On Tue, Aug 11, 2009 at 12:04:00PM -0400, Michael S. Gilbert wrote:
> reassign 540862 libxerces2-java
> thanks
>
> this appears to be a flaw in the xerces xml parser. see previous
> discussion and pdf.
I don't see what you expect Xerces to do here. Since Xerces is not usable in a standalone format with Tomcat (you have to create a servlet that specifically calls Xerces), there's really nothing that Xerces can do. The ability to read entities from the local network may in fact be very useful if the data being parsed are under the server's (i.e., not an attacker's) control. This is a specific case of sanitizing your input data. A servlet parsing untrusted XML probably should use more defensive settings, but that is hardly a bug in Xerces.

AFAICT, all Java XML parsers read DTDs (both internal and external) by default; this has both good and bad aspects, but it is not a security bug. To call it one would be blaming a shared library for resolving external references when the network-facing daemon has failed to instruct it otherwise.

NB: I am not the maintainer, but I do use both Xerces and Tomcat.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187