On Sun, 2007-10-21 at 09:09 -0400, Mark Thomas wrote:
> Rémy Maucherat wrote:
> > Since it's an obvious hacking attempt, I chose to use this method
> > instead:
> > documentBuilder.setEntityResolver
> > (new EntityResolver() {
> > public InputSource resolveEntity(String publicId,
> > String systemId)
> > throws SAXException, IOException {
> > return new InputSource(new StringReader(""));
> > }
> > });
> >
> > -> no logging, replace with blank text (I was using an ISE right before
> > instead of an input source, but there's no real justification)
>
> I don't think no logging for an obvious hacking attempt is a good idea.
>
> I also think that there is a slim chance of a legitimate use of an
> entity and in this case the logging gives the administrator a chance
> of working out why something isn't working.I take it down streams should run with the first patches to work around this vulnerability till next release. I already applied the one liner, kinda glad I did not apply the other last night ;) Please advise, thanks. -- William L. Thomson Jr. Gentoo/Java
signature.asc
Description: This is a digitally signed message part
