Re: StAX Events - registered by default?

2015-03-04 Thread Michael Glavassevich
Hi, Bernd Eckenfels wrote on 03/03/2015 10:27:55 PM: > Hello, > > I noticed that since 2.10 Xerces-J will ship and register > implementations for StAX Event classes. I can see that this is a first > step to provide a full StAX Parser/Serializer. But until then I wonder > what can be done with t

Re: Hello and XXE

2015-03-04 Thread Michael Glavassevich
Hi, There has been some work done on the trunk [1] to make it easier for users to protect themselves but it isn't likely to change any defaults. Users need to configure XML parsers appropriately for their scenario and there are plenty of ways they can do that if they're concerned about XXE. Th

Re: Hello and XXE

2015-03-04 Thread Jim Manico
With respect, XXE is a massive vulnerability that is turned off by default in Java 8 as well as IBM parsers. Is there any proof or risk model I could provide to convince Xerces to turn this off by default? I am honestly just a researcher who has watched several folks get brutally hacked because o

Re: Hello and XXE

2015-03-04 Thread Cantor, Scott
On 3/4/15, 4:56 PM, "Michael Glavassevich" wrote: > >There has been some work done on the trunk [1] to make it easier for >users >to protect themselves but it isn't likely to change any defaults. Users >need to configure XML parsers appropriately for their scenario and there >are plenty of w

Re: Hello and XXE

2015-03-04 Thread Cantor, Scott
On 3/4/15, 5:08 PM, "Jim Manico" wrote: >With respect, XXE is a massive vulnerability that is turned off by >default in Java 8 as well as IBM parsers. Is there any proof or risk >model I could provide to convince Xerces to turn this off by default? +1 And it's not the only unfixed vulnerabi

Re: Hello and XXE

2015-03-04 Thread Jim Manico
How can I help? I'm happy to submit a patch if you like... This is a fairly critical security issue and I'm willing to get my hands dirty and help code? wash your car? free trips to Hawaii? What do you need? Aloha, -- Jim Manico @Manicode (808) 652-3805 > On Mar 4, 2015, at 9:16 AM, Cantor, Sco

Re: Hello and XXE

2015-03-04 Thread Cantor, Scott
On 3/4/15, 5:21 PM, "Jim Manico" wrote: >How can I help? I'm happy to submit a patch if you like... This is a >fairly critical security issue and I'm willing to get my hands dirty and >help code? wash your car? free trips to Hawaii? What do you need? If you're directing that question to me,

Re: Hello and XXE

2015-03-04 Thread Michael Glavassevich
"Cantor, Scott" wrote on 03/04/2015 12:15:02 PM: > On 3/4/15, 4:56 PM, "Michael Glavassevich" wrote: > > > > >There has been some work done on the trunk [1] to make it easier for > >users > >to protect themselves but it isn't likely to change any defaults. Users > >need to configure XML par

Re: Hello and XXE

2015-03-04 Thread Cantor, Scott
On 3/4/15, 6:10 PM, "Michael Glavassevich" wrote: > >The defect you're referring to had nothing to do with DTDs or entities. Which I acknowledged. You still have an unreleased security fix that is *not* a function of "applications configuring the parser correctly". -- Scott

Re: Hello and XXE

2015-03-04 Thread Michael Glavassevich
"Cantor, Scott" wrote on 03/04/2015 12:16:03 PM: > From: "Cantor, Scott" > To: "j-users@xerces.apache.org" , > Date: 03/04/2015 12:18 PM > Subject: Re: Hello and XXE > > On 3/4/15, 5:08 PM, "Jim Manico" wrote: > > > > >With respect, XXE is a massive vulnerability that is turned off by > >

Re: Hello and XXE

2015-03-04 Thread Cantor, Scott
On 3/4/15, 6:23 PM, "Michael Glavassevich" wrote: > >-1. XXE is not a vulnerability in the parser. It may be a vulnerability >for an application/product, but that is the developer's responsibility to >apply proper configuration to protect themselves in the right context. The issue is a trade-

Re: Hello and XXE

2015-03-04 Thread Michael Glavassevich
"Cantor, Scott" wrote on 03/04/2015 01:16:30 PM: > From: "Cantor, Scott" > To: "j-users@xerces.apache.org" , > Date: 03/04/2015 01:19 PM > Subject: Re: Hello and XXE > > On 3/4/15, 6:10 PM, "Michael Glavassevich" wrote: > > > > > >The defect you're referring to had nothing to do with DTDs o

Re: Hello and XXE

2015-03-04 Thread Cantor, Scott
On 3/4/15, 6:34 PM, "Michael Glavassevich" wrote: > >And I was pointing out that it's irrelevant to Jim's concern. I'm betting Jim's concern is with the parser being secure, period, not just in one specific way, but he can speak for himself. >If you're interested in seeing a release which rol

Re: Hello and XXE

2015-03-04 Thread Jim Manico
I politely disagree. This can only be fixed via parser configuration. It makes sense to turn external entities OFF by default since they're rarely used and do a lot of damage by default. Most XML parsers already default to turning this off. It's almost always a good idea to have safe defaults in
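The "parser configuration" both sides of this thread refer to (Michael's "plenty of ways they can do that" and Jim's "this can only be fixed via parser configuration"), shown as an added example that is not code from the thread or from Xerces itself. It builds a JAXP DocumentBuilder with the default settings and one with the SAX/Xerces features that stop external entity resolution, then feeds both a constructed document whose DTD declares an entity pointing at a temp file. The class name, the temp file and its contents are assumptions for the demo; the feature URIs are the standard SAX and Xerces feature names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Added example, not part of the thread or of Xerces: default vs. hardened JAXP configuration.
public class XxeConfigDemo {

    // Constructed attacker document: an external general entity whose SYSTEM id is a file URI.
    // In a real attack this would be a sensitive path, or a URL for out-of-band exfiltration.
    static String xxeDocument(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE data [\n"
             + "  <!ENTITY xxe SYSTEM \"" + fileUri + "\">\n"
             + "]>\n"
             + "<data>&xxe;</data>\n";
    }

    // Factory defaults: external general/parameter entities and external DTDs are resolved.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Hardened: the first feature alone rejects any DOCTYPE and therefore any XXE;
    // the remaining ones are defence in depth for parsers that ignore it.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Returns the element text the parser produced, or the parser's error if it refused the input.
    static String parse(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a secret the attacker wants to read (constructed for the demo).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "secret-value".getBytes(StandardCharsets.UTF_8));
        String doc = xxeDocument(secret.toUri().toString());

        System.out.println("default  -> " + parse(defaultBuilder(), doc));   // contents of the temp file
        System.out.println("hardened -> " + parse(hardenedBuilder(), doc));  // SAXParseException: DOCTYPE is disallowed
        Files.deleteIfExists(secret);
    }
}
```

Which lines the default run resolves depends on the JAXP implementation on the classpath, which is exactly the point of the thread: with a default factory the application inherits whatever the parser ships with. If an application must accept documents that legitimately carry a DTD, drop the disallow-doctype-decl line and keep the two external-*-entities features and load-external-dtd set to false; that still blocks external entity resolution while allowing internal DTDs. Entity expansion bombs are a separate concern, covered here only by FEATURE_SECURE_PROCESSING and the JDK's expansion limits.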

Re: Hello and XXE

2015-03-04 Thread Jim Manico
That's true, Scott. Xerces is a big player in the XML parsing world. I'm just a security activist trying to encourage important libraries like Xerces to use safe defaults when they can. And for XXE, for sure, there is precedent to turn it off by default since it's so dangerous. -- Jim Manico @Ma