Posted to j-dev@xerces.apache.org by "Dave Wichers (Jira)" <xe...@xml.apache.org> on 2021/01/24 00:59:00 UTC

[jira] [Commented] (XERCESJ-1654) Add support for properties set by JAXP in the JDK (secure-processing, accessExternalDTD and entityExpansionLimit)

    [ https://issues.apache.org/jira/browse/XERCESJ-1654?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270788#comment-17270788 ] 

Dave Wichers commented on XERCESJ-1654:
---------------------------------------

Hello......

I specifically ran into this problem. Please add support for {{accessExternalDTD}} and {{entityExpansionLimit}} as they are standard flags.

I was testing an app where these worked fine, and prevented problems. And then after some changes, another library caused the Apache version of Xerces to get imported and these defenses 'went away'. After some digging, I saw this subtle error on the console:

"XML parser org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser does not recognize the property http://javax.xml.XMLConstants/property/accessExternalDTD"

But other than that, there was no other indication of a problem, except that the app was now vulnerable to XXE attacks where previously it was not.

This issue was reported 6 YEARS ago and is likely introducing security vulns into apps that think they are actually SAFE and the tools are probably saying they are SAFE too, when they aren't if YOUR version of Xerces is on the app's classpath.

> Add support for properties set by JAXP in the JDK (secure-processing, accessExternalDTD and  entityExpansionLimit)
> ------------------------------------------------------------------------------------------------------------------
>
>                 Key: XERCESJ-1654
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1654
>             Project: Xerces2-J
>          Issue Type: New Feature
>    Affects Versions: 2.11.0
>         Environment: Problem noticed with:
> * jdk1.7.0_71.jdk
> * jdk1.8.0_25.jdk
>            Reporter: Vincent Massol
>            Priority: Major
>
> I have tons of the following warnings in my console when doing an XSLT transformation:
> {noformat}
> Warning:  org.apache.xerces.parsers.SAXParser: Feature 'http://javax.xml.XMLConstants/feature/secure-processing' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
> Warning:  org.apache.xerces.parsers.SAXParser: Property 'http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit' is not recognized.
> {noformat}
> Code:
> {code}
> import java.io.StringReader;
> import java.io.StringWriter;
> import javax.xml.transform.OutputKeys;
> import javax.xml.transform.Transformer;
> import javax.xml.transform.TransformerException;
> import javax.xml.transform.TransformerFactory;
> import javax.xml.transform.TransformerFactoryConfigurationError;
> import javax.xml.transform.stream.StreamResult;
> import javax.xml.transform.stream.StreamSource;
>
> // Enclosing class omitted from the report; the name below is a placeholder.
> public class XMLFormatter
> {
>     /**
>      * Parse and pretty print XML content.
>      *
>      * @param content the XML content to format
>      * @return the formatted version of the passed XML content
>      * @throws TransformerFactoryConfigurationError when failing to create a
>      *             {@link TransformerFactory}
>      * @throws TransformerException when failing to transform the content
>      * @since 5.2M1
>      */
>     public static String formatXMLContent(String content) throws TransformerFactoryConfigurationError,
>         TransformerException
>     {
>         // Identity transform: no stylesheet, so the input is parsed and re-serialized with indentation.
>         Transformer transformer = TransformerFactory.newInstance().newTransformer();
>         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
>         transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
>         StreamResult result = new StreamResult(new StringWriter());
>         // StreamSource leaves the transformer to create its own XMLReader (the parser that emits the warnings above).
>         StreamSource source = new StreamSource(new StringReader(content));
>         transformer.transform(source, result);
>         return result.getWriter().toString();
>     }
> }
> {code}
> According to what I read at https://issues.apache.org/jira/browse/RAT-158 and at http://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html this seems to have been caused by some changes introduced in the JDK and that XercesJ doesn't support yet.
> Thus this issue is about adding support for them.
> Thanks!
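The failure mode described in the comment above is that a JAXP property the parser does not recognize degrades to a console warning, so the defence silently disappears when a different Xerces lands on the classpath. The following is an added example, not code from the issue, from its reporter, or from the Xerces project: it is a hardened variant of the quoted `formatXMLContent()` that (a) sets the hardening through `setFeature()`, which throws `SAXNotRecognizedException`/`SAXNotSupportedException` instead of warning, using SAX and Apache feature URIs that both the JDK's bundled parser and Apache Xerces 2.x recognize, (b) treats the JAXP `accessExternalDTD` property as a reported, not trusted, extra, and (c) hands the transformer a `SAXSource` built on that reader so it does not create an unconfigured one of its own. The class name `SafeXmlFormatter` and the `example.invalid` URL in the sample input are placeholders chosen for this example.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;

import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;

/** Hypothetical hardened replacement for the formatXMLContent() shown in the issue (example code). */
public final class SafeXmlFormatter {

    // Feature URIs recognized by both the JDK's bundled Xerces and Apache Xerces 2.x.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds an XMLReader whose hardening is enforced: an unsupported feature is an exception, not a warning. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Each setFeature() throws SAXNotRecognizedException / SAXNotSupportedException
        // when the parser on the classpath cannot honour it, so the caller fails closed.
        spf.setFeature(DISALLOW_DOCTYPE, true);
        spf.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        spf.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        spf.setFeature(LOAD_EXTERNAL_DTD, false);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        // The JAXP property from the issue: applied where recognized, reported where not.
        // It is never the only line of defence, because disallow-doctype-decl above already holds.
        try {
            reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            System.err.println("Parser " + reader.getClass().getName() + " ignores "
                + XMLConstants.ACCESS_EXTERNAL_DTD + "; relying on disallow-doctype-decl instead");
        }
        return reader;
    }

    public static String formatXMLContent(String content) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        // setFeature() throws TransformerConfigurationException if secure processing is unsupported.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // setAttribute() signals an unrecognized JAXP attribute this way; report it rather than hide it.
            System.err.println("TransformerFactory " + tf.getClass().getName()
                + " does not recognize the JAXP external-access attributes: " + e.getMessage());
        }
        Transformer transformer = tf.newTransformer();
        transformer.setOutputProperty(OutputKeys.INDENT, "yes");
        transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");

        // A SAXSource carrying our reader makes the transformer parse through it,
        // instead of creating an unconfigured XMLReader as it does for a StreamSource.
        SAXSource source = new SAXSource(hardenedReader(), new InputSource(new StringReader(content)));
        StreamResult result = new StreamResult(new StringWriter());
        transformer.transform(source, result);
        return result.getWriter().toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input 1: a plain document is formatted as before.
        System.out.println(formatXMLContent("<root><a>1</a><b>2</b></root>"));

        // Constructed sample input 2: any DOCTYPE, here one naming an external DTD at a
        // placeholder host, is refused by every parser that honours disallow-doctype-decl.
        String withDoctype = "<!DOCTYPE root SYSTEM \"http://example.invalid/root.dtd\"><root/>";
        try {
            formatXMLContent(withDoctype);
            System.err.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (TransformerException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

Run it once with the JDK's bundled parser and once with Apache Xerces 2.11 on the classpath: in both cases the DOCTYPE document is rejected, because rejection rests on features the parser actually acknowledged via `setFeature()`. The JDK's transformer may still print its "not recognized" warning when it touches the supplied reader, but the outcome no longer depends on that property being understood, which is the gap the comment above describes.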



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
