Return-Path: 
 <j-users-return-12928-apmail-xerces-j-users-archive=xerces.apache.org@xerces.apache.org>
Delivered-To: apmail-xerces-j-users-archive@www.apache.org
Received: (qmail 77993 invoked from network); 11 Aug 2009 21:03:40 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3)
  by minotaur.apache.org with SMTP; 11 Aug 2009 21:03:40 -0000
Received: (qmail 98527 invoked by uid 500); 11 Aug 2009 21:02:40 -0000
Delivered-To: apmail-xerces-j-users-archive@xerces.apache.org
Received: (qmail 98325 invoked by uid 500); 11 Aug 2009 21:02:40 -0000
Mailing-List: contact j-users-help@xerces.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:j-users-help@xerces.apache.org>
List-Unsubscribe: <mailto:j-users-unsubscribe@xerces.apache.org>
List-Post: <mailto:j-users@xerces.apache.org>
List-Id: <j-users.xerces.apache.org>
Reply-To: j-users@xerces.apache.org
Delivered-To: mailing list j-users@xerces.apache.org
Delivered-To: moderator for j-users@xerces.apache.org
Received: (qmail 30521 invoked by uid 99); 11 Aug 2009 13:56:42 -0000
X-ASF-Spam-Status: No, hits=1.2 required=10.0
	tests=SPF_NEUTRAL
X-Spam-Check-By: apache.org
Received-SPF: neutral (athena.apache.org: local policy)
MIME-Version: 1.0
In-Reply-To: 
 <OFA8822936.0D9D57E8-ON8525760E.007696FD-8525760E.00796C8E@ca.ibm.com>
References: <1249939133.6241.12.camel@Lini>
	 <OFA8822936.0D9D57E8-ON8525760E.007696FD-8525760E.00796C8E@ca.ibm.com>
Date: Tue, 11 Aug 2009 06:56:12 -0700
Message-ID: <654a2bb30908110656i6f513b3cg3aed7f8572039a8c@mail.gmail.com>
Subject: Re: Denial of service with Xerces?
From: Elliotte Rusty Harold <elharo@ibiblio.org>
To: j-users@xerces.apache.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Virus-Checked: Checked by ClamAV on apache.org

On Mon, Aug 10, 2009 at 3:06 PM, Michael
Glavassevich<mrglavas@ca.ibm.com> wrote:
> Hi Jeff,
>
> The specific problem reported to Apache only applied to Apache Xerces C++.
> Xerces-J does not have the bug that was fixed in the C++ impl.
>
> As a side note, for applications which do not want to trust documents
> containing DTDs there's been a feature [1] available in Xerces-J for years
> which will block them. There's also the JAXP secure processing feature [2]
> which folks should also be enabling if they're concerned about DoS attacks.
>
> Thanks.
>
> [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> [2]
> http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
simply rejects documents containing DOCTYPEs. That might or might not
block the attack, depending on whether the parser actually tries to
parse the DTD before throwing the error. I would hope it throws the
error as soon as it sees <!DOCTYPE, in which case it's likely safe.
However it is exceedingly draconian.

There aren't a lot of details on the attack yet, but from what little
has been released I doubt
http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
would have any effect on this. That feature protects against parsers
following the spec, and expanding entity references. It sounds like
the problem here is a failure to follow the spec, and blowing up on
malformed, recursive entity declarations; though, as I said, I'm only
guessing about that.

-- 
Elliotte Rusty Harold
elharo@ibiblio.org

---------------------------------------------------------------------
To unsubscribe, e-mail: j-users-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-users-help@xerces.apache.org