Posted to commits@daffodil.apache.org by "Mike Beckerle (Jira)" <ji...@apache.org> on 2020/12/16 20:00:00 UTC

[jira] [Updated] (DAFFODIL-1422) disallow doctype decls in all XML & XSD that we read in

     [ https://issues.apache.org/jira/browse/DAFFODIL-1422?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Beckerle updated DAFFODIL-1422:
------------------------------------
    Priority: Critical  (was: Major)

> disallow doctype decls in all XML & XSD that we read in
> -------------------------------------------------------
>
>                 Key: DAFFODIL-1422
>                 URL: https://issues.apache.org/jira/browse/DAFFODIL-1422
>             Project: Daffodil
>          Issue Type: Improvement
>          Components: API, Back End, Front End
>    Affects Versions: 1.1.0
>            Reporter: Mike Beckerle
>            Priority: Critical
>
> We should be doing this:
> {code}
> spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
> {code}
> and simply rejecting things with doctype decls. This would apply to all the XML we consume be it a DFDL schema, configuration file, or input data for unparsing. 
> This is needed because of problems that doctype decls can create where the incoming XML can cause the JVM to crash with out-of-memory-errors (OOME). 
> See https://en.wikipedia.org/wiki/Billion_laughs for one vulnerability that this fixes.
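The feature the issue asks for, shown as an added Java example that is not code from the Daffodil project: a SAXParserFactory hardened with disallow-doctype-decl (plus the JAXP secure-processing feature), applied to a plain document and to a constructed document that carries an internal DTD subset. The parser rejects the second one at the DOCTYPE, before any entity is expanded, which is what removes the out-of-memory risk described above. The class name, helper names and sample documents are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class NoDoctypeParser {

    // Xerces feature from the issue: any DOCTYPE declaration is a fatal error.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Build a factory whose parsers refuse DTDs outright. Secure processing
    // additionally caps entity expansion, but disallowing the DOCTYPE means
    // the limits are never even reached.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature(DISALLOW_DOCTYPE, true);
        return spf;
    }

    // Returns true if the document parsed, false if the parser rejected it.
    // SAXParseException is the subclass the DOCTYPE rejection arrives as;
    // other SAXExceptions (e.g. malformed XML) still propagate to the caller.
    static boolean parse(SAXParserFactory spf, String xml) throws Exception {
        SAXParser parser = spf.newSAXParser();
        InputSource src = new InputSource(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        try {
            parser.parse(src, new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SAXParserFactory spf = hardenedFactory();

        // Constructed samples: one ordinary document, one with an internal
        // DTD subset that declares an entity (the shape a billion-laughs
        // payload starts from). Only the DOCTYPE itself matters here.
        String plain = "<root><a>1</a></root>";
        String withDoctype =
            "<!DOCTYPE root [<!ENTITY x \"xx\">]><root>&x;</root>";

        System.out.println("plain parsed:   " + parse(spf, plain));        // true
        System.out.println("doctype parsed: " + parse(spf, withDoctype));  // false
    }
}
```

The same feature string is accepted by DocumentBuilderFactory.setFeature for DOM parsing, so a project that reads XML through more than one JAXP entry point (schema files, configuration, unparse input) can apply one setting consistently at every factory it creates; the rejection surfaces as a SAXParseException whose message names the DOCTYPE, which is the signal to check for in tests that the hardening is actually in place.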



--
This message was sent by Atlassian Jira
(v8.3.4#803005)