xerces-j-users mailing list archives
From Michael Glavassevich <mrgla...@ca.ibm.com>
Subject Re: Denial of service with Xerces?
Date Tue, 11 Aug 2009 22:15:24 GMT

Elliotte,

Elliotte Rusty Harold <elharo@ibiblio.org> wrote on 08/11/2009 09:56:12 AM:

> On Mon, Aug 10, 2009 at 3:06 PM, Michael
> Glavassevich <mrglavas@ca.ibm.com> wrote:
> > Hi Jeff,
> >
> > The specific problem reported to Apache only applied to Apache Xerces C++.
> > Xerces-J does not have the bug that was fixed in the C++ impl.
> >
> > As a side note, for applications which do not want to trust documents
> > containing DTDs there's been a feature [1] available in Xerces-J for years
> > which will block them. There's also the JAXP secure processing feature [2]
> > which folks should also be enabling if they're concerned about DoS attacks.
> >
> > Thanks.
> >
> > [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> > [2] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
>
> http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> simply rejects documents containing DOCTYPEs. That might or might not
> block the attack, depending on whether the parser actually tries to
> parse the DTD before throwing the error. I would hope it throws the
> error as soon as it sees <!DOCTYPE, in which case it's likely safe.
> However it is exceedingly draconian.

The fatal error is reported (and exception is thrown) immediately after
parsing "<!DOCTYPE". It doesn't go any further.

SOAP messages in particular do not allow DOCTYPEs, so I would expect
applications which process those to be enabling this feature. I'm sure
there are other appropriate uses, though obviously it is not a solution for
everyone.

> There aren't a lot of details on the attack yet, but from what little
> has been released I doubt
> http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
> would have any effect on this.

I never said it did. I was making a general statement.

> That feature protects against parsers
> following the spec, and expanding entity references. It sounds like
> the problem here is a failure to follow the spec, and blowing up on
> malformed, recursive entity declarations; though, as I said, I'm only
> guessing about that.

This feature does whatever an implementation feels it needs to, to protect
itself, and that could include imposing limits on anything, not just entity
expansion. Sure, Xerces only checks a couple of things today when you turn
that feature on, but it might check more things in the future, and if you're
not setting it you won't get that protection.


Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
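The two features discussed in this thread, wired up through JAXP, as an added example that is not part of the original message or of the Xerces project's own code. It assumes the default JAXP `DocumentBuilderFactory` on the JVM is Xerces-based (the JDK's bundled parser is), so that the Xerces-specific feature URI from link [1] is recognised; on a non-Xerces parser `setFeature` throws `ParserConfigurationException`, which is the check that tells you the guard is not in place. The sample document is constructed for the example: a small internal-subset entity chain, not a real attack payload. The lenient builder parses it and expands the entities; the hardened builder reports a fatal error on the `<!DOCTYPE` line, before any entity declaration is read, which is the behaviour the reply above describes.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class DoctypeGuard {

    // Xerces-J feature URI from link [1] in the thread (example assumes a Xerces-based JAXP parser).
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Constructed sample input: two nested entity declarations, one reference in the body.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE msg [\n" +
        "  <!ENTITY a \"aaaaaaaaaa\">\n" +
        "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n" +
        "]>\n" +
        "<msg>&b;</msg>\n";

    // Weak configuration: whatever the platform default is, DTDs accepted and expanded.
    static DocumentBuilder lenientBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        return f.newDocumentBuilder();
    }

    // Hardened configuration: JAXP secure processing [2] plus the Xerces DOCTYPE block [1].
    // setFeature throws ParserConfigurationException if the parser does not support a feature,
    // so an unsupported guard fails loudly at setup rather than silently letting DTDs through.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        return f.newDocumentBuilder();
    }

    // Parses the document and reports either the expanded text length or where the parser stopped.
    static String parse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            int len = d.getDocumentElement().getTextContent().length();
            return "parsed, expanded text length = " + len;
        } catch (SAXParseException e) {
            // Line number shows how far the parser got before the fatal error.
            return "rejected at line " + e.getLineNumber() + ": " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lenient : " + parse(lenientBuilder(), SAMPLE));
        System.out.println("hardened: " + parse(hardenedBuilder(), SAMPLE));
    }
}
```

Compile and run with `javac DoctypeGuard.java && java DoctypeGuard`. The lenient run shows the entity chain fully expanded in the document text; the hardened run shows a `SAXParseException` whose line number is the `<!DOCTYPE` line, so nothing inside the internal subset was ever processed. If you need to accept DTDs for some inputs, keep `FEATURE_SECURE_PROCESSING` on regardless, for the reason given in the reply: it is the switch under which the implementation applies whatever limits it adds in future.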