Hi, apologies for a delay...

Sergey Beryozkin-5 wrote:
>
> Hi
>
> On Mon, Aug 2, 2010 at 3:00 PM, Tal Maayani <tal.maay...@amdocs.com>
> wrote:
>
>> Hi,
>>
>> According to your advice, in order to block DTD based XML attack one need
>> to either use CXF version 2.2.9 or replace the default xml parser.
>>
>> there is an issue with (JAXRS) SourceProvider in 2.2.9 which I missed.
>> But
> this provider is optional. As far as I know Dan has done some refactoring
> in
> 2.2.10-SNAPSHOT which also helped to fix the SourceProvider issue.
>
>
>> Can you please explain how to replace the xml parser when using REST
>> service.
>>
>
> are you using JAXB in your JAXRS services ?
>
>
> We use JAXB in our services.
>

JAXBElementProvider delegates by default to the JAXB runtime, without dealing explicitly with parsers. However, it also checks if either XMLStreamReader or XMLInputFactory is available on the current message and, if yes, then either reuses the reader or asks the factory to create one. The only limitation there is that JAXBElementProvider does not check a message contextual property, so one would need to register a custom reader/factory from either a cxf interceptor or RequestHandler filter. Alternatively, JAXBElementProvider can be extended and its createStreamReader method be overridden.

thanks, Sergey

> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/DTD-based-XML-attacks-refering-to-Apache-CXF-Security-Advisory-CVE-2010-2076-tp2261760p2268798.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
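Both approaches from Sergey's reply, as an added Java sketch that is not part of the thread and not CXF's own code: the createStreamReader signature, the interceptor phase and the message key under which the factory is stored are assumptions to verify against the JAXBElementProvider source of the CXF 2.2.x release in use; SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES are standard StAX properties.

```java
import java.io.InputStream;
import javax.ws.rs.WebApplicationException;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxrs.provider.JAXBElementProvider;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public final class DtdBlockingXml {

    /** StAX factory that refuses DTDs and external entities, so a
     *  DOCTYPE in a request body fails fast instead of being expanded. */
    public static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /** Option 1: an in-interceptor puts the factory on the message so that
     *  JAXBElementProvider picks it up. The message key (the XMLInputFactory
     *  class name) and the phase are assumptions. */
    public static class FactoryRegisteringInterceptor
            extends AbstractPhaseInterceptor<Message> {
        public FactoryRegisteringInterceptor() {
            super(Phase.RECEIVE); // assumed: runs before the body is read
        }
        @Override
        public void handleMessage(Message message) throws Fault {
            message.put(XMLInputFactory.class.getName(), hardenedFactory());
        }
    }

    /** Option 2: subclass the provider and build the reader yourself.
     *  The createStreamReader signature is assumed. */
    public static class HardenedJAXBElementProvider extends JAXBElementProvider {
        @Override
        protected XMLStreamReader createStreamReader(Class<?> type, InputStream is) {
            try {
                return hardenedFactory().createXMLStreamReader(is);
            } catch (XMLStreamException e) {
                // Reject the request rather than fall back to a DTD-aware parser
                throw new WebApplicationException(e, 400);
            }
        }
    }
}
```

Whichever option is used, confirm with a request carrying a DOCTYPE that the service returns an error rather than a parsed result, since a provider that silently falls back to the default parser leaves the advisory's issue in place.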