Posted to commits@daffodil.apache.org by "Mike Beckerle (Jira)" <ji...@apache.org> on 2021/03/10 20:51:00 UTC

[jira] [Commented] (DAFFODIL-1422) disallow doctype decls in all XML & XSD that we read in

    [ https://issues.apache.org/jira/browse/DAFFODIL-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299128#comment-17299128 ] 

Mike Beckerle commented on DAFFODIL-1422:
-----------------------------------------

See DAFFODIL-1659 about disabling general entities (also parameter entities)

> disallow doctype decls in all XML & XSD that we read in
> -------------------------------------------------------
>
>                 Key: DAFFODIL-1422
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-1422
>             Project: Daffodil
>          Issue Type: Improvement
>          Components: API, Back End, Front End
>    Affects Versions: 1.1.0
>            Reporter: Mike Beckerle
>            Assignee: Mike Beckerle
>            Priority: Critical
>
> We should be doing this:
> {code}
> spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
> {code}
> and simply rejecting things with doctype decls. This would apply to all the XML we consume be it a DFDL schema, configuration file, or input data for unparsing. 
> This is needed because of problems that doctype decls can create where the incoming XML can cause the JVM to crash with out-of-memory-errors (OOME). 
> See https://en.wikipedia.org/wiki/Billion_laughs for one vulnerability that this fixes.
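
A self-contained illustration of the hardening the issue proposes, added here as an example (not Daffodil's own code): a `SAXParserFactory` with `disallow-doctype-decl` enabled rejects any document carrying a DOCTYPE before any entity is expanded, while plain documents still parse. The two XML strings are constructed samples; the class and method names are assumptions for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeRejectDemo {
    // Constructed sample: a document with an internal DTD subset declaring one
    // general entity. With the feature on, the parser stops at the DOCTYPE
    // itself, so the entity is never expanded.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [ <!ENTITY e \"expanded\"> ]>\n" +
        "<data>&e;</data>";

    // Constructed sample: an ordinary document with no DOCTYPE.
    static final String PLAIN =
        "<?xml version=\"1.0\"?><data><x>1</x></data>";

    // The setting from the issue: reject DOCTYPE declarations outright.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return spf;
    }

    // Returns true if the document parses, false if the parser rejected it.
    static boolean parses(String xml) throws Exception {
        SAXParser parser = hardenedFactory().newSAXParser();
        try {
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            // The JDK's built-in Xerces reports that DOCTYPE is disallowed.
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document parses:   " + parses(PLAIN));
        System.out.println("DOCTYPE document parses: " + parses(WITH_DOCTYPE));
    }
}
```

The same feature string works on any Xerces-derived parser, including the one bundled with the JDK, and applies equally to the DOM and schema-loading paths when set on their respective factories.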
