How can I help? I'm happy to submit a patch if you like... This is a fairly critical security issue and I'm willing to get my hands dirty and help.... code? wash your car? free trips to Hawaii? What do you need?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

> On Mar 4, 2015, at 9:16 AM, Cantor, Scott <canto...@osu.edu> wrote:
>
> On 3/4/15, 5:08 PM, "Jim Manico" <j...@manico.net> wrote:
>
>> With respect, XXE is a massive vulnerability that is turned off by
>> default in Java 8 as well as IBM parsers. Is there any proof or risk
>> model I could provide to convince Xerces to turn this off by default?
>
> +1
>
> And it's not the only unfixed vulnerability in play (per the note I just
> sent).
>
> -- Scott