Yes, the question is how to disable DTDs. I have looked a bit through Piccolo's 
source code and haven't found a way. If anyone knows of how to do it for a 
particular parser and could post the info, that would be great. Then, 
Christian, you can use that particular parser with XMLBeans and you will be 
fine.

To answer your JavaDoc question, it is a little bit confusing but that sentence 
doesn't refer to "XML entities" but "entities in the sense of EntityResolver" 
meaning documents accessible by source/public id (such as external DTDs for 
example). Those are indeed disabled by default, but this is not relevant for 
your concern (it is relevant if you are worried about someone inserting 
something in a message sent to you that makes your server ping his/her server 
while processing the message).

Radu 
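One way to do what the reply above asks for, added here as an example and not code from the thread, from XMLBeans or from Piccolo: the JDK's bundled Xerces parser honours the `disallow-doctype-decl` feature, which rejects any DOCTYPE before a single entity is declared, and `XmlOptions.setLoadUseXMLReader` hands that reader to XMLBeans. The class name `SafeXmlBeansParse` and the two sample documents are constructed for this example.

```java
import javax.xml.parsers.SAXParserFactory;

import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public class SafeXmlBeansParse {

    // Xerces feature: the parser refuses any <!DOCTYPE ...> declaration.
    // No DTD means no entity declarations, so the expansion chain cannot start.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true); // XMLBeans needs a namespace-aware reader
        XMLReader reader = f.newSAXParser().getXMLReader();
        reader.setFeature(DISALLOW_DOCTYPE, true);
        // Belt and braces: never fetch external entities either.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return reader;
    }

    // Parse with XMLBeans, but through the hardened SAX reader.
    static XmlObject parse(String xml) throws Exception {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());
        return XmlObject.Factory.parse(xml, opts);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a document carrying a DOCTYPE with one entity.
        String withDoctype =
            "<?xml version='1.0'?>\n"
          + "<!DOCTYPE versions [ <!ENTITY x0 'xml-entity-bomb'> ]>\n"
          + "<versions>&x0;</versions>";
        try {
            parse(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (XmlException e) {
            // Rejected at the DOCTYPE, before any entity is expanded.
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // A document without a DTD still parses normally.
        XmlObject ok = parse("<versions><transferProtocol protocolId='iris.lwz1'/></versions>");
        System.out.println("parsed: " + ok.xmlText());
    }
}
```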

> -----Original Message-----
> From: jimmy Zhang [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 02, 2008 1:57 PM
> To: [email protected]
> Subject: Re: Question regarding suggested way to prevent XML bomb
> 
> if u explicitly deprecate DTD and use schema, you will be fine...
> ----- Original Message -----
> From: "Christian Möller" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Tuesday, December 02, 2008 4:31 AM
> Subject: Question regarding suggested way to prevent XML bomb
> 
> 
> > Hi,
> >
> > I've read the following article describing the so called "XML bomb":
> >
> > http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302558&psrc=CLT_92
> >
> > Now I'm asking myself if my XMLBeans based code is vulnerable. After
> > writing a simple test the answer is "definitely yes", OutOfMemoryError
> > arises when parsing the following XML:
> >
> > <?xml version='1.0'?>
> > <!DOCTYPE versions [
> > <!ENTITY x0 'xml-entity-bomb'>
> > <!ENTITY x1 '&x0;&x0;&x0;&x0;'>
> > <!ENTITY x2 '&x1;&x1;&x1;&x1;'>
> > <!ENTITY x3 '&x2;&x2;&x2;&x2;'>
> > <!ENTITY x4 '&x3;&x3;&x3;&x3;'>
> > <!ENTITY x5 '&x4;&x4;&x4;&x4;'>
> > <!ENTITY x6 '&x5;&x5;&x5;&x5;'>
> > <!ENTITY x7 '&x6;&x6;&x6;&x6;'>
> > <!ENTITY x8 '&x7;&x7;&x7;&x7;'>
> > <!ENTITY x9 '&x8;&x8;&x8;&x8;'>
> > <!ENTITY x10 '&x9;&x9;&x9;&x9;'>
> > ]>
> > <versions xmlns='urn:ietf:params:xml:ns:iris-transport'>
> >  <transferProtocol protocolId='iris.lwz1'>
> >    <application protocolId='urn:ietf:params:xml:ns:iris1'>
> >      <dataModel protocolId='&x10;' />
> >    </application>
> >  </transferProtocol>
> > </versions>
> >
> > The next question is how to prevent it. Any recommendations?
> >
> > Thanks and regards
> >
> > Christian
> >
> >
> > PS: I've also read the XMLBeans Javadoc stating "By default, XmlBeans
> > does not resolve entities when parsing xml documents (unless an
> > explicit entity resolver is specified)."
> >
> > http://xmlbeans.apache.org/docs/2.4.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()
> >
> > I have not set any kind of entity resolver, so this seems to
> > contradict my experiences ... what's going wrong here?
> >
> > 
> ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >

