With respect, XXE is a massive vulnerability that is turned off by default in Java 8 as well as IBM parsers. Is there any proof or risk model I could provide to convince Xerces to turn this off by default?

I am honestly just a researcher who has watched several folks get brutally hacked because of this. Turning it off by default would make the world a safer place.

Respectfully,
--
Jim Manico
@Manicode
(808) 652-3805

> On Mar 4, 2015, at 8:56 AM, Michael Glavassevich <mrgla...@ca.ibm.com> wrote:
>
> Hi,
>
> There has been some work done on the trunk [1] to make it easier for users
> to protect themselves but it isn't likely to change any defaults. Users
> need to configure XML parsers appropriately for their scenario and there
> are plenty of ways they can do that if they're concerned about XXE.
>
> Thanks.
>
> [1] http://markmail.org/message/cj2ytc62gczbplum
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org
>
> Jim Manico <j...@manico.net> wrote on 02/26/2015 07:38:54 AM:
>
>> Hello,
>>
>> I am a security researcher worried about the threat of XXE in Java
>> parsers.
>>
>> https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
>>
>> Java 8 made the choice to disable External Entities by default and
>> I'd love to see Xerces2 make the same choice. This is a pretty
>> serious risk to be left on by default.
>>
>> Has there been any discussion on this before? Forgive me if I am
>> late to the game here.
>>
>> Aloha,
>> --
>> Jim Manico
>> @Manicode
>> (808) 652-3805
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
>> For additional commands, e-mail: j-users-h...@xerces.apache.org