Hi Elliotte,

Rejecting DOCTYPEs isn't just unnecessarily harsh, it's also incomplete. See documentation for the new security manager property (http://apache.org/xml/properties/security-manager) [1], and the javadoc for the org.apache.xerces.util.SecurityManager class.

Cheers,
Neil

[1]: http://xml.apache.org/xerces2-j/properties.html

Neil Graham
XML Parser Development
IBM Toronto Lab
Phone: 905-413-3519, T/L 969-3519
E-mail: [EMAIL PROTECTED]

From: Elliotte Rusty Harold <[EMAIL PROTECTED]nc.edu>
Date: 01/28/2003 06:02 AM
Please respond to xerces-j-dev
To: [EMAIL PROTECTED]
cc:
Subject: Rejecting the billion laughs attack

At 6:42 PM -0500 1/27/03, [EMAIL PROTECTED] wrote:
>Finally, Xerces-J now provides means by which applications can
>force the parser to reject certain kinds of documents whose processing
>could result in a denial-of-service attack.

How is this accomplished? Simply by rejecting documents that contain a document type declaration? That seems unnecessarily harsh to me? Is there any more fine-grained control over this?
--
Elliotte Rusty Harold | [EMAIL PROTECTED] | Writer/Programmer
Processing XML with Java (Addison-Wesley, 2002)
http://www.cafeconleche.org/books/xmljava
http://www.amazon.com/exec/obidos/ISBN%3D0201771861/cafeaulaitA
Read Cafe au Lait for Java News: http://www.cafeaulait.org/
Read Cafe con Leche for XML News: http://www.cafeconleche.org/

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
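An added illustration of the property Neil points to, not part of the original thread and not Xerces project code: a parser keeps accepting DOCTYPEs but caps entity expansion through org.apache.xerces.util.SecurityManager. The class name EntityLimitDemo, the limit of 10 and both sample documents are assumptions constructed for this example; Xerces-J must be on the classpath.

```java
import java.io.IOException;
import java.io.StringReader;
import org.apache.xerces.parsers.SAXParser;
import org.apache.xerces.util.SecurityManager; // takes precedence over java.lang.SecurityManager
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical class name; requires Xerces-J on the classpath.
public class EntityLimitDemo {
    static final String SECURITY_MANAGER =
        "http://apache.org/xml/properties/security-manager";

    // Constructed sample: a DOCTYPE with one ordinary internal entity.
    static final String BENIGN =
        "<!DOCTYPE r [<!ENTITY co 'Example Corp'>]><r>&co;</r>";

    // Constructed sample: c expands to four b's, each b to four a's.
    static final String NESTED =
        "<!DOCTYPE r [<!ENTITY a 'x'>"
        + "<!ENTITY b '&a;&a;&a;&a;'>"
        + "<!ENTITY c '&b;&b;&b;&b;'>]><r>&c;</r>";

    // Parse with a cap on entity expansions instead of rejecting every DOCTYPE.
    static boolean accepted(String xml, int limit) throws IOException {
        try {
            SecurityManager manager = new SecurityManager();
            manager.setEntityExpansionLimit(limit);
            SAXParser parser = new SAXParser();
            parser.setProperty(SECURITY_MANAGER, manager);
            parser.setContentHandler(new DefaultHandler());
            parser.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException e) {
            // Exceeding the limit surfaces as a fatal parse error.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        int limit = 10; // illustrative value chosen for these small samples
        System.out.println("benign accepted: " + accepted(BENIGN, limit));
        System.out.println("nested accepted: " + accepted(NESTED, limit));
    }
}
```

The same SecurityManager object also carries a limit on maxOccurs node creation during schema processing (setMaxOccurNodeLimit), which a blanket DOCTYPE ban would not address.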
