Hello Daniel,

This is working as designed.

Disabling validation has no impact on entity processing. Please refer to this FAQ [1].

DocumentBuilderFactory.setExpandEntityReferences() only tells the DocumentBuilder whether it should include EntityReference nodes in the tree. Please refer to [2] for more details about this setting.

Xerces has no implementation of XMLInputFactory (StAX) so I'm not sure what you tested there.

Thanks.

[1] http://xerces.apache.org/xerces2-j/faq-write.html#faq-2
[2] http://xerces.apache.org/xerces2-j/features.html#dom.create-entity-ref-nodes

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org

"Daniel Amodio" <dan.amo...@aspectsecurity.com> wrote on 05/12/2012 10:35:25 AM:

> Hello,
>
> We recently did some testing to verify the proper way of disabling
> external entity resolution, as a security recommendation.
>
> Through some unit testing, we came up with a couple of findings which I
> wanted to verify were intended functionality:
>
> • Not validating XML did not stop XXE attacks in the JAXP and StAX
>   implementations; it expanded external entities.
> • .setExpandEntityReferences(false) also did not stop XXE attacks in the
>   JAXP implementation; it also expanded external entity references.
>
> Should this be the case, or should those settings disable the
> resolution? I've included some more details of our test results below.
> We're willing to contribute the test cases if that's at all useful.
>
> Thanks,
> Dan
>
> Tested Xerces 2.10.0 and 1.4.4
>
> DocumentBuilderFactory (JAXP)
>
>   .setValidating(false);
>       Implementation: Xerces 1 or Xerces 2        Stop XXE? NO
>   .setExpandEntityReferences(false)
>       Implementation: Xerces 1 or Xerces 2        Stop XXE? NO
>   .setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
>       Implementation: Xerces 2 Only               Stop XXE? YES!
>   Both .setFeature("http://xml.org/sax/features/external-general-entities", false);
>   and .setFeature("http://xml.org/sax/features/external-parameter-entities", false);
>       Implementation: Xerces 1 and Xerces 2       Stop XXE? YES!
>
> SAXParserFactory (JAXP)
>
>   .setValidating(false);
>       Implementation: Xerces 1 or Xerces 2        Stop XXE? NO
>   .setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
>       Implementation: Xerces 2 Only               Stop XXE? YES!
>   Both .setFeature("http://xml.org/sax/features/external-general-entities", false);
>   and .setFeature("http://xml.org/sax/features/external-parameter-entities", false);
>       Implementation: Xerces 1 and Xerces 2       Stop XXE? YES!
>
> XMLInputFactory (StAX)
>   (Did not test on Xerces 1)
>
>   .setProperty("javax.xml.stream.isValidating", false);
>       Implementation: Xerces 2                    Stop XXE? NO
>   .setProperty("javax.xml.stream.isSupportingExternalEntities", false);
>       Implementation: Xerces 2                    Stop XXE? YES!
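The following probe is an added example, written for this page and not code from the thread, Aspect Security or the Xerces project. It reproduces Daniel's table end to end: a constructed XML document declares an external general entity pointing at a temporary file (standing in for /etc/passwd), and each DOM, SAX and StAX configuration from the table is applied in turn to see whether the file contents reach the application. It assumes a Xerces 2 parser (or the JDK's bundled fork of it) for JAXP; since, as Michael notes, Xerces has no XMLInputFactory, the StAX rows exercise whatever StAX implementation is on the classpath. The class name, labels and marker string are my own. It also surfaces the point from the reply that setExpandEntityReferences(false) merely changes the shape of the tree: getTextContent() descends into the EntityReference node and still returns the file.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.concurrent.Callable;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Probes which DOM/SAX/StAX settings actually stop an external general entity
 * from being read. Assumes Xerces 2 (or the JDK's bundled fork) for JAXP and
 * whatever XMLInputFactory implementation is on the classpath for StAX.
 */
public class XxeSettingsProbe {
    // Constructed marker, written to a temp file that plays the role of /etc/passwd.
    static final String MARKER = "XXE-PROBE-SECRET";
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    /** A factory tweak that may throw the checked exceptions setFeature() declares. */
    interface Config<F> { void apply(F factory) throws Exception; }

    public static void main(String[] args) throws Exception {
        File secret = File.createTempFile("xxe-probe", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), MARKER.getBytes(StandardCharsets.UTF_8));
        // Classic XXE payload: an external general entity that reads a local file.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"" + secret.toURI() + "\"> ]>\n"
                + "<root>&ext;</root>";

        // DocumentBuilderFactory: the two settings the thread found ineffective ...
        probe("DOM setValidating(false)", () -> domText(f -> f.setValidating(false), xml));
        probe("DOM setExpandEntityReferences(false)", () -> domText(f -> f.setExpandEntityReferences(false), xml));
        // ... and the two that work (disallow-doctype-decl is Xerces 2 only).
        probe("DOM disallow-doctype-decl=true", () -> domText(f -> f.setFeature(DISALLOW_DOCTYPE, true), xml));
        probe("DOM external-*-entities=false", () -> domText(f -> {
            f.setFeature(EXT_GENERAL, false);
            f.setFeature(EXT_PARAMETER, false);
        }, xml));
        // SAXParserFactory: same three rows.
        probe("SAX setValidating(false)", () -> saxText(f -> f.setValidating(false), xml));
        probe("SAX disallow-doctype-decl=true", () -> saxText(f -> f.setFeature(DISALLOW_DOCTYPE, true), xml));
        probe("SAX external-*-entities=false", () -> saxText(f -> {
            f.setFeature(EXT_GENERAL, false);
            f.setFeature(EXT_PARAMETER, false);
        }, xml));
        // XMLInputFactory (StAX): the validation flag versus the external-entity switch.
        probe("StAX isValidating=false", () -> staxText(f -> f.setProperty(XMLInputFactory.IS_VALIDATING, false), xml));
        probe("StAX isSupportingExternalEntities=false",
              () -> staxText(f -> f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false), xml));
    }

    /** Runs one configuration and reports whether the marker from the file reached the application. */
    static void probe(String label, Callable<String> parse) {
        try {
            String text = parse.call();
            System.out.println(label + ": " + (text.contains(MARKER) ? "LEAKED file contents" : "not expanded (safe)"));
        } catch (ParserConfigurationException | SAXNotRecognizedException
                 | SAXNotSupportedException | IllegalArgumentException e) {
            // An unsupported feature is NOT protection: the parser silently keeps its defaults.
            System.out.println(label + ": setting not supported by this parser, NO protection (" + e + ")");
        } catch (Exception e) {
            System.out.println(label + ": document rejected (safe): " + e.getClass().getSimpleName());
        }
    }

    static String domText(Config<DocumentBuilderFactory> cfg, String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        cfg.apply(f);
        // getTextContent() descends into EntityReference nodes, so keeping those nodes
        // in the tree (setExpandEntityReferences(false)) changes nothing for the attacker.
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)))
                .getDocumentElement().getTextContent();
    }

    static String saxText(Config<SAXParserFactory> cfg, String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        cfg.apply(f);
        StringBuilder sb = new StringBuilder();
        f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override public void characters(char[] ch, int start, int len) { sb.append(ch, start, len); }
        });
        return sb.toString();
    }

    static String staxText(Config<XMLInputFactory> cfg, String xml) throws Exception {
        XMLInputFactory f = XMLInputFactory.newInstance();
        cfg.apply(f);
        StringBuilder sb = new StringBuilder();
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        while (r.hasNext()) {
            if (r.next() == XMLStreamConstants.CHARACTERS) sb.append(r.getText());
        }
        return sb.toString();
    }
}
```

Compile and run it with `javac XxeSettingsProbe.java && java XxeSettingsProbe`. The two "safe" outcomes are deliberately distinguished: disallow-doctype-decl makes the parser reject the document with a SAXParseException, while external-general-entities=false parses it and yields an empty root. Both are acceptable; a configuration error (the setFeature/setProperty call itself failing) is reported separately because that case leaves the parser at its unsafe defaults, which is exactly what happens with disallow-doctype-decl on Xerces 1.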