Posted to c-dev@xerces.apache.org by "Alberto Massari (JIRA)" <xe...@xml.apache.org> on 2004/12/16 11:04:56 UTC

[jira] Closed: (XERCESC-1309) schemaLocation declared in instance document overrides validator properties

     [ http://nagoya.apache.org/jira/browse/XERCESC-1309?page=history ]
     
Alberto Massari closed XERCESC-1309:
------------------------------------


Hi Jake,
I think we can close this bug now, as you have found the problem in your schema. 
I will answer your final comment on the mailing list, as they are general issues.

Thanks,
Alberto

> schemaLocation declared in instance document overrides validator properties
> ---------------------------------------------------------------------------
>
>          Key: XERCESC-1309
>          URL: http://nagoya.apache.org/jira/browse/XERCESC-1309
>      Project: Xerces-C++
>         Type: Bug
>   Components: Validating Parser (Schema) (Xerces 1.5 or up only)
>     Versions: 2.5.0, 2.6.0
>  Environment: Solaris 2.8, Forte 6.2 patch 5, built from source for both 2.5.0 and 2.6.0
>     Reporter: Jake Pieczonka
>     Priority: Critical

>
> I am writing some code to validate documents against a given schema:
>     parser = new XercesDOMParser;
>     errorHandler = new ValidatorErrorHandler;
>     parser->setErrorHandler(errorHandler);
>     parser->setValidationScheme(XercesDOMParser::Val_Always);
>     parser->setDoNamespaces(true);
>     parser->setDoSchema(true);
>     //parser->setExternalSchemaLocation(schemaLocationWithNS.c_str());
>     parser->setExternalNoNamespaceSchemaLocation(schemaLocation.c_str());
>     parser->cacheGrammarFromParse(true);
> The code should override any schema declarations in the instance document.
> It works as expected when no schema declarations are present, and also correctly overrides any noNameSpaceSchemaLocation declared in the document.
> However, if the document contains a schemaLocation declaration, then the code above fails to override it and the schema is loaded from the location contained in the document.
> Here is a sample declaration:
> <rootElement xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://exploit.com/schema http://www.exploit.com/schemas/exploitSchema.xsd"/>
> I am flagging this as critical because of the possible security considerations.  Instance documents should not be able to override the schema location declared by the program, since it then becomes a trivial matter to pass untrusted data to a program which is expecting validated input.
> Note that using the commented-out line above to set the schema location in the program also fails to override the document setting.

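Added example, not part of the original thread and not Xerces-C++ code: a self-contained pre-check for the concern raised in the report, run on the instance document before it reaches the validating parser, that lists every schemaLocation / noNamespaceSchemaLocation hint and rejects any the program did not choose. The names `auditSchemaHints`, `hintsAreTrusted` and `TrustedSchemas`, and the sample namespace and paths, are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct SchemaHint { std::string ns, location; bool allowed; };
// Schemas the program chose: namespace ("" = no namespace) -> location.
using TrustedSchemas = std::map<std::string, std::string>;
// Lexical pre-scan, not an XML parse: any prefix is accepted and text in
// comments or CDATA also matches, so it errs towards over-reporting.
std::vector<SchemaHint> auditSchemaHints(const std::string& xml,
                                         const TrustedSchemas& trusted) {
    static const std::regex attr(
        R"re([A-Za-z_][\w.-]*:(schemaLocation|noNamespaceSchemaLocation))re"
        R"re(\s*=\s*(?:"([^"]*)"|'([^']*)'))re");
    std::vector<SchemaHint> hints;
    auto add = [&](const std::string& ns, const std::string& loc) {
        auto t = trusted.find(ns);
        hints.push_back({ns, loc, t != trusted.end() && t->second == loc});
    };
    for (std::sregex_iterator it(xml.begin(), xml.end(), attr), end; it != end; ++it) {
        const std::smatch& m = *it;
        std::istringstream in(m[2].matched ? m[2].str() : m[3].str());
        std::vector<std::string> tok;
        for (std::string s; in >> s;) tok.push_back(s);
        if (m[1] == "noNamespaceSchemaLocation") {
            add("", tok.empty() ? "" : tok[0]);
        } else {
            // (namespace, location) pairs; an odd trailing token has no location.
            for (std::size_t i = 0; i < tok.size(); i += 2)
                add(tok[i], i + 1 < tok.size() ? tok[i + 1] : "");
        }
    }
    return hints;
}

// True when every hint in the document names a schema the program chose.
bool hintsAreTrusted(const std::string& xml, const TrustedSchemas& trusted) {
    for (const SchemaHint& h : auditSchemaHints(xml, trusted))
        if (!h.allowed) return false;
    return true;
}

int main() {
    const TrustedSchemas trusted = {{"urn:a", "/opt/app/a.xsd"}};  // constructed
    const std::string doc = "<r xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' "
        "xsi:schemaLocation='urn:a http://host.invalid/a.xsd'/>";  // constructed
    std::cout << (hintsAreTrusted(doc, trusted) ? "ok" : "reject") << "\n";
}
```

A document with no hints at all passes the check; whether that is acceptable depends on the parser being configured with the program's own schema.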