[ https://issues.apache.org/jira/browse/UIMA-6064?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16867304#comment-16867304 ]
Timo Boehme commented on UIMA-6064:
-----------------------------------

DISALLOW_DOCTYPE_DECL is the most important one as otherwise using a DTD with includes etc. in descriptors is not possible. Validating against a schema seems not to be needed as the XML parser itself does some checks. Not sure about the TransformerFactory and ACCESS_EXTERNAL_DTD/ACCESS_EXTERNAL_STYLESHEET. At least the possibility to allow for file access could be of interest.

> External DTD usage in XML descriptors disabled during build revision upgrade
> ----------------------------------------------------------------------------
>
>                 Key: UIMA-6064
>                 URL: https://issues.apache.org/jira/browse/UIMA-6064
>             Project: UIMA
>          Issue Type: Bug
>          Components: Core Java Framework
>    Affects Versions: 2.10.2SDK
>            Reporter: Timo Boehme
>            Priority: Major
>
> Between version 2.10.1 and 2.10.2 the XMLParser configuration was changed
> (fixed, without the possibility to adjust it) to not allow for DTD and its
> loading from external file.
> This is done in XMLUtils.createSAXParserFactory() which sets the
> DISALLOW_DOCTYPE_DECL and LOAD_EXTERNAL_DTD feature. Before the
> SAXParserFactory was created without adjusting these features.
> While I understand that this was done to prevent malicious XML from doing
> nasty things, the way it was done is problematic:
> * the change happened in a revision build, no major or minor number change
> * it was not documented
> * one cannot simply change it back like using an environment variable,
> method call etc. - the only workaround is to do a problematic sub-classing of
> XMLParser_impl with additional configuration etc.
> We use the DTDs for CPE descriptors quite a lot to have the descriptor in
> modular chunks using entities etc. Thus it is important (for the time being)
> to use DTD there - and we know that the XML is not problematic.
> Because this feature (DTD) is crucial I have marked this as a BUG since such
> changes should not occur in a build upgrade or it should at least be possible
> to get the old behavior easily back.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
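The thread argues about three parser settings (DISALLOW_DOCTYPE_DECL, LOAD_EXTERNAL_DTD and the JAXP ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET properties) and about giving deployments a way to opt back into local-file DTD access. The following is an added example, not UIMA's code and not how XMLUtils.createSAXParserFactory() is implemented; the class name, the DtdPolicy enum and the idea of exposing the choice as a parameter are assumptions. It spells out what each profile still lets a descriptor do, which is the information a reviewer of such a change needs:

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.SAXException;

/**
 * Hypothetical helper (not part of UIMA) offering three descriptor-parser
 * profiles instead of one hard-coded setting.
 */
public final class DescriptorParserProfiles {

    // Xerces feature URIs behind the DISALLOW_DOCTYPE_DECL / LOAD_EXTERNAL_DTD
    // constants named in the issue, plus the two standard SAX entity features.
    static final String DISALLOW_DOCTYPE_DECL =
            "http://apache.org/xml/features/disallow-doctype-decl";
    static final String LOAD_EXTERNAL_DTD =
            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
    static final String EXTERNAL_GENERAL_ENTITIES =
            "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
            "http://xml.org/sax/features/external-parameter-entities";

    /** Assumed configuration knob: which DTD handling a deployment opts into. */
    public enum DtdPolicy { FORBID, INTERNAL_SUBSET_ONLY, LOCAL_FILES_ONLY }

    private DescriptorParserProfiles() {}

    public static SAXParser newParser(DtdPolicy policy)
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(false);
        // Set first: with secure processing on, the accessExternal* properties
        // default to "" (deny everything) until explicitly overridden below.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        switch (policy) {
            case FORBID: {
                // The 2.10.2 behaviour described in the issue: any <!DOCTYPE> is fatal.
                f.setFeature(DISALLOW_DOCTYPE_DECL, true);
                f.setFeature(LOAD_EXTERNAL_DTD, false);
                f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
                f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
                return f.newSAXParser();
            }
            case INTERNAL_SUBSET_ONLY: {
                // <!DOCTYPE x [ <!ENTITY name "text"> ]> is accepted, but nothing
                // behind a SYSTEM/PUBLIC identifier is fetched: no file reads, no network.
                f.setFeature(DISALLOW_DOCTYPE_DECL, false);
                f.setFeature(LOAD_EXTERNAL_DTD, false);
                f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
                f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
                return f.newSAXParser();
            }
            case LOCAL_FILES_ONLY:
            default: {
                // External DTDs and entity includes are resolved, but only via file:;
                // http:, ftp:, jar: and the rest are refused by the JAXP access property.
                f.setFeature(DISALLOW_DOCTYPE_DECL, false);
                f.setFeature(LOAD_EXTERNAL_DTD, true);
                SAXParser p = f.newSAXParser();
                p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "file");
                p.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
                return p;
            }
        }
    }

    /** TransformerFactory counterpart for the two properties the comment asks about. */
    public static TransformerFactory lockedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");         // "file" would mirror LOCAL_FILES_ONLY
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");  // no remote or local xsl:import/include
        return tf;
    }
}
```

Two caveats for anyone wiring this into a real build: ACCESS_EXTERNAL_DTD = "file" restricts the protocol, not the path, so under LOCAL_FILES_ONLY an external entity can still pull in any file the JVM can read, which is acceptable only where descriptor files are trusted (the reporter's stated situation) and should be documented as such; and a standalone Xerces jar older than the JAXP 1.5 additions does not recognise the accessExternal* properties and throws SAXNotRecognizedException from setProperty, which the caller should let propagate rather than swallow, so a misconfigured deployment fails closed instead of silently running with the parser defaults.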