If you explicitly deprecate DTD and use schema, you will be fine...
----- Original Message ----- From: "Christian Möller" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Tuesday, December 02, 2008 4:31 AM
Subject: Question regarding suggested way to prevent XML bomb


Hi,

I've read the following article describing the so called "XML bomb":

http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302558&psrc=CLT_92

Now I'm asking myself if my XMLBeans based code is vulnerable. After
writing a simple test the answer is "definitely yes": an OutOfMemoryError
arises when parsing the following XML:

<?xml version='1.0'?>
<!DOCTYPE versions [
<!ENTITY x0 'xml-entity-bomb'>
<!ENTITY x1 '&x0;&x0;&x0;&x0;'>
<!ENTITY x2 '&x1;&x1;&x1;&x1;'>
<!ENTITY x3 '&x2;&x2;&x2;&x2;'>
<!ENTITY x4 '&x3;&x3;&x3;&x3;'>
<!ENTITY x5 '&x4;&x4;&x4;&x4;'>
<!ENTITY x6 '&x5;&x5;&x5;&x5;'>
<!ENTITY x7 '&x6;&x6;&x6;&x6;'>
<!ENTITY x8 '&x7;&x7;&x7;&x7;'>
<!ENTITY x9 '&x8;&x8;&x8;&x8;'>
<!ENTITY x10 '&x9;&x9;&x9;&x9;'>
]>
<versions xmlns='urn:ietf:params:xml:ns:iris-transport'>
 <transferProtocol protocolId='iris.lwz1'>
   <application protocolId='urn:ietf:params:xml:ns:iris1'>
     <dataModel protocolId='&x10;' />
   </application>
 </transferProtocol>
</versions>

The next question is how to prevent it. Any recommendations?

Thanks and regards

Christian


PS: I've also read the XMLBeans Javadoc stating "By default, XmlBeans
does not resolve entities when parsing xml documents (unless an explicit
entity resolver is specified)."

http://xmlbeans.apache.org/docs/2.4.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()

I have not set any kind of entity resolver, so this seems to
contradict my experience ... what's going wrong here?

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
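Added example, not code from either message in this thread and not part of XMLBeans itself. The suggestion above is to refuse the DTD altogether; with XMLBeans 2.x that can be done by handing the loader a SAX XMLReader that has been configured to reject any DOCTYPE, via XmlOptions.setLoadUseXMLReader. Two points to keep in mind: a SAX EntityResolver is only consulted for external entities, while the entities in the sample document are internal and are expanded by the parser itself, so an absent resolver does not stop the expansion; and the feature URIs below are the standard SAX and Xerces ones honoured by the JDK's built-in parser. Assumptions: the class name, the shortened constructed sample document, and that the parser's rejection surfaces to the caller as XmlException.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public class HardenedXmlBeansLoad {

    // Constructed sample: the same shape as the document in the thread, cut
    // down to a depth that is harmless, so it only exercises the DOCTYPE check.
    static final String BOMB =
        "<?xml version='1.0'?>\n"
      + "<!DOCTYPE versions [\n"
      + "<!ENTITY x0 'xml-entity-bomb'>\n"
      + "<!ENTITY x1 '&x0;&x0;&x0;&x0;'>\n"
      + "]>\n"
      + "<versions xmlns='urn:ietf:params:xml:ns:iris-transport'>\n"
      + "  <transferProtocol protocolId='&x1;'/>\n"
      + "</versions>";

    /** A SAX reader that refuses any DOCTYPE, so no entities can be declared at all. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Xerces feature: a DOCTYPE declaration is a fatal error. This alone
        // defeats internal entity expansion attacks and XXE.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the feature above is unsupported by another parser:
        // never fetch external entities, and enable the JAXP entity-expansion limit.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newSAXParser().getXMLReader();
    }

    /** Parse with XMLBeans, but through the hardened SAX reader instead of the default parser. */
    static XmlObject load(String xml) throws Exception {
        XmlOptions options = new XmlOptions();
        options.setLoadUseXMLReader(hardenedReader());
        return XmlObject.Factory.parse(new StringReader(xml), options);
    }

    public static void main(String[] args) throws Exception {
        try {
            load(BOMB);
            System.out.println("parsed: the DOCTYPE was NOT rejected, check parser features");
        } catch (XmlException e) {
            // Expected path: the parser stops at the DOCTYPE before any entity is expanded.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

If a schema-validating application must accept documents that legitimately carry a DOCTYPE, the disallow-doctype-decl feature cannot be used; in that case keep the external-entity features off, keep secure processing on, and rely on the entity-expansion limit rather than on the absence of an EntityResolver.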
