I politely disagree. This can only be fixed via parser configuration. It makes sense to turn external entities OFF by default since it's rarely used and does a lot of damage by default. Most XML parsers already default to turning this off. It's almost always a good idea to have safe defaults in software when you can.
Note: IBM has a very expensive product *just* to handle this issue - which would be largely unnecessary if Xerces defaulted to turning external entities off by default.

With respect,
--
Jim Manico
@Manicode
(808) 652-3805

> On Mar 4, 2015, at 8:23 AM, Michael Glavassevich <mrgla...@ca.ibm.com> wrote:
>
> "Cantor, Scott" <canto...@osu.edu> wrote on 03/04/2015 12:16:03 PM:
>
>> From: "Cantor, Scott" <canto...@osu.edu>
>> To: "j-users@xerces.apache.org" <j-users@xerces.apache.org>,
>> Date: 03/04/2015 12:18 PM
>> Subject: Re: Hello and XXE
>>
>> On 3/4/15, 5:08 PM, "Jim Manico" <j...@manico.net> wrote:
>>
>>> With respect, XXE is a massive vulnerability that is turned off by
>>> default in Java 8 as well as IBM parsers. Is there any proof or risk
>>> model I could provide to convince Xerces to turn this off by default?
>>
>> +1
>>
>> And it's not the only unfixed vulnerability in play (per the note I just
>> sent).
>
> -1. XXE is not a vulnerability in the parser. It may be a vulnerability
> for an application/product, but that is the developer's responsibility to
> apply proper configuration to protect themselves in the right context.
>
>> -- Scott
>
> Michael Glavassevich
> XML Technologies and WAS Development
> IBM Toronto Lab
> E-mail: mrgla...@ca.ibm.com
> E-mail: mrgla...@apache.org
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-users-unsubscr...@xerces.apache.org
> For additional commands, e-mail: j-users-h...@xerces.apache.org
> ---------------------------------------------------------------------