2014-03-26 17:34 GMT+04:00 Robert Olofsson <[email protected]>: > Hi! > > I just started an upgrade of our tomcat, 7.0.47, to 7.0.52 and got into a > problem. Tomcat did not want to start our webapp. Looking in the log > I see: > > Mar 26, 2014 2:10:42 PM org.apache.catalina.startup.ContextConfig > parseWebXml > SEVERE: Parse error in application web.xml file at > jndi:/localhost/bios/WEB-INF/web.xml > java.io.FileNotFoundException: Could not resolve XML resource [null] with > public ID > [null], system ID [dpservices.xml] and base URI > [jndi:/localhost/bios/WEB-INF/web.xml] > to a known, local entity. > > Not very helpful! >
It says "dpservices.xml" and "/bios/WEB-INF/web.xml". That is enough for you to locate the problematic file. It says what API is being called. > Looking in our web.xml I find that it starts with: > <?xml version="1.0"?> > <!DOCTYPE web-app [ <!ENTITY service SYSTEM "dpservices.xml">]> > ... > > Checking the directory and the dpservices.xml file is there. > > After a bit of git cloning, git grep:ing and similar I find that: > > "7.0.51:Change default value of |xmlBlockExternal| attribute of Context. > It is |true| now" > > There is no bug referenced so I am not sure why this change was made. > Is there some security problem with external entities that I should know of? > Is there a bug where I can read more? (I can not been able to find anything > specific to this from google). CVE-2013-4590 The option controls whether the XML parser is allowed to access external files such as entities, schemas, DTDs etc. People using such tricks as you are rare. A more often case is typos in schema or DTD URLs. [1] With this option being 'true' the parser fails fast, without trying to contact the external sun/oracle sites. [1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=351040 > Setting xmlBlockExternal="false" in the context makes things start > up as they should again and I can continue with testing the new > version. > > It would be nicer if the parse error also said something like "...external > entities are not allowed, check the xmlBlockExternal context property..." > Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
