tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Olofsson <>
Subject External entities in web.xml
Date Wed, 26 Mar 2014 13:34:59 GMT

I just started an upgrade of our tomcat, 7.0.47, to 7.0.52 and got into a
problem. Tomcat did not want to start our webapp. Looking in the log
I see:

Mar 26, 2014 2:10:42 PM org.apache.catalina.startup.ContextConfig 
SEVERE: Parse error in application web.xml file at 
jndi:/localhost/bios/WEB-INF/web.xml Could not resolve XML resource [null] 
with public ID
  [null], system ID [dpservices.xml] and base URI 
to a known, local entity.

Not very helpful!

Looking in our web.xml I find that it starts with:
<?xml version="1.0"?>
<!DOCTYPE web-app [ <!ENTITY service SYSTEM "dpservices.xml">]>

Checking the directory and the dpservices.xml file is there.

After a bit of git cloning, git grep:ing and similar I find that:

"7.0.51:Change default value of |xmlBlockExternal| attribute of Context.
  It is |true| now"

There is no bug referenced so I am not sure why this change was made.
Is there some security problem with external entities that I should know of?
Is there a bug where I can read more? (I can not been able to find anything
specific to this from google).

Setting xmlBlockExternal="false" in the context makes things start
up as they should again and I can continue with testing the new

It would be nicer if the parse error also said something like "...external
entities are not allowed, check the xmlBlockExternal context property..."


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message