Posted to j-dev@xerces.apache.org by Troy <tj...@tksoft.com> on 2002/12/03 18:39:13 UTC

Re: Security Alert - Xerces. Centralization issue

Re: centralizing security related features.

I came to think that because there could be security issues
involved with many xml features, it might make sense to define one
security_features object that would then provide an interface for
enabling/disabling the various features.

The advantage of this approach, versus using multiple features,
is that the application developer would have a lot easier time
determining which of his/her applications are taking advantage of
security features and which aren't. Centralizing the management
of security related features into one object would make it easy
to check your code and determine where security is implemented,
and then whether it is implemented correctly.

Using the piecemeal approach one would have to look for all of
the separate features in various source files. The job of finding
information about such features will immediately become a problem
after there is more than one such feature.

Anyway, just my two cents' worth.



Troy

Troy Korjuslommi                Tksoft Inc.
tjk@tksoft.com





> 
> The next version of Xerces-J will include a parser feature that will
> turn off DOCTYPE processing.  When activated, this feature will
> prevent the entity expansion that causes this vulnerability.  The Axis
> team will be able to use this feature to close the hole.
> 
> The URI for the parser feature will be 
> "http://apache.org/xml/features/disallow-doctype-decl"
> 
> Ted
> ----- Original Message ----- 
> From: "Ben Laurie" <be...@algroup.co.uk>
> To: "Ted Leung" <tw...@sauria.com>
> Sent: Wednesday, November 27, 2002 3:37 AM
> Subject: [Fwd: Security Alert - Xerces]
> 
> 
> > Here ya go. Please keep security@ copied on any followups...
> > 
> > Cheers,
> > 
> > Ben.
> > 
> > -- 
> > http://www.apache-ssl.org/ben.html       http://www.thebunker.net/
> > 
> > "There is no limit to what a man can do or how far he can go if he
> > doesn't mind who gets the credit." - Robert Woodruff
> > 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: xerces-j-dev-unsubscribe@xml.apache.org
> For additional commands, e-mail: xerces-j-dev-help@xml.apache.org
> 
> 
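Added example, not code from the thread or from Xerces-J: a small Java program that exercises the feature URI Ted names above, with the hardening gathered behind one object in the spirit of Troy's centralization proposal. It assumes a JDK whose bundled Xerces honours "http://apache.org/xml/features/disallow-doctype-decl" (true for the JDK's built-in JAXP implementation and for Xerces-J releases after this thread); the ParserSecurityFeatures class and the sample document are constructed for the example and are not an API of either project.

```java
import java.io.StringReader;

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeDemo {

    /** Feature URI named in Ted's message; honoured by Xerces-J and the JDK's bundled copy of it. */
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    /**
     * Hypothetical "one security object" in the spirit of Troy's proposal (not an API of
     * Xerces or the JDK): every security-relevant parser feature is set from this single
     * place, so a code review only has to look for uses of this class.
     */
    static final class ParserSecurityFeatures {
        private final boolean disallowDoctype;

        ParserSecurityFeatures(boolean disallowDoctype) {
            this.disallowDoctype = disallowDoctype;
        }

        /** Applies the features to a factory; every parser it creates inherits them. */
        SAXParserFactory apply(SAXParserFactory factory) throws Exception {
            factory.setFeature(DISALLOW_DOCTYPE, disallowDoctype);
            return factory;
        }
    }

    /** Constructed sample: a three-level entity expansion, 1 -> 10 -> 100 copies of "lol". */
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + "  <!ENTITY lol \"lol\">\n"
      + "  <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + "  <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>\n";

    /**
     * Parses xml under the given security settings and returns the number of character-data
     * chars delivered to the handler, i.e. how far the entity expansion got.
     * Throws SAXParseException when the parser rejects the DOCTYPE declaration.
     */
    static int parseAndCountChars(String xml, ParserSecurityFeatures features) throws Exception {
        SAXParser parser = features.apply(SAXParserFactory.newInstance()).newSAXParser();
        final int[] count = {0};
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                count[0] += length;   // characters() may arrive in chunks; sum them
            }
        });
        return count[0];
    }

    public static void main(String[] args) throws Exception {
        // Default: the DOCTYPE is processed and &lol2; expands to 100 x "lol" = 300 characters.
        int expanded = parseAndCountChars(PAYLOAD, new ParserSecurityFeatures(false));
        System.out.println("doctype allowed: " + expanded + " chars of character data");

        // Hardened: parsing stops at the DOCTYPE declaration, before any entity is even defined.
        try {
            parseAndCountChars(PAYLOAD, new ParserSecurityFeatures(true));
            System.out.println("doctype disallowed: parsed anyway (feature not honoured?)");
        } catch (SAXParseException e) {
            System.out.println("doctype disallowed: rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (javac DoctypeDemo.java && java DoctypeDemo). The point of routing every setFeature call through one object is the one Troy makes: a reviewer can find the single place where parser hardening happens instead of hunting for feature URIs across the code base, and a parser built from a factory that never passed through it is visibly unhardened.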

