Posted to java-user@axis.apache.org by Davanum Srinivas <da...@gmail.com> on 2006/11/09 19:08:17 UTC

Re: Do we have XML Injection thread on AXIS 1.X Soap Servers?

we already take care of this in Axis1 and Axis2.

-- dims

On 11/9/06, Venkatesh Jayaraman (jvenky) <jv...@cisco.com> wrote:
>
> Security Issue Posed by Nested Entity Definitions
>
> While XML does not allow recursive entity definitions, it does permit nested
> entity definitions, which produces the potential for Denial of Service
> attacks on a server which accepts XML data from external sources. For
> example, a SOAP document like the following that has very deeply nested
> entity definitions can consume 100% of CPU time and large amounts of memory
> in entity expansions:
>
> <?xml version="1.0" encoding ="UTF-8"?>
> <!DOCTYPE foobar[
>  <!ENTITY x100 "foobar">
>  <!ENTITY  x99 "&x100;&x100;">
>  <!ENTITY  x98 "&x99;&x99;">
>  ...
>  <!ENTITY   x2 "&x3;&x3;">
>  <!ENTITY   x1 "&x2;&x2;">
> ]>
> <SOAP-ENV:Envelope xmlns:SOAP-ENV=...>
> <SOAP-ENV:Body>
> <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="...">
> <foobar xsi:type="xsd:string">&x1;</foobar>
> </ns1:aaa>
> </SOAP-ENV:Body>
> </SOAP-ENV:Envelope>
>
> A system that doesn't take in external XML data need not be concerned with
> the issue, but one that does can utilize one of the following safeguards to
> prevent the problem:
>
> New system property to limit entity expansion
>
> The entityExpansionLimit system property lets existing applications
> constrain the total number of entity expansions without recompiling the
> code. The parser throws a fatal error once it has reached the entity
> expansion limit. (By default, the limit is set to 64000.)
>
>  To set the entity expansion limit using the system property, use an option
> like the following on the java command line: -DentityExpansionLimit=100000
>
> New parser property to disallow DTDs
>
> The application can also set the
> http://apache.org/xml/features/disallow-doctype-decl parser
> property to true. A fatal error is then thrown if the incoming XML document
> contains a DOCTYPE declaration. (The default value for this property is
> false.) This property is typically useful for SOAP based applications where
> a SOAP message must not contain a Document Type Declaration.
>
> New feature for Secure Processing
>
> JAXP 1.3 includes a new secure processing feature in which an application
> can configure the SAXParserFactory or DocumentBuilderFactory to get an XML
> processor that behaves in a secured fashion.  Setting this feature to true
> sets the entity expansion limit to 64000.  Note that the default limit can
> be increased using the entityExpansionLimit system property.
>
> http://java.sun.com/j2se/1.5.0/docs/guide/xml/jaxp/JAXP-Compatibility_150.html
>
> Thanks
>
> -Venky (Venkatesh Jayaraman)
>


-- 
Davanum Srinivas : http://www.wso2.net (Oxygen for Web Service Developers)
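An added example, not code from this thread or from Axis: a JAXP DocumentBuilderFactory configured the way the quoted message describes (DOCTYPE declarations disallowed, secure processing enabled), fed a constructed three-level version of the nested-entity document to show that it is rejected at the DOCTYPE before any expansion happens. The class name, the SOAP namespace URI and the sample document are assumptions for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class HardenedSoapParser {

    // Parser that refuses any DOCTYPE (so no entity definitions can be supplied)
    // and turns on JAXP secure processing, which applies the default expansion
    // limit of 64000 described in the thread (raise it with -DentityExpansionLimit).
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Constructed sample shaped like the message in the thread, but only three
    // entity levels deep: it exists to show the rejection path, not to load a parser.
    static final String SAMPLE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE foobar [\n"
      + " <!ENTITY x3 \"foobar\">\n"
      + " <!ENTITY x2 \"&x3;&x3;\">\n"
      + " <!ENTITY x1 \"&x2;&x2;\">\n"
      + "]>\n"
      + "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\">\n"
      + " <SOAP-ENV:Body><foobar>&x1;</foobar></SOAP-ENV:Body>\n"
      + "</SOAP-ENV:Envelope>\n";

    // Returns true when the hardened parser rejected the document because of its DOCTYPE.
    static boolean rejectsDoctype(String xml) throws Exception {
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // document was accepted: the hardening is not in effect
        } catch (SAXParseException e) {
            // Xerces reports that DOCTYPE is disallowed when the feature is set
            return e.getMessage().toLowerCase().contains("doctype");
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE rejected: " + rejectsDoctype(SAMPLE));
    }
}
```

A service that must accept DTDs for legitimate reasons cannot use disallow-doctype-decl and should rely on the secure-processing feature plus a deliberately chosen entityExpansionLimit instead.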

---------------------------------------------------------------------
To unsubscribe, e-mail: axis-user-unsubscribe@ws.apache.org
For additional commands, e-mail: axis-user-help@ws.apache.org