"Cantor, Scott" <canto...@osu.edu> wrote on 03/04/2015 12:15:02 PM:

> On 3/4/15, 4:56 PM, "Michael Glavassevich" <mrgla...@ca.ibm.com> wrote:
>
> >There has been some work done on the trunk [1] to make it easier for users
> >to protect themselves but it isn't likely to change any defaults. Users
> >need to configure XML parsers appropriately for their scenario and there
> >are plenty of ways they can do that if they're concerned about XXE.
>
> Maybe we were mistaken, but my team's analysis of CVE-2013-4002 that
> addressed an issue in the JDK, and the fix here that was applied to trunk
> but never released, suggested to me that there's no way to configure any
> released version of Xerces safely unless the input document size is
> limited.
>
> This isn't an XXE issue per se, but it seemed relevant to ask since this
> response seems to reinforce the position that no release can be expected.

The defect you're referring to had nothing to do with DTDs or entities.

> -- Scott
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> For additional commands, e-mail: j-users-h...@xerces.apache.org

Michael Glavassevich
XML Technologies and WAS Development
IBM Toronto Lab
E-mail: mrgla...@ca.ibm.com
E-mail: mrgla...@apache.org