Hi, I've read the following article describing the so-called "XML bomb":
http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302558&psrc=CLT_92

Now I'm asking myself if my XMLBeans based code is vulnerable. After writing a simple test the answer is "definitely yes": an OutOfMemoryError arises when parsing the following XML:

  <?xml version='1.0'?>
  <!DOCTYPE versions [
    <!ENTITY x0 'xml-entity-bomb'>
    <!ENTITY x1 '&x0;&x0;&x0;&x0;'>
    <!ENTITY x2 '&x1;&x1;&x1;&x1;'>
    <!ENTITY x3 '&x2;&x2;&x2;&x2;'>
    <!ENTITY x4 '&x3;&x3;&x3;&x3;'>
    <!ENTITY x5 '&x4;&x4;&x4;&x4;'>
    <!ENTITY x6 '&x5;&x5;&x5;&x5;'>
    <!ENTITY x7 '&x6;&x6;&x6;&x6;'>
    <!ENTITY x8 '&x7;&x7;&x7;&x7;'>
    <!ENTITY x9 '&x8;&x8;&x8;&x8;'>
    <!ENTITY x10 '&x9;&x9;&x9;&x9;'>
  ]>
  <versions xmlns='urn:ietf:params:xml:ns:iris-transport'>
    <transferProtocol protocolId='iris.lwz1'>
      <application protocolId='urn:ietf:params:xml:ns:iris1'>
        <dataModel protocolId='&x10;' />
      </application>
    </transferProtocol>
  </versions>

The next question is how to prevent it. Any recommendations?

Thanks and regards
Christian

PS: I've also read the XMLBeans Javadoc stating "By default, XmlBeans does not resolve entities when parsing xml documents (unless an explicit entity resolver is specified)."
http://xmlbeans.apache.org/docs/2.4.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()
I have not set any kind of entity resolver, so this seems to contradict my experiences ... what's going wrong here?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
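As an added illustration (not part of the post above, and not XMLBeans code), the following Python script shows why the document in the post exhausts memory and how a defender can screen for it before handing input to a parser. It statically reads the internal DTD subset, computes the fully expanded size of every general entity without ever building the expanded string, and refuses documents whose expansion exceeds a byte budget. With the post's DTD, `x10` expands to 4^10 copies of the 15-byte literal, i.e. 15,728,640 bytes from a five-byte reference. The regexes, the `max_expansion` budget and the sample documents are assumptions made for this example; it deliberately ignores parameter entities and external entities and is a pre-parse screen, not a replacement for hardening the parser itself (disabling DOCTYPE processing or capping entity expansion in the underlying SAX/StAX parser remains the primary control).

```python
import re
from typing import Dict, Tuple

# Constructed input: the same internal DTD subset and body as in the mailing-list post.
BOMB = """<?xml version='1.0'?>
<!DOCTYPE versions [
 <!ENTITY x0 'xml-entity-bomb'>
 <!ENTITY x1 '&x0;&x0;&x0;&x0;'>
 <!ENTITY x2 '&x1;&x1;&x1;&x1;'>
 <!ENTITY x3 '&x2;&x2;&x2;&x2;'>
 <!ENTITY x4 '&x3;&x3;&x3;&x3;'>
 <!ENTITY x5 '&x4;&x4;&x4;&x4;'>
 <!ENTITY x6 '&x5;&x5;&x5;&x5;'>
 <!ENTITY x7 '&x6;&x6;&x6;&x6;'>
 <!ENTITY x8 '&x7;&x7;&x7;&x7;'>
 <!ENTITY x9 '&x8;&x8;&x8;&x8;'>
 <!ENTITY x10 '&x9;&x9;&x9;&x9;'>
]>
<versions xmlns='urn:ietf:params:xml:ns:iris-transport'>
 <transferProtocol protocolId='iris.lwz1'>
  <application protocolId='urn:ietf:params:xml:ns:iris1'>
   <dataModel protocolId='&x10;' />
  </application>
 </transferProtocol>
</versions>"""

# Constructed benign document: one small entity referenced twice.
BENIGN = """<?xml version='1.0'?>
<!DOCTYPE note [
 <!ENTITY company 'Example Corp'>
]>
<note>&company; welcomes you to &company;.</note>"""

# Assumed, simplified grammar: internal subset, quoted general-entity declarations, references.
# Parameter entities (<!ENTITY % ...>) and external entities (SYSTEM/PUBLIC) do not match and are ignored.
INTERNAL_SUBSET = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
ENTITY_DECL = re.compile(r"<!ENTITY\s+([\w.\-]+)\s+(['\"])(.*?)\2\s*>", re.S)
ENTITY_REF = re.compile(r"&([\w.\-]+);")
PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}  # each expands to a single character


def entity_size(name: str, entities: Dict[str, str], memo: Dict[str, int],
                stack: Tuple[str, ...]) -> int:
    """Fully expanded length of one entity, computed recursively with memoisation."""
    if name in PREDEFINED:
        return 1
    if name not in entities:
        return len(name) + 2  # undeclared: count the reference text literally
    if name in memo:
        return memo[name]
    if name in stack:
        # XML forbids recursive entities; a conforming parser rejects them too.
        raise ValueError(f"recursive entity reference: {' -> '.join(stack + (name,))}")
    memo[name] = expanded_length(entities[name], entities, memo, stack + (name,))
    return memo[name]


def expanded_length(text: str, entities: Dict[str, str], memo: Dict[str, int],
                    stack: Tuple[str, ...] = ()) -> int:
    """Length of `text` after every entity reference in it is expanded, without expanding it."""
    size, last = 0, 0
    for ref in ENTITY_REF.finditer(text):
        size += ref.start() - last                      # literal text before the reference
        size += entity_size(ref.group(1), entities, memo, stack)
        last = ref.end()
    return size + len(text) - last                      # trailing literal text


def check_entity_expansion(xml_text: str, max_expansion: int = 1_000_000) -> dict:
    """Estimate expansion cost of a document and flag it if any entity or the body exceeds the budget."""
    m = INTERNAL_SUBSET.search(xml_text)
    entities = {name: value for name, _q, value in ENTITY_DECL.findall(m.group(1))} if m else {}
    body = xml_text[m.end():] if m else xml_text
    memo: Dict[str, int] = {}
    for name in entities:
        entity_size(name, entities, memo, ())
    body_len = expanded_length(body, entities, memo)
    largest = max(memo.items(), key=lambda kv: kv[1], default=(None, 0))
    return {
        "entities": len(entities),
        "largest": largest,                 # (entity name, expanded bytes)
        "expanded_body": body_len,          # bytes the parser would materialise for the body
        "safe": body_len <= max_expansion and largest[1] <= max_expansion,
    }


if __name__ == "__main__":
    for label, doc in (("bomb", BOMB), ("benign", BENIGN)):
        print(label, check_entity_expansion(doc))
```

Running the script reports the bomb as unsafe (largest entity `x10` at 15,728,640 bytes, body expansion just above that) and the benign document as safe, while the raw bomb is under 1 KB on disk; that size ratio is the property a pre-parse screen or a parser-level expansion cap has to bound.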

