Radu Preotiuc-Pietro schrieb:
> Yes, the question is how to disable DTDs. I have looked a bit through
> Piccolo's source code and haven't found a way. If anyone knows of how to do
> it for a particular parser and could post the info, that would be great.
> Then, Christian, you can use that particular parser with XMLBeans and you
> will be fine.
Hi Radu,
I've found a kind of solution by setting an XMLReader explicitly via an
XmlOptions instance and providing an appropriate instance of Xerces'
SecurityManager like this:
----------------------------------------------------
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;
import com.sun.org.apache.xerces.internal.util.SecurityManager;
...
SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
// Xerces' SecurityManager caps how many entity expansions one document may trigger
SecurityManager securityManager = new SecurityManager();
// Default seems to be 64000!
securityManager.setEntityExpansionLimit(16);
// Hand the SecurityManager to the parser via Xerces' security-manager property
saxParser.setProperty("http://apache.org/xml/properties/security-manager",
        securityManager);
// System.out.println("Parser: " + saxParser);
// XMLBeans will use this reader instead of its built-in Piccolo parser
final XMLReader xmlReader = saxParser.getXMLReader();
final XmlOptions xmlOptions = new XmlOptions().setLoadUseXMLReader(xmlReader);
----------------------------------------------------
Using that XmlOptions instance as a parameter to
VersionsDocument.Factory.parse(someReader, xmlOptions)
I get this exception:
----------------------------------------------------
org.apache.xmlbeans.XmlException: error: The parser has encountered more
than "16" entity expansions in this document; this is the limit imposed
by the application.
        at org.apache.xmlbeans.impl.store.Locale$SaxLoader.load(Locale.java:3486)
        at org.apache.xmlbeans.impl.store.Locale.parseToXmlObject(Locale.java:1329)
        at org.apache.xmlbeans.impl.store.Locale.parseToXmlObject(Locale.java:1316)
        at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderBase.parse(SchemaTypeLoaderBase.java:360)
[...]
----------------------------------------------------
You will find explanations regarding Xerces' SecurityManager here:
- http://xerces.apache.org/xerces2-j/properties.html
- http://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html
This way you should not be vulnerable to the XML bomb anymore, but
unfortunately you won't get your XML parsed :-)
Christian
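The thread discusses two mitigations: Christian's expansion limit via Xerces' SecurityManager, and Jimmy's suggestion to drop DTDs altogether. The following is an added example, not code from the thread or from the XMLBeans project, showing the second approach end to end: a SAX reader that refuses any DOCTYPE (so there is nothing to expand and no limit to tune), handed to XMLBeans through XmlOptions.setLoadUseXMLReader, then exercised against a small constructed entity bomb and a benign document. It also answers the PS in the original question: the "does not resolve entities" Javadoc text concerns the SAX EntityResolver, which is only consulted for external entities; the bomb uses internal entities, which the underlying parser expands regardless of any resolver. The class name, method names and the two sample documents are this example's own.

```java
import java.io.Reader;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

/**
 * Added example (not from the original thread): give XMLBeans an XMLReader
 * that rejects DOCTYPE declarations, so an entity bomb fails before any
 * entity is expanded. Names in this class are the example's own.
 */
public class HardenedXmlBeansParsing {

    /** Constructed input, same shape as the bomb posted in the thread but only 4 levels deep. */
    static final String ENTITY_BOMB =
          "<?xml version='1.0'?>\n"
        + "<!DOCTYPE versions [\n"
        + " <!ENTITY x0 'xml-entity-bomb'>\n"
        + " <!ENTITY x1 '&x0;&x0;&x0;&x0;'>\n"
        + " <!ENTITY x2 '&x1;&x1;&x1;&x1;'>\n"
        + " <!ENTITY x3 '&x2;&x2;&x2;&x2;'>\n"
        + "]>\n"
        + "<versions><dataModel protocolId='&x3;'/></versions>\n";

    /** Constructed benign input with no DTD; this one must still parse. */
    static final String BENIGN =
        "<?xml version='1.0'?><versions><dataModel protocolId='iris1'/></versions>";

    /**
     * SAX reader with DTDs disallowed outright. The remaining features are
     * defence in depth for parsers that do not honour disallow-doctype-decl:
     * no external general/parameter entities and no external DTD loading.
     */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        SAXParser parser = factory.newSAXParser();
        return parser.getXMLReader();
    }

    /** Parses with XMLBeans using the hardened reader instead of the built-in parser. */
    static XmlObject parse(String xml) throws Exception {
        XmlOptions options = new XmlOptions().setLoadUseXMLReader(hardenedReader());
        Reader in = new StringReader(xml);
        return XmlObject.Factory.parse(in, options);
    }

    public static void main(String[] args) throws Exception {
        // Benign document: parses normally.
        XmlObject ok = parse(BENIGN);
        System.out.println("benign parsed: " + (ok != null));

        // Bomb: the reader raises a fatal error on the DOCTYPE and XMLBeans
        // wraps it in XmlException, before a single entity is expanded.
        try {
            parse(ENTITY_BOMB);
            System.out.println("UNEXPECTED: bomb was parsed");
        } catch (XmlException e) {
            System.out.println("bomb rejected: " + e.getMessage());
        }
    }
}
```

Use this variant whenever the application has no legitimate need for DTDs, which is the usual case for schema-described documents like the one in the thread. Where a DTD must be accepted, Christian's expansion limit is the fallback; note that his snippet reaches into the JDK-internal com.sun.org.apache.xerces.internal package, which later JDKs do not export. From JDK 7u45 onward the same limit is exposed as the jdk.xml.entityExpansionLimit system property (the 64000 default he observed), so the limit can be lowered without binding to internal classes.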
>> -----Original Message-----
>> From: jimmy Zhang [mailto:[EMAIL PROTECTED]
>> Sent: Tuesday, December 02, 2008 1:57 PM
>> To: [email protected]
>> Subject: Re: Question regarding suggested way to prevent XML bomb
>>
>> if you explicitly deprecate DTD and use schema, you will be fine...
>> ----- Original Message -----
>> From: "Christian Möller" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Tuesday, December 02, 2008 4:31 AM
>> Subject: Question regarding suggested way to prevent XML bomb
>>
>>
>>> Hi,
>>>
>>> I've read the following article describing the so called "XML bomb":
>>>
>>> http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302558&psrc=CLT_92
>>>
>>> Now I'm asking myself if my XMLBeans based code is vulnerable. After
>>> writing a simple test the answer is "definitely yes": an OutOfMemoryError
>>> arises when parsing the following XML:
>>>
>>> <?xml version='1.0'?>
>>> <!DOCTYPE versions [
>>> <!ENTITY x0 'xml-entity-bomb'>
>>> <!ENTITY x1 '&x0;&x0;&x0;&x0;'>
>>> <!ENTITY x2 '&x1;&x1;&x1;&x1;'>
>>> <!ENTITY x3 '&x2;&x2;&x2;&x2;'>
>>> <!ENTITY x4 '&x3;&x3;&x3;&x3;'>
>>> <!ENTITY x5 '&x4;&x4;&x4;&x4;'>
>>> <!ENTITY x6 '&x5;&x5;&x5;&x5;'>
>>> <!ENTITY x7 '&x6;&x6;&x6;&x6;'>
>>> <!ENTITY x8 '&x7;&x7;&x7;&x7;'>
>>> <!ENTITY x9 '&x8;&x8;&x8;&x8;'>
>>> <!ENTITY x10 '&x9;&x9;&x9;&x9;'>
>>> ]>
>>> <versions xmlns='urn:ietf:params:xml:ns:iris-transport'>
>>> <transferProtocol protocolId='iris.lwz1'>
>>> <application protocolId='urn:ietf:params:xml:ns:iris1'>
>>> <dataModel protocolId='&x10;' />
>>> </application>
>>> </transferProtocol>
>>> </versions>
>>>
>>> The next question is how to prevent it. Any recommendations?
>>>
>>> Thanks and regards
>>>
>>> Christian
>>>
>>>
>>> PS: I've also read the XMLBeans Javadoc stating "By default, XmlBeans
>>> does not resolve entities when parsing xml documents (unless an
>>> explicit entity resolver is specified)."
>>>
>>> http://xmlbeans.apache.org/docs/2.4.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()
>>>
>>> I have not set any kind of entity resolver, so this seems to
>>> contradict my experiences ... what's going wrong here?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]