xerces-j-users mailing list archives

From Elliotte Rusty Harold <elh...@ibiblio.org>
Subject Re: Denial of service with Xerces?
Date Tue, 11 Aug 2009 13:56:12 GMT
On Mon, Aug 10, 2009 at 3:06 PM, Michael Glavassevich <mrglavas@ca.ibm.com> wrote:
> Hi Jeff,
> The specific problem reported to Apache only applied to Apache Xerces C++.
> Xerces-J does not have the bug that was fixed in the C++ impl.
> As a side note, for applications which do not want to trust documents
> containing DTDs there's been a feature [1] available in Xerces-J for years
> which will block them. There's also the JAXP secure processing feature [2]
> which folks should also be enabling if they're concerned about DoS attacks.
> Thanks.
> [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> [2] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

simply rejects documents containing DOCTYPEs. That might or might not
block the attack, depending on whether the parser actually tries to
parse the DTD before throwing the error. I would hope it throws the
error as soon as it sees <!DOCTYPE, in which case it's likely safe.
However it is exceedingly draconian.

There aren't a lot of details on the attack yet, but from what little
has been released I doubt
would have any effect on this. That feature protects against parsers
following the spec, and expanding entity references. It sounds like
the problem here is a failure to follow the spec, and blowing up on
malformed, recursive entity declarations; though, as I said, I'm only
guessing about that.

Elliotte Rusty Harold
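
Added example, not code from this thread or from the Xerces project: the two features linked as [1] and [2] in the quoted message, enabled on a JAXP DocumentBuilderFactory and run against two constructed documents. The class and method names are hypothetical; the line and column in the reported error show how far the parser read before rejecting the DOCTYPE.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedParserDemo {          // hypothetical class name
    // Xerces feature id documented at link [1] in the quoted message.
    static final String DISALLOW_DOCTYPE =
            "http://apache.org/xml/features/disallow-doctype-decl";

    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // JAXP secure processing feature (link [2]).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Any DOCTYPE declaration becomes a fatal error.
        f.setFeature(DISALLOW_DOCTYPE, true);
        return f.newDocumentBuilder();
    }

    // Parses the string and returns a one-line description of the outcome.
    static String tryParse(String xml) throws Exception {
        try {
            newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return "accepted";
        } catch (SAXParseException e) {
            return "rejected at line " + e.getLineNumber()
                    + ", column " + e.getColumnNumber() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one without a DOCTYPE, one with a
        // harmless internal subset declaring a single entity.
        String plain = "<order><id>42</id></order>";
        String withDtd = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE order [\n"
                + "  <!ENTITY greeting \"hello\">\n"
                + "]>\n"
                + "<order>&greeting;</order>";
        System.out.println("no DOCTYPE:   " + tryParse(plain));
        System.out.println("with DOCTYPE: " + tryParse(withDtd));
    }
}
```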
