aug 2, 2010 at 3:00 PM, Tal Maayani <tal.maayani@amdocs.com>
> > wrote:
> >
> >> Hi,
> >>
> >> According to your advice, in order to block DTD based XML attack one
> need
> >> to either use CXF version 2.2.9 or replace the default xml parser.
> >>
> > There is an issue with (JAXRS) SourceProvider in 2.2.9 which I missed.
> > But this provider is optional. As far as I know Dan has done some
> > refactoring in 2.2.10-SNAPSHOT which also helped to fix the
> > SourceProvider issue.
> >
> >
> >> Can you please explain how to replace the xml parser when using REST
> >> service.
> >>
> >
> > Are you using JAXB in your JAXRS services?
> >
> >
>
> We use JAXB in our services.
>
>
JAXBElementProvider delegates by default to the JAXB runtime, without
dealing explicitly with parsers.
However, it also checks whether either an XMLStreamReader or an XMLInputFactory
is available on the current message and, if so, either reuses the reader or
asks the factory to create one. The only limitation there is that
JAXBElementProvider does not check a message contextual property, so one
would need to register a custom reader/factory from either a CXF interceptor
or a RequestHandler filter.
Alternatively, JAXBElementProvider can be extended and its createStreamReader
method overridden.

thanks, Sergey


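The following is an added example of the interceptor route described in the reply above; it is not part of this thread and not code from the CXF project. The class name is hypothetical. It assumes, as the reply states, that JAXBElementProvider reuses an XMLStreamReader set as message content (or an XMLInputFactory stored on the message under the factory class name), and that Phase.RECEIVE runs before the JAX-RS interceptor reads the request body. The StAX property names are the standard javax.xml.stream constants.

```java
import java.io.InputStream;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Hypothetical CXF in-interceptor (added example, not CXF project code).
 * It opens XML request bodies with a StAX factory that has DTD processing
 * and external-entity resolution switched off, then places the resulting
 * XMLStreamReader (and the factory itself) on the message so that
 * JAXBElementProvider reuses it instead of the default parser.
 */
public class NoDtdXmlReaderInterceptor extends AbstractPhaseInterceptor<Message> {

    private final XMLInputFactory factory;

    public NoDtdXmlReaderInterceptor() {
        // RECEIVE is the first inbound phase, so this runs before the JAX-RS
        // interceptor that reads the request body (assumed ordering).
        super(Phase.RECEIVE);
        factory = XMLInputFactory.newInstance();
        // No DOCTYPE processing: internal entities are never declared, so
        // entity-expansion attacks such as "billion laughs" cannot inflate.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // No external entities: the document cannot trigger file or network reads.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    }

    public void handleMessage(Message message) throws Fault {
        // Only touch plain XML bodies; JSON, form and multipart requests pass through.
        String contentType = (String) message.get(Message.CONTENT_TYPE);
        if (contentType == null
            || contentType.toLowerCase().startsWith("multipart")
            || !contentType.toLowerCase().contains("xml")) {
            return;
        }
        InputStream body = message.getContent(InputStream.class);
        if (body == null) {
            return;
        }
        try {
            XMLStreamReader reader = factory.createXMLStreamReader(body);
            // Assumed lookup keys: the provider takes the reader from the message
            // content and the factory from a property named after the factory class.
            message.setContent(XMLStreamReader.class, reader);
            message.put(XMLInputFactory.class.getName(), factory);
        } catch (XMLStreamException e) {
            // A body the hardened parser cannot open is rejected before unmarshalling.
            throw new Fault(e);
        }
    }
}
```

Register the class under jaxrs:inInterceptors on the jaxrs:server endpoint (or add it programmatically to the endpoint's in-interceptor chain). The same hardened XMLInputFactory can serve the other route the reply mentions: a subclass of JAXBElementProvider whose overridden createStreamReader returns factory.createXMLStreamReader(is), registered as a provider in place of the default one. Either way, verify the change by posting a request body that declares a DOCTYPE and confirming the service rejects or ignores it rather than expanding it.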
