Posted to j-dev@xerces.apache.org by "David Jorm (JIRA)" <xe...@xml.apache.org> on 2014/08/22 14:40:12 UTC

[jira] [Commented] (XERCESJ-1644) RFE: Allow global enabling/disabling of features with secure defaults

    [ https://issues.apache.org/jira/browse/XERCESJ-1644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14106782#comment-14106782 ] 

David Jorm commented on XERCESJ-1644:
-------------------------------------

I would like to note that this patch would make applications using xerces not vulnerable to XXE attacks by default. In recent years, a very large number of Java applications have had XXE vulnerabilities, mainly because parsers are vulnerable by default, and documentation explaining how to address XXE has been incomplete and inconsistent. It may be argued that disabling doctype declarations and entities by default could break some applications that rely on this functionality. I think this concern is outweighed by the security benefit that this patch would introduce.

> RFE: Allow global enabling/disabling of features with secure defaults
> ---------------------------------------------------------------------
>
>                 Key: XERCESJ-1644
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1644
>             Project: Xerces2-J
>          Issue Type: Improvement
>          Components: JAXP (javax.xml.parsers)
>    Affects Versions: 2.11.0
>            Reporter: Arun Babu Neelicattu
>         Attachments: XERCESJ-1644.patch
>
>
> It would be useful to be able to enable and disable features using a global configuration, either by using system properties or a property file or both.
> Possible usage via system properties:
> {noformat}
> -Dorg.apache.xerces.jaxp.features.enable=http://apache.org/xml/features/disallow-doctype-decl
> -Dorg.apache.xerces.jaxp.features.disable=http://xml.org/sax/features/external-general-entities,http://xml.org/sax/features/external-parameter-entities
> {noformat}
> Is this something that can be added?



--
This message was sent by Atlassian JIRA
(v6.2#6252)
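To illustrate what the proposed global configuration would do in practice, here is an added example that is not part of the patch or of Xerces itself: a small helper that reads the two system properties sketched in the issue (the way it interprets them as comma-separated feature URIs is an assumption) and applies them to a JAXP `SAXParserFactory`, then parses a constructed document containing a DOCTYPE so that the effect of the secure defaults is visible.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SecureFeatureDefaults {
    // Property names taken from the RFE. Reading them as comma-separated feature
    // URIs is an assumption about the proposed behaviour, not Xerces' own code.
    static final String ENABLE = "org.apache.xerces.jaxp.features.enable";
    static final String DISABLE = "org.apache.xerces.jaxp.features.disable";

    // Build a factory with every listed feature switched on or off globally.
    static SAXParserFactory configuredFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        for (String uri : System.getProperty(ENABLE, "").split(",")) {
            uri = uri.trim();
            if (!uri.isEmpty()) f.setFeature(uri, true);
        }
        for (String uri : System.getProperty(DISABLE, "").split(",")) {
            uri = uri.trim();
            if (!uri.isEmpty()) f.setFeature(uri, false);
        }
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a document with an internal DOCTYPE, which the
        // secure defaults from the issue reject outright.
        String doc = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        // Simulate the -D flags from the issue when none were given on the command line.
        if (System.getProperty(ENABLE) == null) {
            System.setProperty(ENABLE, "http://apache.org/xml/features/disallow-doctype-decl");
            System.setProperty(DISABLE, "http://xml.org/sax/features/external-general-entities,"
                + "http://xml.org/sax/features/external-parameter-entities");
        }
        SAXParser parser = configuredFactory().newSAXParser();
        try {
            parser.parse(new ByteArrayInputStream(doc.getBytes(StandardCharsets.UTF_8)),
                         new DefaultHandler());
            System.out.println("parsed: DOCTYPE was allowed");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl enabled the parser stops here.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running it without any `-D` flags uses the values from the issue and prints the rejection; passing `-Dorg.apache.xerces.jaxp.features.enable=` with an empty value shows the same document being accepted.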
