On Sun, 2007-10-21 at 09:09 -0400, Mark Thomas wrote:
> Rémy Maucherat wrote:
> > Since it's an obvious hacking attempt, I chose to use this method
> > instead:
> >     documentBuilder.setEntityResolver
> >         (new EntityResolver() {
> >             public InputSource resolveEntity(String publicId,
> >                     String systemId)
> >                 throws SAXException, IOException {
> >                 return new InputSource(new StringReader(""));
> >             }
> >         });
> >
> > -> no logging, replace with blank text (I was using an ISE right before
> > instead of an input source, but there's no real justification)
>
> I don't think no logging for an obvious hacking attempt is a good idea.
>
> I also think that there is a slim chance of a legitimate use of an
> entity and in this case the logging gives the administrator a chance
> of working out why something isn't working.

I take it downstreams should run with the first patches to work around
this vulnerability till next release. I already applied the one-liner,
kinda glad I did not apply the other last night ;)

Please advise, thanks.

--
William L. Thomson Jr.
Gentoo/Java
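
The two positions in the quoted exchange can be combined: substitute blank content for every external entity, as in the quoted resolver, and log the request so an administrator can see why an entity came back empty. The following is an added example, not code from this thread or from the project; the class name, logger, and the sample document (with its placeholder path) are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.logging.Logger;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical demo class: not part of the patched code base.
public class LoggingEntityResolverDemo {
    private static final Logger LOG =
            Logger.getLogger(LoggingEntityResolverDemo.class.getName());

    // Builds a parser whose resolver never fetches an external entity:
    // it records the request and substitutes empty content.
    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver((publicId, systemId) -> {
            // Log both identifiers so the request can be traced later.
            LOG.warning("Blocked external entity: publicId=" + publicId
                    + " systemId=" + systemId);
            return new InputSource(new StringReader(""));
        });
        return builder;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample request body; the file path is a placeholder.
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE owner [<!ENTITY ext SYSTEM"
                + " \"file:///placeholder/path\">]>\n"
                + "<owner>&ext;</owner>";
        Document doc = newBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // The entity reference expands to the resolver's empty stream.
        String text = doc.getDocumentElement().getTextContent();
        System.out.println("owner text is empty: " + text.isEmpty());
    }
}
```

Running the class parses the sample without reading the referenced file and writes one warning per blocked entity through `java.util.logging`.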