Posted to j-dev@xerces.apache.org by Ted Leung <tw...@sauria.com> on 2002/11/27 20:28:11 UTC

Fw: Security Alert - Xerces]

Okay, it looks like Sanctum has decided that Xerces is the problem, and
they are going to issue a security alert against us. Other than Sanjiva's
suggestion of a flag to turn off internal (or probably all) entity
expansion, does anyone have any other ideas of how to fix this?

Ted
----- Original Message -----
From: "Ben Laurie" <be...@algroup.co.uk>
To: "Ted Leung" <tw...@sauria.com>
Sent: Wednesday, November 27, 2002 3:37 AM
Subject: [Fwd: Security Alert - Xerces]


> Here ya go. Please keep security@ copied on any followups...
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
>
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
>

Re: Fw: Security Alert - Xerces]

Posted by Joseph Kesselman <ke...@us.ibm.com>.
Set up a maximum-recursion-depth counter on entity expansion, and let 
folks tune it for whatever they consider reasonable?

______________________________________
Joe Kesselman  / IBM Research
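
An added illustration of the depth counter suggested in the reply above; it is not part of the thread and is not Xerces code. The class name, the toy `&name;` expander and the second cap on the total number of references expanded (which goes beyond the reply's suggestion, since a nesting limit alone does not bound how many references each level holds) are assumptions made for the example.

```java
import java.util.HashMap;
import java.util.Map;
/** Toy general-entity expander with tunable limits (illustrative, not Xerces code). */
public class LimitedEntityExpander {
    private final Map<String, String> entities; // entity name -> replacement text
    private final int maxDepth;       // nesting limit, as suggested in the reply
    private final int maxExpansions;  // assumed extra cap on total references expanded
    private int expansions;
    LimitedEntityExpander(Map<String, String> entities, int maxDepth, int maxExpansions) {
        this.entities = entities; this.maxDepth = maxDepth; this.maxExpansions = maxExpansions;
    }

    String expand(String text) {
        expansions = 0;
        StringBuilder out = new StringBuilder();
        expand(text, 0, out);
        return out.toString();
    }

    private void expand(String text, int depth, StringBuilder out) {
        int i = 0;
        while (i < text.length()) {
            int amp = text.indexOf('&', i);
            int semi = amp < 0 ? -1 : text.indexOf(';', amp);
            if (semi < 0) { out.append(text, i, text.length()); return; }
            out.append(text, i, amp);
            String value = entities.get(text.substring(amp + 1, semi));
            if (value == null) {
                out.append(text, amp, semi + 1); // undeclared reference: copied through
            } else {
                // Fail closed before recursing, so a self-referencing entity stops here too.
                if (depth + 1 > maxDepth) throw new IllegalStateException("entity depth limit exceeded");
                if (++expansions > maxExpansions) throw new IllegalStateException("entity expansion limit exceeded");
                expand(value, depth + 1, out);
            }
            i = semi + 1;
        }
    }

    public static void main(String[] args) {
        Map<String, String> e = new HashMap<>(); // constructed sample declarations
        e.put("a", "x"); e.put("b", "&a;&a;"); e.put("c", "&b;&b;"); e.put("loop", "&loop;");
        System.out.println(new LimitedEntityExpander(e, 8, 100).expand("[&c;]"));
        try { new LimitedEntityExpander(e, 2, 100).expand("&c;"); }
        catch (IllegalStateException ex) { System.out.println("rejected: " + ex.getMessage()); }
        try { new LimitedEntityExpander(e, 8, 100).expand("&loop;"); }
        catch (IllegalStateException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```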
