Date: Sat, 14 Aug 2010 23:51:10 -0700 (PDT)
From: oferdit
To: dev@cxf.apache.org
Message-ID: <1281855070038-2635632.post@n5.nabble.com>
Subject: Re: DTD based XML attacks - refering to Apache CXF Security Advisory (CVE-2010-2076)

First we tried to use the StaxInInterceptor in order to register the XMLInputFactory which is mentioned in the advisory document, but we had some problems with JSON requests and encoding of UTF-8 messages. So what we have done is to extend JAXBElementProvider as you mention.