The secure processing feature in Xerces guards against two well-known denial of service attacks. See implementation details here: https://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html. Reading external entities is a different concern and can be managed with other XML parser configuration (e.g. an EntityResolver).
-----Original Message-----
From: Joseph Kessselman <[email protected]>
Sent: August 22, 2025 4:42 PM
To: [email protected]
Subject: [EXTERNAL] Re: Question about secure processing

When I replaced the URI in the DTD External Entity reference with a legitimate one (pointing to a stub server on my own machine), I did get complaints about HTML protocol not being correct ... so apparently this is at least trying to open the URI. If it's actually reading the entity, that could be the basis for a DOS attack, if nothing else.

We *should* be running with the secure flag set. I can try debuggerizing to confirm.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
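The split the reply draws, secure processing for the expansion limits and separate configuration for external entities, as an added Java example (not code from this thread, from Xerces, or from either poster). It turns on FEATURE_SECURE_PROCESSING, which on Xerces installs the SecurityManager limits, and then refuses external entities twice over: the standard SAX external-entity features are switched off, and an EntityResolver that never fetches is installed as a backstop. The two sample documents and the stub URL http://127.0.0.1:8000/stub are constructed for the example; the hardened parse never connects to that address. It assumes DocumentBuilderFactory.newInstance() resolves to Apache Xerces or the JDK's bundled copy, both of which recognise these feature URIs.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XercesHardening {

    // Constructed sample: a DTD general entity whose SYSTEM id points at an
    // assumed stub server (the host/port are an assumption for the example).
    static final String EXTERNAL_ENTITY_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [\n"
      + "  <!ENTITY ext SYSTEM \"http://127.0.0.1:8000/stub\">\n"
      + "]>\n"
      + "<doc>&ext;</doc>";

    // Constructed sample: nested internal entities. &g; expands to roughly a
    // million entity references, far past any default entity expansion limit.
    static final String EXPANSION_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [\n"
      + "  <!ENTITY a \"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\">\n"
      + "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
      + "  <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n"
      + "  <!ENTITY d \"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;\">\n"
      + "  <!ENTITY e \"&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;\">\n"
      + "  <!ENTITY f \"&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;\">\n"
      + "  <!ENTITY g \"&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;\">\n"
      + "]>\n"
      + "<doc>&g;</doc>";

    /** Secure processing for the DoS limits, plus explicit refusal of external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Entity expansion / maxOccurs limits (Xerces SecurityManager). This alone
        // does NOT stop the parser from opening external entity URIs.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // External entities are a separate concern: turn the SAX features off so
        // external general/parameter entities are skipped, not fetched.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    /**
     * Backstop resolver: anything the parser still asks for resolves to an empty
     * entity, so no network or file I/O happens regardless of factory settings.
     */
    static final EntityResolver NO_FETCH_RESOLVER = (String publicId, String systemId) ->
        new InputSource(new StringReader(""));

    /** Parses xml with the given factory and returns the root element's text. */
    static String parseText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver(NO_FETCH_RESOLVER);
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory hardened = hardenedFactory();

        // 1. External entity: the reference is skipped (features off) and, if any
        //    path still consulted the resolver, it would get an empty entity. No
        //    connection to 127.0.0.1:8000 is attempted; the element text is empty.
        String text = parseText(hardened, EXTERNAL_ENTITY_DOC);
        System.out.println("external entity text: '" + text + "' (length " + text.length() + ")");

        // 2. Entity expansion: secure processing makes the parser abort with a
        //    fatal error before the nested entities are materialised.
        try {
            parseText(hardened, EXPANSION_DOC);
            System.out.println("expansion was NOT limited");
        } catch (SAXParseException e) {
            System.out.println("expansion rejected: " + e.getMessage());
        }
    }
}
```

The point of the two layers is the one made in the reply: FEATURE_SECURE_PROCESSING only bounds entity expansion and maxOccurs, so a factory with just that feature set will still call out to the URI in a SYSTEM entity. If a parser instance comes from code you do not control, installing NO_FETCH_RESOLVER on the DocumentBuilder still prevents the fetch, because the resolver is consulted before any external resource is opened.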
