On Mon, Aug 10, 2009 at 3:06 PM, Michael Glavassevich <mrgla...@ca.ibm.com> wrote:
> Hi Jeff,
>
> The specific problem reported to Apache only applied to Apache Xerces C++.
> Xerces-J does not have the bug that was fixed in the C++ impl.
>
> As a side note, for applications which do not want to trust documents
> containing DTDs there's been a feature [1] available in Xerces-J for years
> which will block them. There's also the JAXP secure processing feature [2]
> which folks should also be enabling if they're concerned about DoS attacks.
>
> Thanks.
>
> [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> [2] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl simply rejects documents containing DOCTYPEs. That might or might not block the attack, depending on whether the parser actually tries to parse the DTD before throwing the error. I would hope it throws the error as soon as it sees <!DOCTYPE, in which case it's likely safe. However, it is exceedingly draconian.

There aren't a lot of details on the attack yet, but from what little has been released I doubt http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING would have any effect on this. That feature protects against parsers following the spec and expanding entity references. It sounds like the problem here is a failure to follow the spec, and blowing up on malformed, recursive entity declarations; though, as I said, I'm only guessing about that.

--
Elliotte Rusty Harold
elh...@ibiblio.org
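The two features discussed in this thread, switched on through JAXP, in an added example that is not code from either poster or from the Xerces project. It assumes the Xerces-based DocumentBuilderFactory bundled with the JDK (which accepts the disallow-doctype-decl feature URI) and uses a constructed, harmless internal DTD to show that the document is rejected at the DOCTYPE declaration itself.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Xerces feature from link [1] in the thread: reject any document with a DOCTYPE.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a parser with secure processing on, and optionally DOCTYPEs disallowed. */
    static DocumentBuilder newHardenedBuilder(boolean rejectDoctype)
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // JAXP secure processing, link [2] in the thread (limits entity expansion).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        if (rejectDoctype) {
            dbf.setFeature(DISALLOW_DOCTYPE, true);
        }
        return dbf.newDocumentBuilder();
    }

    /** Returns "ok" if the document parsed, otherwise the parser's error message. */
    static String tryParse(boolean rejectDoctype, String xml) throws Exception {
        try {
            newHardenedBuilder(rejectDoctype)
                .parse(new InputSource(new StringReader(xml)));
            return "ok";
        } catch (SAXException e) {
            // Fatal error raised by the parser; with DISALLOW_DOCTYPE this fires
            // as soon as the DOCTYPE declaration is seen.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a benign internal DTD declaring one entity.
        String withDtd = "<!DOCTYPE note [<!ENTITY who \"world\">]><note>hello &who;</note>";
        String plain = "<note>hello world</note>";

        System.out.println("plain, DOCTYPE allowed : " + tryParse(false, plain));
        System.out.println("DTD,   DOCTYPE allowed : " + tryParse(false, withDtd));
        System.out.println("DTD,   DOCTYPE rejected: " + tryParse(true, withDtd));
    }
}
```

The first two calls parse successfully (secure processing alone does not forbid a DTD); the third is refused without the DTD body being processed, which is the "draconian" but simple option the thread contrasts with FEATURE_SECURE_PROCESSING.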