Re: centralizing security-related features. I came to think that because there could be security issues involved with many XML features, it might make sense to define one security_features object that would then provide an interface for enabling/disabling the various features.
The advantage of this approach, versus using multiple features, is that the application developer would have a lot easier time determining which of his/her applications are taking advantage of security features and which aren't. Centralizing the management of security-related features into one object would make it easy to check your code and determine where security is implemented, and then whether it is implemented correctly. Using the piecemeal approach, one would have to look for all of the separate features in various source files. The job of finding information about such features will immediately become a problem after there is more than one such feature. Anyway, just my two cents' worth.

Troy

Troy Korjuslommi
Tksoft Inc.
[EMAIL PROTECTED]

> The next version of Xerces-J will include a parser feature that will
> turn off DOCTYPE processing. When activated, this feature will
> prevent the entity expansion that causes this vulnerability. The Axis
> team will be able to use this feature to close the hole.
>
> The URI for the parser feature will be
> "http://apache.org/xml/features/disallow-doctype-decl"
>
> Ted
>
> ----- Original Message -----
> From: "Ben Laurie" <[EMAIL PROTECTED]>
> To: "Ted Leung" <[EMAIL PROTECTED]>
> Sent: Wednesday, November 27, 2002 3:37 AM
> Subject: [Fwd: Security Alert - Xerces]
>
> > Here ya go. Please keep security@ copied on any followups...
> >
> > Cheers,
> >
> > Ben.
> >
> > --
> > http://www.apache-ssl.org/ben.html http://www.thebunker.net/
> >
> > "There is no limit to what a man can do or how far he can go if he
> > doesn't mind who gets the credit." - Robert Woodruff
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
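Added example, not code from this thread, from Xerces-J or from Axis: it puts the Xerces feature Ted names, "http://apache.org/xml/features/disallow-doctype-decl", behind the kind of single configuration object Troy proposes, and then feeds a constructed entity-expansion document through it to show the DOCTYPE being rejected before any expansion happens. It assumes a JAXP parser backed by Xerces (the parser bundled with the JDK is one), which honours that feature URI; the class name SecureXmlParsers, the sample documents and the expected outcome are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * One place where XML parser hardening is configured, so a code review only has
 * to look here to see which protections are on (hypothetical class for this example).
 */
public final class SecureXmlParsers {
    // Xerces feature URI from Ted's message; a Xerces-backed JAXP parser honours it.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    private SecureXmlParsers() {}

    /** Builder that refuses any DOCTYPE, so no entity declaration can ever be expanded. */
    public static DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // A parser that does not know this feature throws ParserConfigurationException
        // here, which fails closed rather than silently parsing DOCTYPEs.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        return factory.newDocumentBuilder();
    }

    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Constructed sample inputs (not taken from the thread).
    static final String BENIGN =
        "<?xml version=\"1.0\"?><order><item>widget</item></order>";

    // Classic nested-entity expansion: each level references the previous one ten times.
    static final String ENTITY_BOMB =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>";

    public static void main(String[] args) throws Exception {
        // Documents without a DOCTYPE parse normally.
        System.out.println("benign root: " + parse(BENIGN).getDocumentElement().getTagName());

        // The DOCTYPE itself is rejected, so the entity definitions are never read,
        // let alone expanded. SAXParseException is a SAXException.
        try {
            parse(ENTITY_BOMB);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Two caveats a practitioner would want: the feature rejects every DOCTYPE, including a harmless one that only references a local DTD, so callers that legitimately need DTDs cannot use this builder and must be handled separately; and routing all parser construction through one class only helps if nothing else in the code base calls DocumentBuilderFactory.newInstance() directly, which is exactly the audit Troy describes wanting to make easy.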
