[ 
https://issues.apache.org/jira/browse/XERCESJ-1644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14106782#comment-14106782
 ] 

David Jorm commented on XERCESJ-1644:
-------------------------------------

I would like to note that this patch would make applications using xerces not 
vulnerable to XXE attacks by default. In recent years, a very large number of 
Java applications have had XXE vulnerabilities, mainly because parsers are 
vulnerable by default, and documentation explaining how to address XXE has been 
incomplete and inconsistent. It may be argued that disabling doctype 
declarations and entities by default could break some applications that rely on 
this functionality. I think this concern is outweighed by the security benefit 
that this patch would introduce.

> RFE: Allow global enabling/disabling of features with secure defaults
> ---------------------------------------------------------------------
>
>                 Key: XERCESJ-1644
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1644
>             Project: Xerces2-J
>          Issue Type: Improvement
>          Components: JAXP (javax.xml.parsers)
>    Affects Versions: 2.11.0
>            Reporter: Arun Babu Neelicattu
>         Attachments: XERCESJ-1644.patch
>
>
> It would be useful to be able to enable and disable features using a global 
> configuration, either by using system properties or a property file or both.
> Possible usage via system properties:
> {noformat}
> -Dorg.apache.xerces.jaxp.features.enable=http://apache.org/xml/features/disallow-doctype-decl
> -Dorg.apache.xerces.jaxp.features.disable=http://xml.org/sax/features/external-general-entities,http://xml.org/sax/features/external-parameter-entities
> {noformat}
> Is this something that can be added?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
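As an added illustration, not code from the issue or the Xerces project: a JAXP DocumentBuilderFactory hardened with the three feature URIs the issue names, plus a small helper that applies the proposed enable/disable system properties. The property names are taken from the RFE and are hypothetical (Xerces 2.11.0 does not read them), and the sample document with an external entity is constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SecureDefaults {
    // Feature URIs named in the issue description.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Hypothetical property names from the RFE; Xerces does not read them,
    // so this helper applies them itself (comma-separated feature URIs).
    static final String ENABLE_PROP = "org.apache.xerces.jaxp.features.enable";
    static final String DISABLE_PROP = "org.apache.xerces.jaxp.features.disable";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Secure defaults: refuse any DOCTYPE, and keep external entities off
        // as defence in depth should a deployment re-enable DOCTYPEs.
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAMETER, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Global overrides from the (hypothetical) system properties, if set.
        applyGlobal(f, System.getProperty(ENABLE_PROP), true);
        applyGlobal(f, System.getProperty(DISABLE_PROP), false);
        return f;
    }

    private static void applyGlobal(DocumentBuilderFactory f, String list, boolean value)
            throws ParserConfigurationException {
        if (list == null) return;
        for (String uri : list.split(",")) {
            if (!uri.trim().isEmpty()) f.setFeature(uri.trim(), value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a DOCTYPE declaring an external entity (placeholder URI).
        String xml = "<?xml version=\"1.0\"?><!DOCTYPE d [<!ENTITY x SYSTEM \"file:///placeholder\">]><d>&x;</d>";
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        try {
            Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed: " + doc.getDocumentElement().getTextContent());
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage()); // DOCTYPE is disallowed
        }
    }
}
```

Run with `-Dorg.apache.xerces.jaxp.features.enable=...` or `...disable=...` to see the proposed global lists applied on top of the hardened defaults.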
